Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Issue title: The International Workshop on Socio-Technical Aspects in Security
Guest editors: Thomas Groß and Luca Viganò
Article type: Research Article
Authors: Demjaha, Albesëa; * | Parkin, Simonb | Pym, Davidc
Affiliations: [a] University College London and The Alan Turing Institute, London, United Kingdom | [b] Delft University of Technology, Delft, The Netherlands | [c] University College London and The Institute of Philosophy, University of London, London, United Kingdom
Correspondence: [*] Corresponding author. E-mail: albese.demjaha.16@ucl.ac.uk.
Note: [1] This paper is an extended and revised version of a paper presented at the International Workshop on Socio-Technical Aspects in Security.
Abstract: Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal security-related choices. Conflict arises because of information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote ‘good enough’ decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both traditional economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. Our four stage plan to Capture, Adapt, Realign, and Enable behaviour choices provides guidance for security managers, focusing on a more effective response to the uncertainty associated with security behaviour in organizations.
Keywords: Security decision-making, security economics, security policy, security behaviour modelling
DOI: 10.3233/JCS-210046
Journal: Journal of Computer Security, vol. 30, no. 3, pp. 435-464, 2022
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
sales@iospress.com
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
info@iospress.nl
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office info@iospress.nl
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
china@iospress.cn
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
如果您在出版方面需要帮助或有任何建, 件至: editorial@iospress.nl