
Human Factors in Computer & Information Security
"A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business. The company is still totally vulnerable... the human factor is truly security's weakest link" (Mitnick and Simon, 2002).
"Computer security is difficult (maybe even impossible), but imagine for a moment that we've achieved it… Unfortunately, this still isn't enough. For this miraculous computer system to do anything useful, it is going to have to interact with users in some way, at some time, for some reason. And this interaction is the biggest security risk of them all. People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems" (Schneier, 2000).
Project Summary
Computer and information security (CIS) is usually approached from a technology-centric viewpoint. Remedies for CIS vulnerabilities and breaches tend to focus on technical mechanisms, e.g., stronger firewalls and the deployment of encryption. These technical remedies are often designed and implemented with little consideration for the needs and characteristics of the people who must live with them: end users, network administrators, and CIS managers. This lack of consideration for human factors may create situations where people have to circumvent CIS mechanisms and procedures in order to do their jobs, i.e., violate CIS rules, policies and procedures.
This project examines CIS violations committed by two groups of people: (1) network administrators, and (2) end users. We use a mixed-methods research approach that combines qualitative research (interviews and focus groups) with quantitative research (a survey) in order to understand CIS violations, their consequences and the factors that contribute to them, and to develop solutions for dealing with CIS violations.
Funding
Funding for the research project is provided by the National Science Foundation (NSF # EIA-0120092).
Last updated 01-09-2009