the human factor
play

The human factor Tyler Moore Tandy School of Computer Science, - PowerPoint PPT Presentation

Mar 29, 2023 •306 likes •822 views

The human factor Tyler Moore Tandy School of Computer Science, University of Tulsa Outline Behavioral economics and cybersecurity 1 Prospect theory Misperception of risk Decision-making shortcuts Behavioral economics of privacy Psychology

  1. The human factor Tyler Moore Tandy School of Computer Science, University of Tulsa

  2. Outline Behavioral economics and cybersecurity 1 Prospect theory Misperception of risk Decision-making shortcuts Behavioral economics of privacy Psychology of scam victims 2 2 / 33

  3. Behavioral economics and cybersecurity Outline Behavioral economics and cybersecurity 1 Prospect theory Misperception of risk Decision-making shortcuts Behavioral economics of privacy Psychology of scam victims 2 3 / 33

  4. Behavioral economics and cybersecurity Limits of rationality Economics models traditionally assume that individuals and firms behave rationally In many circumstances, this is an acceptable assumption Yet there are clearly times when people do not make decisions in a rational way, and frequently this happens in cybersecurity applications Behavioral economics studies the heuristics that people use to make decisions, along with the biases that affect our decision-making 4 / 33

  5. Behavioral economics and cybersecurity Prospect theory Let’s make a deal Option 1: Get $1000 Option 2: Get $2000 with a 50% chance, $0 otherwise Which would you choose? 5 / 33

  6. Behavioral economics and cybersecurity Prospect theory Let’s make a deal Option 1: Get $1000 Option 2: Get $2000 with a 50% chance, $0 otherwise Which would you choose? E [ U ] = 0 . 5 ∗ $2000 + 0 . 5 ∗ $0 = $1000 5 / 33

  7. Behavioral economics and cybersecurity Prospect theory Let’s make a deal Option 1: Get $1000 Option 2: Get $2000 with a 50% chance, $0 otherwise Which would you choose? E [ U ] = 0 . 5 ∗ $2000 + 0 . 5 ∗ $0 = $1000 Most people prefer option 1 5 / 33

  8. Behavioral economics and cybersecurity Prospect theory Let’s make a deal Option 1: Lose $1000 Option 2: Lose $2000 with a 50% chance Which would you choose? 6 / 33

  9. Behavioral economics and cybersecurity Prospect theory Let’s make a deal Option 1: Lose $1000 Option 2: Lose $2000 with a 50% chance Which would you choose? E [ U ] = 0 . 5 ∗ − $2000 + 0 . 5 ∗ $0 = − $1000 6 / 33

  10. Behavioral economics and cybersecurity Prospect theory Let’s make a deal Option 1: Lose $1000 Option 2: Lose $2000 with a 50% chance Which would you choose? E [ U ] = 0 . 5 ∗ − $2000 + 0 . 5 ∗ $0 = − $1000 Most people prefer option 2 6 / 33

  11. Behavioral economics and cybersecurity Prospect theory Prospect theory (Kahneman and Tversky 1979) 1 A sure gain is preferred over a chance at a greater gain “A bird in the hand is worth two in the bush” 2 An uncertain loss is preferred over a sure smaller loss “Run away to fight another day” 7 / 33

  12. Behavioral economics and cybersecurity Prospect theory Implications for cybersecurity (Schneier 2008) Most security investment decisions involve taking a small, but certain, loss rather risk a bigger loss if attacked For example: buy a data-loss-prevention solution to reduce your exposure to a data breach that might cost your company millions Prospect theory suggests that most people would rather risk the larger loss than pay up for protection now To sell security, one should frame the choice in terms of a certain gain, rather than uncertain loss avoided 8 / 33

  13. Behavioral economics and cybersecurity Prospect theory Framing effect (KT81) Imagine that the US is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people. Two alternative programs to combat the disease have been proposed. Assume that the exact scientific estimates of the consequences of the programs are as follows. Program A: If adopted, 200 people will be saved Program B: If adopted, 1/3 probability 600 will be saved, and 2/3 probability no one is saved. Which program do you prefer? 9 / 33

  14. Behavioral economics and cybersecurity Prospect theory Framing effect (KT81) Imagine that the US is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people. Two alternative programs to combat the disease have been proposed. Assume that the exact scientific estimates of the consequences of the programs are as follows. Program A: If adopted, 200 people will be saved Program B: If adopted, 1/3 probability 600 will be saved, and 2/3 probability no one is saved. Which program do you prefer? 72% of respondents said Program A 9 / 33

  15. Behavioral economics and cybersecurity Prospect theory Framing effect (KT81) Imagine that the US is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people. Two alternative programs to combat the disease have been proposed. Assume that the exact scientific estimates of the consequences of the programs are as follows. Program C: If adopted, 400 people will die. Program D: If adopted, 1/3 probability nobody will die, and 2/3 probability that 600 people will die. Which program do you prefer? 10 / 33

  16. Behavioral economics and cybersecurity Prospect theory Framing effect (KT81) Imagine that the US is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people. Two alternative programs to combat the disease have been proposed. Assume that the exact scientific estimates of the consequences of the programs are as follows. Program C: If adopted, 400 people will die. Program D: If adopted, 1/3 probability nobody will die, and 2/3 probability that 600 people will die. Which program do you prefer? 78% of respondents said Program D 10 / 33

  17. Behavioral economics and cybersecurity Prospect theory Framing effect and cybersecurity To increase the chances a security decision will be taken, frame the decision in terms of the certain benefits If framed in terms of the negative outcomes, emphasize uncertain outcomes 11 / 33

  18. Behavioral economics and cybersecurity Prospect theory Prospect theory: Role of probabilities Gains Losses High probability 100% chance to gain $900 preferred 95% chance to lose $1k preferred over 95% chance to gain $1k over 100% chance to lose $900 Certainty Effect Risk-averse Risk-seeking Low probability 5% chance to gain $1k preferred 100% chance to lose $60preferred over 100% chance to gain $60 over 5% chance to lose $1k Possibility Effect Risk-seeking Risk-averse Discussion: Can you identify cybersecurity scenarios to fit each quadrant? 12 / 33

  19. Behavioral economics and cybersecurity Prospect theory Prospect theory: Role of probabilities Gains Losses High probability 100% chance to gain $900 preferred 95% chance to lose $1k preferred over 95% chance to gain $1k over 100% chance to lose $900 Certainty Effect Risk-averse Risk-seeking Low probability 5% chance to gain $1k preferred 100% chance to lose $60preferred over 100% chance to gain $60 over 5% chance to lose $1k Possibility Effect Risk-seeking Risk-averse Discussion: Can you identify cybersecurity scenarios to fit each quadrant? Discussion: How does the perceived probability of different cyber threats influence when to invest in countermeasures? 12 / 33

  20. Behavioral economics and cybersecurity Misperception of risk Misperception of risk Prospect theory has shown that we are bad at dealing with low-probability events We tend to overestimate low-probability, costly events (e.g., cyber terrorism) We are more afraid of risks when we lack control We are more afraid of risks that we have been sensitized to (e.g., by media exposure) In everyday life people are more afraid of flying than driving, even though driving is far more dangerous In cyber people are more afraid of attacks on critical infrastructure than getting infected by a drive-by-download, even though the latter is much more likely to affect them 13 / 33

  21. Behavioral economics and cybersecurity Misperception of risk Indirect costs of cyber insecurity Even if the direct costs of a cybersecurity threat is small, we must consider the indirect costs of changed behavior in response to fear of the threat If people stop using online banking due to fear of losing their money, banks stand to lose much more than cybercriminals can actually steal If people refuse to adopt electronic health records over privacy concerns, hospitals will miss out on huge efficiency gains The perception of security matters as much as the reality 14 / 33

  22. Behavioral economics and cybersecurity Decision-making shortcuts Status quo bias Preference for the current situation such that any deviation is seen as negative Experimental evidence Consider two equivalent outcomes A and B People who start in outcome A and switch to B view the switch as negative But people who start in outcome B and switch to A view that switch as negative too! 15 / 33

  23. Behavioral economics and cybersecurity Decision-making shortcuts Endowment effect People value things more merely because they have them Experimental evidence People are willing to pay more to keep something they own than they will pay to acquire an equivalent good This effect holds even for goods acquired only minutes ago! 16 / 33

  24. Behavioral economics and cybersecurity Decision-making shortcuts Availability heuristic Easily remembered information and examples are relied upon to make decisions Anecdotes drive decisions, even when the bigger risk may be due to an issue not easily recalled 17 / 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Human Factor: The critical importance of communication and effective teamwork in providing

The Human Factor: The critical importance of communication and effective teamwork in providing

10/20/2018 The Human Factor: The critical importance of communication and effective teamwork in providing excellent care . Anna K. Meyer, MD,FAAP, FACS Associate Professor Coach UCSF School of Medicine Facilitator, UCSF Center for Enhancement of

683 views • 24 slides
Certainty Factor certainty factor CF (is the certainty factor in the hypothesis H due to

Certainty Factor certainty factor CF (is the certainty factor in the hypothesis H due to

Certainty Factor certainty factor CF (is the certainty factor in the hypothesis H due to evidence E) ranges between -1 (denial of the hypothesis H) and +1 (confirmation of H) allows the ranking of hypotheses difference between

280 views • 5 slides
Exploratory Factor Analysis: A Practical Guide James H. Steiger Department of Psychology and

Exploratory Factor Analysis: A Practical Guide James H. Steiger Department of Psychology and

Introduction Why Do an Exploratory Factor Analysis? Steps in a Common Factor Analysis A Practical Example Exploratory Factor Analysis: A Practical Guide James H. Steiger Department of Psychology and Human Development Vanderbilt University

740 views • 58 slides
Kansas City Power & Light Company EMS Reliability The Human Factor Alan Kloster IT Real

Kansas City Power & Light Company EMS Reliability The Human Factor Alan Kloster IT Real

Kansas City Power & Light Company EMS Reliability The Human Factor Alan Kloster IT Real Time Systems Manager Customer Overview More than 830,800 customers Service Territory Stable Regulated Customer Base Residences

127 views • 9 slides
Rating Factor 1 Review Rating Factor 1 Capacity of the Applicant 1 Rating Factor Review 2

Rating Factor 1 Review Rating Factor 1 Capacity of the Applicant 1 Rating Factor Review 2

Fiscal Year (FY) 2020 Indian Housing Block Grant (IHBG) Competitive Grant Application Review Training Rating Factor 1 Review Rating Factor 1 Capacity of the Applicant 1 Rating Factor Review 2 This module will introduce all Rating Factors

576 views • 25 slides
Real Application of Factor Investing in SA Ann Sebastian STANLIB FACTOR INVESTING WHAT IS IT?

Real Application of Factor Investing in SA Ann Sebastian STANLIB FACTOR INVESTING WHAT IS IT?

Real Application of Factor Investing in SA Ann Sebastian STANLIB FACTOR INVESTING WHAT IS IT? A factor is a broad, persistent driver of long-term returns SA specific factors are Growth, Quality, Momentum, Analyst Sentiment and Valuation

667 views • 12 slides
IMCA Ivan van Winsen Engineering with the Human Factor in the Loop September-2018 HMC Offshore

IMCA Ivan van Winsen Engineering with the Human Factor in the Loop September-2018 HMC Offshore

Heerema Simulation Center IMCA Ivan van Winsen Engineering with the Human Factor in the Loop September-2018 HMC Offshore Construction Contractor OIL & GAS REMOVAL RENEWABLES Fixed platforms Transformer platforms Removal

367 views • 12 slides
Delft Cooperation on Intelligent Systems The Human in the loop: a crisis-continuation factor?

Delft Cooperation on Intelligent Systems The Human in the loop: a crisis-continuation factor?

Delft Cooperation on Intelligent Systems The Human in the loop: a crisis-continuation factor? Christiaan Huygens Symposium 13 March 2008 Delft Cooperation on Intelligent Systems Introduction The speaker The D-CIS Lab 8 0 0 2 / 3 0 /

535 views • 39 slides
Human Factors? 1 Causes of incidences in healthcare Building a Safer USA 2000 Institute of

Human Factors? 1 Causes of incidences in healthcare Building a Safer USA 2000 Institute of

Simulation & Patient Safety Thats me The Human Factor in health care Come join us! Ralf Krage , MD, PhD, DEAA dept. of anesthesiology, ADAM simulationgroup www.sesam-web.org VU university medical center Amsterdam, the Netherlands

354 views • 7 slides
SUSTAINABLE ENERGY ACCESS: A CRITICAL FACTOR FOR HUMAN DEVELOPMENT Mahama Kappiah Executive

SUSTAINABLE ENERGY ACCESS: A CRITICAL FACTOR FOR HUMAN DEVELOPMENT Mahama Kappiah Executive

15TH INTERNATIONAL ENERGY FORUM MINISTERIAL Algiers, 26-28 September 2016 International Conference Center of Algiers SUSTAINABLE ENERGY ACCESS: A CRITICAL FACTOR FOR HUMAN DEVELOPMENT Mahama Kappiah Executive Director ECREEE WWW.ECREEE.ORG

343 views • 19 slides
Human limitations as safety factor considerations in Femtosecond Laser beam alignments Arie

Human limitations as safety factor considerations in Femtosecond Laser beam alignments Arie

Human limitations as safety factor considerations in Femtosecond Laser beam alignments Arie Amitzi Femto Laser Femtosecond Ti:Sapphire Laser - basic parameters Ti : sapphire laser is usually pumped with another laser with a wavelength of 514

474 views • 12 slides
Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Version 1.0 Cornelius Klbel (corny@cornelinux.de) May 2014 (CC BY-NC-SA 4.0) Everybody knows that a password - be it simple or even complex - is a potential vulnerability. Two factor authentication is the way to authenticate a user not only

400 views • 5 slides
Factor VIII and factor IX development plans at the Paediatric Committee Overview Presented by:

Factor VIII and factor IX development plans at the Paediatric Committee Overview Presented by:

Factor VIII and factor IX development plans at the Paediatric Committee Overview Presented by: Thorsten Olski MD MSc PhD Scientific Officer, Paediatrics An agency of the European Union Progress development in children Factor VIII

341 views • 4 slides
DUO 2-Factor Authentication at UNC Charlotte WHATS DUO? Two-Factor Authentication

DUO 2-Factor Authentication at UNC Charlotte WHATS DUO? Two-Factor Authentication

DUO 2-Factor Authentication at UNC Charlotte WHATS DUO? Two-Factor Authentication Using two devices to prove youre you! Why? Breaches! UNC Charlotte has been the victim of more than one data breach, and ITS is attempting to

623 views • 6 slides
(IHBG) Competitive NOFA Training Rating Factor 3: Soundness of Approach 1 Rating Factor 3

(IHBG) Competitive NOFA Training Rating Factor 3: Soundness of Approach 1 Rating Factor 3

FY20 Indian Housing Block Grant (IHBG) Competitive NOFA Training Rating Factor 3: Soundness of Approach 1 Rating Factor 3 Soundness of Approach 2 Maximum total 40 points Rating Factor Title Points Factor 3 Subfactor 3.1- IHBG

863 views • 40 slides
1 2 3 4 5 1. 6 1. Opioid growth factor ([Met5]enkephalin) prevents the incidence and retards

1 2 3 4 5 1. 6 1. Opioid growth factor ([Met5]enkephalin) prevents the incidence and retards

1 2 3 4 5 1. 6 1. Opioid growth factor ([Met5]enkephalin) prevents the incidence and retards the growth of human colon cancer. Zagon IS et al. Am J Physiol. (1996) 2. The OGF-OGFr axis utilizes the p21 pathway to restrict progression of

926 views • 45 slides
Mimi M. Recker Professor and Department Head October, 2013 1

Mimi M. Recker Professor and Department Head October, 2013 1

Mimi M. Recker Professor and Department Head October, 2013 1 Teacher learning and LS A long focus on: How and when teacher learning takes place

474 views • 29 slides
Eighth International Planning Competition: Deterministic Part Luk a s Chrpa Mauro Vallati

Eighth International Planning Competition: Deterministic Part Luk a s Chrpa Mauro Vallati

Eighth International Planning Competition: Deterministic Part Luk a s Chrpa Mauro Vallati Thomas L. McCluskey PARK research group School of Computing and Engineering University of Huddersfield IPC-8 Deterministic (2014) University of

859 views • 66 slides
Models of Strategic Reasoning Lecture 2 Eric Pacuit University of Maryland, College Park

Models of Strategic Reasoning Lecture 2 Eric Pacuit University of Maryland, College Park

Models of Strategic Reasoning Lecture 2 Eric Pacuit University of Maryland, College Park ai.stanford.edu/~epacuit August 7, 2012 Eric Pacuit: Models of Strategic Reasoning 1/30 Lecture 1: Introduction, Motivation and Background Lecture 2:

993 views • 72 slides
Software Agents and Multi-Agent Systems Keith S. Decker Department of Computer Science

Software Agents and Multi-Agent Systems Keith S. Decker Department of Computer Science

Software Agents and Multi-Agent Systems Keith S. Decker Department of Computer Science University of Delaware What is a Software Agent? Autonomous & Persistent: The main point about agents is that they are capable of acting independently,

545 views • 19 slides
More Data Cleaning; Crowdsourcing February 11, 2020 Data Science CSCI 1951A Brown University

More Data Cleaning; Crowdsourcing February 11, 2020 Data Science CSCI 1951A Brown University

More Data Cleaning; Crowdsourcing February 11, 2020 Data Science CSCI 1951A Brown University Instructor: Ellie Pavlick HTAs: Josh Levin, Diane Mutako, Sol Zitter (Some slides stolen from Chris Callison-Burch and Kristy Milland. Thank you!) 1

1.14k views • 91 slides
Abstraction: The Hardcore of Software Engineering Dewayne E Perry Motorola Regents Chair in

Abstraction: The Hardcore of Software Engineering Dewayne E Perry Motorola Regents Chair in

Abstraction: The Hardcore of Software Engineering Dewayne E Perry Motorola Regents Chair in Software Engineering Electrical and Computer Engineering The University of Texas at Austin 1 What is Software Engineering (SE)? SE is concerned

286 views • 9 slides
Representing Knowledge Given a problem to solve, how do you solve it? What is a solution to

Representing Knowledge Given a problem to solve, how do you solve it? What is a solution to

Representing Knowledge Given a problem to solve, how do you solve it? What is a solution to the problem? What do you need in the language to represent the problem? How can you map from the informal problem description to a

128 views • 12 slides
Toward a Reasoning Framework for Dependability Tacksoo Im and John D. McGregor

Toward a Reasoning Framework for Dependability Tacksoo Im and John D. McGregor

Toward a Reasoning Framework for Dependability Tacksoo Im and John D. McGregor {tim,johnmc}@cs.clemson.edu School of Computing Clemson University 1 Problem Statement How do we predict and evaluate the dependability of a software

733 views • 24 slides

More recommend