Information security decisions are often made without any formal or rigorous backing. For instance, data about the impact or likelihood of security breaches is rarely available, and careful prediction, for instance using Monte Carlo simulation, is often omitted. It is natural, but also somewhat easy, to say that we need more rigorous techniques when we make information security decisions. In the investigator’s own work the following key challenges remain unresolved.
First, rigorous approaches may introduce a false sense of security by not fully disclosing their assumptions to decision-makers (e.g., a model may assume a restricted attack scenario). Second, one may invest in perfecting the rigorous aspect without gaining much more information; that is, the value of the added rigour may not lead to better decisions. This violates Buffett’s mantra that it is better to be approximately right than precisely wrong. Third, decision-makers tend to ignore the information they receive through rigorous assessment, unless it validates the decision they already intended to make.
To address these issues, we take inspiration from the work on nudging in the behavioural economics community, which provides a framework to influence decision-makers as effectively as possible. In particular, we need tools and techniques to form a choice architecture tailored to information security. Information security has particular well-known characteristics, which we will exploit to provide sufficient rigour underlying the choice architecture. In particular, the project will establish rigorous mathematical approaches to include uncertainty about unknowns in our analysis, and will derive a theory about the ‘value of rigour’, allowing experts to judge which elements of rigour justify further investment.
We do our research in connection with one overarching information security issue of high practical importance, namely ‘consumerization’, that is, the use in the workplace of people’s own technologies. This is possibly the main challenge that IT departments face in the coming years: keeping the workplace secure as the boundaries between work and personal life become more blurred. Depending on the enterprise, doing the “right thing” may result in different policies. The project will work with large organisations and SMEs through well-established channels. It will demonstrate the benefits of the advocated choice architecture through a case study in an SME.
In very concrete terms, a possible outcome that an end user may experience as a result of the project is as follows. Our research in the psychology of choice may reveal that a sense of ownership of data contributes to better security behaviour of employees. Quantitative techniques underlying the choice architecture measure the frequency with which an employee uses the phone for this purpose. Nudging tools are installed both as a mobile phone application and as a desktop tool for the CISO. For example, the tool for employees may be a mobile app that visually displays the consequence of data loss from the perspective of the employee, for instance in terms of how success in their job may be at stake. It makes strategic use of opt-outs and opt-ins to nudge the employee to balance security and productivity based on an underlying predictive model. The nudging tool for the CISO may be a desktop tool that provides the latest data and can be configured for a particular part of the organisation. The CISO tool carefully protects against a false sense of security by presenting the risk of unknowns, and helps the CISO understand which data and which underlying assessment or decision-making process would improve the decision-making most.
- February 2013 – December 2016
- EPSRC (EP/K006568/1)
- Funded value:
- Aad Van Moorsel, Newcastle University (Principal Investigator)
- Thomas Rainer Gross, Newcastle University (Co-Investigator)
- Christopher Duncan Laing (Co-Investigator)
- Leonardus Budiman Arief (Researcher)
NORTH Lab investigators
I hold a Chair in Applied Psychology at Northumbria University and am a Visiting Professor at Newcastle University. My work primarily addresses issues of identity, trust and security in new social media, seeking answers to three main questions: Why and when do we feel secure in disclosing sensitive identity information about ourselves? What makes us trust an electronic message? How and when do we seek to protect our privacy?
In the last five years, I’ve secured over £2m in research funding, have published over forty articles on human perceptions of trust, privacy and security in computer-mediated communication and have developed, with colleagues, a new model of health advice-seeking online. I’m one of the founder members of the UK's Research Institute in the Science of Cybersecurity, funded by GCHQ in association with RCUK's Global Uncertainty Programme and my most recent research awards address both usable and inclusive privacy and security.
My latest projects (see projects page) concern cybersecurity across the lifespan (cSALSA), the human side of cyber and cloud crime (CRITICAL) and attitudes and decision-making behaviours around cyberinsurance (CYBECO). I’m also a co-investigator on the Digital Economy Research Centre (DERC), where I’ve been exploring ways to democratise context-relevant data collection and analysis and exploring the design of digital platforms for social action.
Lynne Coventry is the Director of PaCT Lab (Psychology and Communication Technology) at the University of Northumbria. Lynne is best known for her work on usable security, particularly biometrics.
Her research interests are varied, and she is currently involved in research exploring the role of communication technology in the lives of older adults to facilitate mobility and inclusion, the role of trust in students’ use of online information, the usability of medical products and the design of usable security. She is an applied researcher who enjoys working in multidisciplinary teams to solve real problems. She is keen to explore new ways of integrating psychology into design and technology development processes.
She has a multidisciplinary background with a BSc in Psychology and Computing Science, an MSc in Software Engineering and a PhD in Human-Computer Interaction. While her early career was spent as a research fellow and lecturer at Stirling University, Heriot-Watt and Dundee University, the majority of her career has been as a researcher within industry (both computing and medical products), working to incorporate understanding of people, their use and acceptance of technology into the requirements and design process.
Lynne is a founding member of the Scottish Usability Professional Association and a previous vice president. Lynne is a founding member of STEPS, the current Editor of Interfaces (a British Computer Society magazine) and a reviewer for a number of international conferences and journals.
James is a Lecturer in the School of Computer and Information Sciences. James is interested in many aspects of cybersecurity and privacy, including usable security, social engineering, lay users’ understanding of cybersecurity, multifactor authentication, everyday surveillance, and inclusive cybersecurity.
Previously, James was a senior researcher in PaCT Lab working on the Cybersecurity Across the Lifespan (cSALSA) project. The project explores how cyber-security is understood, and the attitudes and behaviours of people to cyber-security and risk. During his time in PaCT Lab, James also worked on Choice Architecture for Information Security (ChAISe), Digital Economy Research Centre (DERC), and the Horizon 2020 project CYBECO. Prior to PaCT Lab, James worked at Open Lab, Newcastle University on the TEDDI and SiDE projects.
James’ work has focused on improving user authentication, both by repurposing existing graphical authentication systems and by evaluating novel ones. He is also interested in user privacy and how groups of users (children, parents, older adults) experience location tracking technologies, as well as how CCTV video can be crowdsourced to de-centralise the surveillance landscape. More recently, he has developed tools and methodologies for uncovering and understanding employees’ mental models of security threats with the aim of improving training programmes and/or organisational policies, as well as practical means for improving users’ protection against these security threats (e.g. phishing).
James obtained his BSc (Information Systems) from Newcastle University in 2008, and his MRes in Psychology from Northumbria University in 2009. James’ PhD work – completed in 2012 – explored user authentication in the context of older adults under the supervision of Professor Lynne Coventry and Professor Pam Briggs.