PROCEEDINGS of the HUMAN FACTORS and ERGONOMICS SOCIETY 55th ANNUAL MEETING - 2011 1115

Human Performance in Cybersecurity: A Research Agenda

Michael W. Boyce (1), Katherine Muse Duma (2), Lawrence J. Hettinger (3), Ph.D., Thomas B. Malone (4), Ph.D., Darren P. Wilson (1), Janae Lockett-Reynolds (1), Ph.D.

(1) Department of Homeland Security, Science and Technology Directorate, Human Factors / Behavioral Sciences Division, Washington, DC
(2) Booz Allen Hamilton, McLean, VA
(3) Liberty Mutual Research Institute for Safety, Hopkinton, MA
(4) Carlow International, Potomac Falls, VA

This paper provides an overview of critical areas of human performance research required to support the development and deployment
of effective cybersecurity systems. These areas include usability and security compliance, mitigation of human error and risk
reduction, enhancement of situation awareness, and development of effective visualization tools and techniques. We describe the
nature of the research and development efforts required to support effective human-centered design of cybersecurity systems and
make specific recommendations for near-term work in this area.

Not subject to U.S. copyright restrictions. DOI 10.1177/1071181311551233

INTRODUCTION

President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America's economic prosperity in the 21st century will depend on cybersecurity” (White House Press Release, May 29, 2009). Cybersecurity poses many challenges to human performance, both in the use of computer systems and in interfacing with computer security provisions. This paper offers an overview of critical human performance research issues whose examination is vital for the development and deployment of effective cybersecurity systems.

Cybersecurity can be defined as measures designed to protect a computer or a computer system against unauthorized access or attack. The importance of addressing human performance issues in cybersecurity is recognized in the pending Senate Bill S.4380, “Protecting Cyberspace as a National Asset Act of 2010”, which seeks to establish in the Executive Office of the President an Office of Cyberspace Policy which will establish research and development priorities. Section 238, Cybersecurity Research and Development, describes requirements for research and development including efforts to understand behavioral factors that affect cybersecurity technology and practices. The Senate Bill also calls for the development and implementation of an identity management strategy for cyberspace, which shall include, at a minimum, research and development goals, an analysis of appropriate protections for privacy and civil liberties, and mechanisms to develop and disseminate best practices and standards relating to identity management, including usability and transparency. Likewise, the pending House Bill H.R. 4061, the “Cybersecurity Enhancement Act of 2010”, Section 112, states that the National Center of Excellence for Cybersecurity shall perform research on cybersecurity social and behavioral factors, including human-computer interactions, usability, user motivations, and organizational cultures. Section 204 of the House Bill, “Identity Management Research and Development”, contains a requirement to improve the usability of identity management systems. One reason for this focus is that, as stated in the recently published Department of Homeland Security (DHS) Information Technology Sector Baseline Risk Assessment (2009), human factors in the design, control, and management of identity management systems remain the greatest risk to effective cybersecurity system operation.

Research on human performance in relation to cybersecurity must begin with determining which tasks are necessary according to the user roles, responsibilities, and requirements, to assist in assessing user behavior, performance and proficiency. The tasks are listed in Table 1.

Table 1: Tasks Performed by a Cybersecurity System

- Gain access
- Follow / update security procedures
- Maintain prevention / detection countermeasures
- Conduct security awareness / procedures training
- Conduct cybersecurity risk analysis / audits
- Mitigate intrusion effects
- Provide authentication
- Manage accounts
- Provide operations monitoring
- Detect intrusion attempts
- Respond to cybersecurity incidents
- Report on incidents
- Deny access

There are various ways to approach these tasks. Some may be entrusted to machine algorithms while others are entirely an individual person’s responsibility, and for still others both human and machine have a role to play. Moreover, where humans are involved the key actors may be cybersecurity professionals, computer users, administrators/supervisors in various roles or some combination thereof. Some security interventions, including some that may be among the most effective, such as entrance barriers to rooms containing secured computers requiring credential presentation, are no different in kind than similar precautions that are taken for security reasons outside the cybersecurity world. Therefore, safeguards of this sort are not included in the discussion in this paper. This article focuses on measures that are primarily if not exclusively protective in the cybersecurity world.

A focus on the human element is important not just because people often have capacities to contribute to cybersecurity that machines lack, but also because a cybersecurity system can be no stronger than its weakest link.
In many situations the potential for accidental or intentional subversion of security by a person will be the system’s weakest link. Research is needed to determine where cybersecurity systems of different sorts are most vulnerable, and the best ways to allocate the responsibility for plugging different vulnerabilities between humans and machines. The roles people play in creating and overcoming vulnerabilities must be identified for specific systems based on the system’s task performance requirements. These include time to complete, required accuracy and reliability levels, any human involvement mandated by policy or regulations, the availability of state-of-the-art technology, required information, user knowledge and skills, and decision requirements. Frequent capability gaps include uncertainties in defining the human role within the cybersecurity “ecosystem” (DHS, 2011), implementing this role effectively, providing technical support to enable and/or facilitate human performance, and knowing what knowledge and procedures will optimize the interaction between the user and the automated processes. Human performance research issues include usability and security compliance, human error reduction / risk reduction, situation awareness, and visualization of large and complex datasets.

PREVIOUS WORK

The Government Accountability Office (GAO) report entitled “Technology Assessment: Cybersecurity for Critical Infrastructure Protection” (2004) argued that there must be a strong relationship between people, technology, and processes in order to develop a strong cybersecurity infrastructure. The report cited instances where configuration of technology leads to human error, which in turn leads to system vulnerability, and identified four areas of special concern:

• Access control and the use of user names and passwords
• Failure to follow procedures
• Poorly configured network components
• Poor configuration management: administrators who lack knowledge of underlying system processes, and outdated interfaces and software components, make the systems vulnerable to internet attacks.

Our assessment of human performance research requirements was developed with the above areas of concern, and others, in mind. The intent is to provide information on priorities and concerns in the cybersecurity domain and to provide recommendations for potential HSI research, development and assessment activities.

A goal of this effort is to facilitate the creation of cybersecurity systems that are error tolerant, through the use of task modeling. Task modeling identifies tasks which have a high likelihood of error occurrence and high consequences. This modeling analysis identifies areas that are priorities for better incorporation of Human Systems Integration (HSI) processes in the design of cybersecurity systems, drawing on research relating to usability, human error, situation awareness and visualization. These areas directly involve human-system interaction and systematic consideration of the vulnerabilities and potentialities in this relationship and will enable improved system retrofitting and development.

PREVIOUS FINDINGS

Usability and Security Compliance of User Interfaces

The American National Standards Institute (ANSI, 2001) defines usability as “the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use” (p. 2). In the realm of cybersecurity, usability is enhanced by increasing user acceptance and satisfaction (reducing confusion and frustration) and by reducing user cognitive workload. Usability may also be enhanced by reducing the potential for and impact of human error, and this applies not only to enterprise cybersecurity but to personal computer cybersecurity as well. There are multiple issues to consider with respect to the usability of cybersecurity interfaces. One issue that most cyber systems have is multiple users working in multiple environments, many with differing needs. Thus, the DHS National Cyberspace Strategy lays out five major groups of users with differing roles and responsibilities for ensuring the proper execution of cybersecurity: (1) Home User / Small Business, (2) Large Enterprises, (3) Critical Sectors / Infrastructures, (4) National Issues and Vulnerabilities, and (5) Global. Within these major groups, there are security policy makers, software developers, security officers who must analyze and monitor the security data, and the users of the system itself. Each of these groups of users has different perspectives on how to implement and use cybersecurity, reflecting their different interests, knowledge, needs and responsibilities.

To complicate things even further, not only are there multiple users with multiple needs, but, as the United States Computer Emergency Readiness Team (US-CERT) tells us, there are also multiple areas of vulnerability to keep in mind. Vulnerability concerns include those associated with passwords, anti-virus software, firewalls, virus/spyware defense, instant messaging, Skype, chat rooms, social networking, mobile devices, USB devices, wireless networks and electronic data, among other potential points of error and/or attack. Each of these areas of vulnerability has unique characteristics, often including different user interface requirements.

The explosive growth of mobile computing technologies (e.g., smart phones) has, for example, raised serious cybersecurity issues, many of which have implications for human interface design. As noted by US-CERT, mobile technologies are increasingly used in the same way as personal computers and are therefore susceptible to the same threats that affect any computer system connected to the internet (US-CERT, 2010). The convenience of mobile technologies makes them especially attractive for such uses as on-line banking and other financial transactions, social networking, emailing, etc. Mobile technologies also provide information, such as the location of the user, that is often not available with more traditional PC technology. Clearly, the ease of use that makes such application of mobile technologies possible must be counterbalanced with comparable emphasis on safe and secure operations. As mentioned above, passwords and password management are a key area of vulnerability. As potential systems used to compromise security systems become faster
and more proficient at deciphering passwords, there is a need for increased security. This often gets interpreted as a need for more complex passwords. The thought process is that complexity will maintain difficulty in guessing the correct password. Additionally, multiple passwords are often needed for multiple accounts with varying levels of security, and password updates are required with differing frequencies depending on the system. Many times this can lead to forgotten passwords, interfering with productivity, or people write their password down or place it in a single simple password keeper to reduce their mental workload, defeating the purpose of requiring a password for security reasons. A study undertaken by Parkin et al. (2010) allowed software developers and cybersecurity policymakers to see and understand what effect and/or consequences their cybersecurity software and policies had on users. The results demonstrated a disconnect between software developer / policy maker decisions and user needs. This not only indicates the need for training policy-makers and software developers to better understand users, but also illustrates the need to involve users at every stage of the development process, as they provide applied information which can guide development.

An issue not mentioned by US-CERT is users’ perception of vulnerability and awareness of their own cybersecurity risks. According to West (2008), “…people tend to believe they are less vulnerable to risks than others…People also believe they are less likely to be harmed by consumer products compared to others”. West attributed this in part to the fact that cybersecurity has no “visible threat”, and is associated with abstract consequences. One result is that users are not fully aware and do not fully understand the safety implications/consequences associated with poor cybersecurity habits and are therefore less motivated to actually implement cybersecurity measures. Another result is that cybersecurity specialists and designers often impose requirements on people who see no need for them and who, if the requirements are user unfriendly, subsequently construct inherently insecure work-arounds. What is needed are workable mitigation strategies, either through improved usability and interface design to make cybersecurity measures easier to understand and implement, or through training or alerts to increase awareness of risks and consequences, or some combination of these.

Critical to the success of a cybersecurity system is that users understand how to use its protections as well as the benefits of use and consequences or risks of not using it. Such knowledge can be imparted by training, but should also be enhanced through features of the user interface design. It is equally important for security policy makers and software designers to understand users’ operational requirements, and understand the effect that policy/software design may potentially have on them. In addition, cybersecurity professionals should bear in mind that the goal of their task is to facilitate missions that belong to others. A completely bullet-proof system that substantially hampers the ability of users to accomplish their mission is not always preferable to a system that is far more facilitative but runs some security risk. The best outcome will depend on the costs and values at stake.

Human Error Reduction / Risk Reduction

The GAO reported in 2004 that reviews of cybersecurity controls at federal agencies uncovered numerous instances where the effectiveness of technology was limited through improper configuration of the technology (by humans) or through human errors. Gross (2004) reported that human error, not technology, is the most significant cause of IT security breaches today, according to a security survey released by the Computing Technology Industry Association Inc. (CompTIA).

In addition to frustration regarding passwords, one of the most common areas of human error is authentication. This in turn causes increased likelihood of threat intrusion and increased enterprise costs. Parkin et al. (2010) state that significant effort has been dedicated to providing alternative, more usable authentication mechanisms. Commercially, there has been significant investment in biometrics to replace password authentication with authentication via fingerprints, retinal eye scan, etc. However, in a recent study on password use in organizations it was found that little has changed: single sign-on is at best partially implemented, there are short timeouts on services leading to a need for frequent re-authentication, and users are still required to generate complex passwords without regard to how these address the real threats. Even where single sign-on mechanisms exist, legacy systems and increasing use of third party services mean that individual users still have many passwords to cope with. The consequence of this reality is that users are forced to organize primary tasks around the password mechanism. Considering only web-based services, Parkin et al. (2010) found that the average user has 25 web accounts and, since users cope by re-using passwords across several accounts, an average of 6.5 passwords each.

As with research on reducing password system complexity, authentication research should encompass both design approaches and training methods. Although it is true that training users can help their performance, training in and of itself will do little to reduce the incidence and impact of human errors. As is true in any software system implementation, user interfaces, security processes, routines and techniques must be based on a user-centered design approach addressing the proper allocation of security functions to a human or automation. To do so, user interfaces must be designed in accordance with human factors design criteria.

Research is needed to determine the types of errors associated with the different human roles that figure in the cybersecurity tasks listed in Table 1, and to assess the risk associated with these errors. The risk determination will identify the likelihood of errors in alternate scenarios, the consequences of any errors, and mitigation strategies to reduce error likelihoods and/or the consequences. For example, studies can help determine how to make systems error tolerant so that erroneous actions can be detected and corrected before serious consequences are realized and with the least amount of inconvenience to the user.
Situation Awareness in Cybersecurity

In the field of cybersecurity, situation awareness is the ability to assess data, evaluate options, and make decisions in a timely manner. Analysts are often charged to examine all traffic coming through the network for vulnerabilities and efforts to exploit them. Providing contextual clues can assist in guiding individuals to the locations they should regard most closely and enable faster decisions (Daniel et al., 2010). Intrusion detection systems also exist to assist users. However, such systems often don’t allow speedy decisions because of the time they take for data analysis. This in turn can reduce user performance. One way to improve this analytic process is through the summation of information, in addition to individualized information which can be leveraged when additional information is needed (Daniel et al., 2010).

Currently throughout the Department of Homeland Security (DHS), there are growing initiatives to increase capabilities through partnerships with counterparts throughout the world. Information sharing is one aspect that can greatly improve situation awareness in cybersecurity. This becomes relevant from a user perspective as an analyst now is a part of an international cybersecurity community. If countries can work at cybersecurity issues jointly, the information resources available to all would increase, thereby increasing cybersecurity knowledge and capabilities at a uniform and large scale level (Takeshi, Hiroyuki, & Youki, 2010).

Cybersecurity and Visualization

One of the most pressing problems in the design and use of cybersecurity systems involves supporting the user’s ability to quickly and accurately extract the information needed to perform required operations. The sheer volume of information that characterizes cybersecurity operations, as well as the rapid speed with which events unfold, presents difficult design challenges. Human-computer interfaces for cybersecurity applications must be able to reliably accomplish the following:

• Operator situation awareness must be maintained at a consistently high level, and in such a manner that cognitive workload is maintained in an acceptable range. Current designs that rely heavily on the user’s own ability to maintain high levels of sustained situation awareness over lengthy periods of time are particularly at risk for human error.
• Maintaining separation of signal (i.e., information) from noise (i.e., random interference) in visual and/or auditory displays is essential to effective cybersecurity human-system performance.
• Interface design must be directly tied to the user’s information requirements and must be flexible and agile enough to respond rapidly to the ever changing landscape of the cybersecurity operational environment.

For these reasons and because of the importance of the enterprise, understanding the potential sources of human error in cybersecurity and designing features to mitigate its occurrence is critical. As noted above and elsewhere (e.g., Bean, 2008; Claburn, 2008), human error is cited as the leading cause of information system security failure in 50-80% of instances.

Given the vast and complex nature of cyber space, interface design approaches that capitalize on recent advances in complex data set visualization are well worth exploring. Current users of cybersecurity systems are often required to process large amounts of graphical information whose meaning and interrelationships are not always clear.

DISCUSSION

This research agenda for addressing human performance in cybersecurity systems identifies many of the major human performance research issues to be encountered in the design and deployment of cybersecurity systems. Required research activities include methods for enhancing usability, user-automation interaction, procedures and user interfaces, situation awareness and decision support, alarms and alerts, and help utilities. This work was funded by the Department of Homeland Security, Science and Technology Directorate, Human Factors / Behavioral Sciences Division, Human Systems Research and Engineering Program.

Vulnerability Assessment Procedures

As described above, usability is a major challenge to cybersecurity systems and directly affects vulnerability. The research requirement is to assess user interface design concepts in terms of their usability, and to develop a set of design guidelines that ensure usability. Usability assessments usually constitute two interrelated approaches: a heuristic evaluation using HSI experts determining the extent to which a design conforms with HSI design standards; and a performance evaluation entailing representative users conducting selected sequences of tasks under representative conditions, with systematic collection of measures of performance, including quantitative measures of performance, and qualitative opinions of the users. For authentication techniques, usability should address issues beyond ease of use, including human error potential and user workload. Any proposed technique to replace or supplement the use of passwords, such as tokens, cards, or biometrics, will need to be assessed in terms of user interface usability.

User-Automation Interaction

Much of the surveillance and monitoring to support cybersecurity, detect attempted intrusions or identify outright attacks has been automated, due in large part to the large amounts of data to be monitored and the short timeframe available for detection. The optimal roles of the user in such surveillance systems need to be established, and the information and user interfaces needed to support these roles must be defined through empirical research. In addition, the interactions between human users and automation must be clearly defined to avoid “automation surprises” and situations where the user lacks needed oversight of what the automation is doing.
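The following is an added example, written for this edited page and not code from the paper, DHS or its authors. It sketches the kind of automation this section asks for, combined with the unified alert fusion called for later under Alarms and Alerts: repeated sensor alerts for one host and category inside a time window are fused, scored by severity, repetition and agreement between independent sensors (association), and then either queued or escalated to an analyst with a written rationale; a host-level summary gives the overall state of system security. The automation never blocks or remediates anything on its own, so the analyst always retains oversight and there is no automation surprise. The alert records, sensor names, hosts, window length and escalation threshold are all constructed for the illustration.

```python
"""Alert fusion with a human in the loop (added example; all data constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample alerts, not real sensor output.
# Fields: timestamp (s), sensor, host, category, severity 1-5.
SAMPLE_ALERTS: List[Tuple[int, str, str, str, int]] = [
    (100, "ids",  "ws-17",  "brute_force", 3),
    (101, "ids",  "ws-17",  "brute_force", 3),
    (102, "ids",  "ws-17",  "brute_force", 3),
    (103, "ids",  "ws-17",  "brute_force", 3),
    (130, "auth", "ws-17",  "brute_force", 2),  # a second sensor reports the same host
    (140, "av",   "ws-17",  "malware",     4),  # a different category on the same host
    (150, "ids",  "srv-02", "port_scan",   1),
    (151, "ids",  "srv-02", "port_scan",   1),
    (900, "ids",  "ws-03",  "brute_force", 3),  # far outside the ws-17 burst
]

WINDOW_S = 300       # alerts on one host/category within this many seconds are fused
ESCALATE_AT = 4.0    # priority at or above which a person must make the decision


@dataclass
class FusedAlert:
    host: str
    category: str
    first_seen: int
    last_seen: int
    count: int
    sources: set = field(default_factory=set)
    max_severity: int = 0
    priority: float = 0.0
    disposition: str = ""   # "escalate" or "queue"; automation never blocks on its own
    rationale: str = ""     # plain-language reason shown to the analyst


def fuse_alerts(alerts, window=WINDOW_S) -> List[FusedAlert]:
    """Collapse repeats of the same host/category that fall inside `window` seconds."""
    fused: List[FusedAlert] = []
    open_groups: Dict[Tuple[str, str], FusedAlert] = {}
    for ts, sensor, host, category, severity in sorted(alerts):
        key = (host, category)
        group = open_groups.get(key)
        if group is None or ts - group.first_seen > window:
            group = FusedAlert(host, category, ts, ts, 0)
            open_groups[key] = group
            fused.append(group)
        group.last_seen = ts
        group.count += 1
        group.sources.add(sensor)
        group.max_severity = max(group.max_severity, severity)
    for g in fused:
        # Score: base severity, plus up to +2 for repetition, plus +1 for every
        # extra independent sensor that agrees (the association signal).
        g.priority = g.max_severity + 0.5 * min(g.count - 1, 4) + (len(g.sources) - 1)
    return sorted(fused, key=lambda g: g.priority, reverse=True)


def triage(fused: List[FusedAlert], threshold=ESCALATE_AT) -> List[FusedAlert]:
    """Assign dispositions: at or above the threshold a person decides, with a
    rationale attached; everything else is queued for review, never dropped."""
    for g in fused:
        reason = (f"{g.count} '{g.category}' alert(s) on {g.host} from {sorted(g.sources)} "
                  f"between t={g.first_seen}s and t={g.last_seen}s, "
                  f"max severity {g.max_severity}, priority {g.priority:.1f}")
        if g.priority >= threshold:
            g.disposition = "escalate"
            g.rationale = "Needs analyst decision: " + reason
        else:
            g.disposition = "queue"
            g.rationale = "Queued for review, no automatic action: " + reason
    return fused


def assess_state(fused: List[FusedAlert], threshold=ESCALATE_AT) -> Dict[str, object]:
    """Summarize system security state. A host with an escalated alert plus
    activity in a second category is treated as a possible multi-stage intrusion."""
    per_host: Dict[str, Dict[str, float]] = {}
    for g in fused:
        per_host.setdefault(g.host, {})[g.category] = g.priority
    rank = {"normal": 0, "elevated": 1, "critical": 2}
    state = "normal"
    for cats in per_host.values():
        if max(cats.values()) >= threshold:
            host_state = "critical" if len(cats) > 1 else "elevated"
            if rank[host_state] > rank[state]:
                state = host_state
    return {"state": state, "hosts": per_host}


def run(alerts=SAMPLE_ALERTS):
    """Fuse, triage and summarize; returns (fused alerts by priority, state summary)."""
    fused = triage(fuse_alerts(alerts))
    return fused, assess_state(fused)


if __name__ == "__main__":
    fused, summary = run()
    print("system state:", summary["state"])
    for g in fused:
        print(f"[{g.disposition:8}] {g.rationale}")
```

On the sample data the five ws-17 brute-force alerts from two sensors fuse into one record with priority 6.0 and the ws-17 malware alert scores 4.0, both escalated; the srv-02 scan and the lone ws-03 alert are queued, and because ws-17 has escalated activity in two categories the overall state is reported as critical. The design point is that the human is handed fewer, richer items together with the reason each was raised, which is the oversight the section argues automation must preserve.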
Procedures and User Interfaces

Research is needed on user procedures and interfaces to support initiating, monitoring, supervising, conducting, managing and verifying cybersecurity activities and incidents. Procedures must be intuitive, consistent, and compatible with the cognitive and computer literacy skills of the user. Research concerns include providing feedback to verify correct performance and control of cognitive workload of the user.

Situation Awareness and Decision Support

Information must be displayed to the user on what is happening in the cybersecurity space and what can be expected in the near future. Decision aids will be needed to select a decision and implement it in a way that will reduce the potential for human error or at least to convey to the user that an error has occurred and how it can be corrected. Decision aiding software and adaptive algorithms are needed to reliably respond to variations in the user’s operational state.

Alarms and Alerts

Alarms and alerts will be needed to bring to the user’s attention events that require cognizance if not action. Features of alarms and alerts need to be empirically investigated to enhance attention-getting potential and the clarity with which they identify problems, without adding to the potential for error. A high priority here is the development of unified alert fusion models which prioritize alerts, identify associations and assess the state of system security.

Help Utilities

Research is needed on online help to provide procedural aids, recovery from errors, and advice without requiring the user to exit the application and with minimal waste of time and training.

CONCLUSIONS

Effective human performance is critical to the successful implementation and operation of cybersecurity processes, facilities and provisions. Although the research areas discussed in this paper are in most cases not new, considerable work within each is required to support the effective design and deployment of cybersecurity. This research should follow the accepted human factors approach of achieving full integration of the human with other elements of the cybersecurity system. The focus on the roles of the human in operating, supervising and monitoring cybersecurity systems, and on the requirements attendant to these roles, will produce human performance research findings and results that will help to effectively and economically integrate the user into the cybersecurity system.

REFERENCES

ANSI (2001). Common Industry Format for Usability Test Reports, ANSI-NCITS 354-2001. American National Standards Institute.
Bean, M. (2008). Human error in IT security breaches. http://www.newhorizons.com/elevate/network%20defense%20contributed%20article.pd
Claburn, T. (2008). Human error cited as greatest security threat. Information Week. http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=213002007
Daniel, M. B., Shawn, B., Douglas, L., Adam, W., & William, A. P. (2010). Real-time visualization of network behaviors for situational awareness. Paper presented at the Proceedings of the Seventh International Symposium on Visualization for Cyber Security, Ottawa, Ontario, Canada.
Department of Homeland Security (2011). Enabling distributed security in cyberspace: Building a healthy and resilient cyber ecosystem with automated collective action. www.dhs.gov/xlibrary/assets/nppd-healthy-cbyer-ecosystem.pdf
GAO Report 04-321 (2004). Technology Assessment: Cybersecurity for Critical Infrastructure Protection. http://www.gao.gov/new.items/d04321.pdf
Gross, G. (2003). “Human error causes most security breaches.” IDG News Service.
Parkin, S., van Moorsel, A., Inglesant, P., & Sasse, A. (2010). A Stealth Approach to Usable Security: Helping IT Security Managers to Identify Workable Security Solutions. Paper presented at the Proceedings of the 2010 New Security Paradigms Workshop, Concord, Massachusetts.
Takeshi, T., Hiroyuki, F., & Youki, K. (2010). Building ontology of cybersecurity operational information. Paper presented at the Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, Oak Ridge, Tennessee.
United States Computer Emergency Readiness Team (US-CERT) (2011). Cyber threats to mobile devices (Technical Information Paper TIP-10-105-01). http://www.us-cert.gov/reading_room/TIP10-105-01.pdf
United States Computer Emergency Readiness Team (US-CERT) (2011). Cybersecurity Tips. Retrieved January 24, 2011, from http://www.us-cert.gov/cas/tips/
U.S. Department of Homeland Security (2003). The National Strategy to Secure Cyberspace. Retrieved from http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf
U.S. Department of Homeland Security (2009). National Infrastructure Protection Plan: Partnering to Enhance Protection and Resiliency. Retrieved from http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf
U.S. Senate S.4380 (2010). Senate Bill “Protecting Cyberspace as a National Asset Act of 2010”.
West, R. (2008). The Psychology of Security: Why do good users make bad decisions? Communications of the ACM, 51(4), 34-40.
White House Press Release (2009). Remarks by the President on Securing our Nation’s Cyber Infrastructure. http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/