While mistakes by users are estimated to be responsible for up to 60% of computer security breaches, human factors are often overlooked when the security of computer networks is tested.
That is mainly because human tests are costly and very hard to repeat, says Jim Blythe, a computer scientist at the University of Southern California’s (USC's) Information Sciences Institute (ISI) in Marina del Rey, CA, and USC’s Viterbi School in Los Angeles.
As a result, Blythe, who is the project's technical lead researcher, and his team have removed humans from the equation and turned to what they call "cognitive agents"—software that can be fine-tuned to make the same "human errors" that their real-life counterparts frequently make.
Such errors, which can leave networks vulnerable to attack, can result when humans ignore or misunderstand warnings, underestimate danger, download infected files, or disable security mechanisms. Also, human frailties such as hunger, fatigue, the need to take breaks at regular intervals, the urge to do some Web browsing, and even the need to go to the bathroom can take their toll.
While no attempt was made to itemize, say, the "top 10 errors" that affect system vulnerability, Blythe reports his team was careful to copy the literature available on human physiology and to program in representative pressures likely to affect performance.
The work of the team is described in a paper delivered at the 23rd IAAI Conference on Artificial Intelligence.
"We are building a tool that anybody testing cybersecurity can use to duplicate the human element in the process," says Blythe. "Until now, there has been much greater emphasis on the theoretical efficacy of security tools rather than how they will work when people are involved in the loop."
After about a year of working on infrastructure, the ISI team is still at a very early stage in the tool’s development, says Blythe.
"One interesting thing we’ve learned is that the structure of the organization turns out to be very important to the impact of an attack," he says. "If you can train several of your workers to respond to an attack rather than there being an over-reliance on one or two IT agents—or if you can have several people on call—you can reduce the vulnerability of the organization as a whole to that attack."
The timeline for availability of the DARPA-funded tool depends on the progress of preliminary talks ISI is currently holding with DETERlab, the Department of Homeland Security- and National Science Foundation-sponsored laboratory for security experiments. "If and when it is agreed that our tool will be placed on their platform," says Blythe, "it can be much more easily disseminated."
In the meantime, additional information on the ISI tool can be had by contacting the ISI team.
Paul Hyman was editor-in-chief of several hi-tech publications at CMP Media, including Electronic Buyers’ News.