Human Error in Cyber Security
Literature Review
Antti Ollila, 24.2.2016
KOG520
University of Jyväskylä

• Computers…
  ◦ …are logical
  ◦ …are bad at making informed decisions
  ◦ …do not make mistakes
  ◦ …are designed, operated, built and maintained…
  ◦ …by humans
(Saariluoma 2013, TJTA103 opening lecture)

• Humans can be…
  ◦ …unskilled
  ◦ …taking unnecessary risks
  ◦ …careless
  ◦ …tired, sick, etc.
• Humans are needed to make technology work
(Saariluoma 2013, TJTA103 opening lecture)

• Happens everywhere
  ◦ and all the time
• Email to wrong recipient
• Cashier giving too much change
• More complexity, bigger impact
  ◦ UK: disclosed personal information on 25m citizens
  ◦ Italy: Costa Concordia
  ◦ Finland: Nokia Water Crisis

• 3rd most significant threat in 2003 (Whitman)
• 46% of cyber security incidents in the UK 2011-2012 (Lee)
• Weakest link in the cyber security chain

Whitman, M. E. (2003). Enemy at the gate: threats to information security. Communications of the ACM, 46(8), 91-95.
Lee, M. G. (2012, October). Securing the human to protect the system: Human factors in cyber security. In System Safety, incorporating the Cyber Security Conference 2012, 7th IET International Conference on (pp. 1-5). IET.

• Google Scholar, IEEE Xplore, ScienceDirect
  ◦ "Cyber Security Human Error"
  ◦ "Cyber Security Human Factor"
  ◦ "Usable Security"
  ◦ "Cyber Security Usability"
  ◦ Years 2010-2016
• Forward searching from articles found or read before

• Toward Automated Reduction of Human Errors based on Cognitive Analysis (Miyamoto, D. & Takahashi, T. 2013)
• Securing the Human to Protect the System: Human Factors in Cyber Security (Lee, M. G. 2012)
• Measuring the Human Factor of Cyber Security (Bowen et al. 2011)
• Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness (Akhawe, D. & Felt, A. P. 2013)
• Guidelines for Usable Cybersecurity: Past and Present (Nurse et al. 2011)

• Framework to gather data to understand human error
• Less biased than questionnaires
• Cognitive psychology
  ◦ Monitor eye movement and facial skin temperature when performing tasks

• Well-Meaning Insider
  ◦ slips
  ◦ lapses
  ◦ mistakes
• Malicious Insider
  ◦ violations
• Malicious Outsider
• 46% by well-meaning insiders, 17% violations

• Training system to prevent phishing
• Generates phishing emails and tracks the success rate
• In the test group (2000 university students and staff) no successful phishing attempts after 4 iterations

• Study on browser warning messages
• Sample of ~25m interactions
• Malware warnings
  ◦ 7.2% Firefox, 23.2% Chrome
• Good design can increase security

• Overly complex security systems might lead to weakened security
• 19 design guidelines for better usability
• Usability and security do not have to be seen as competing system goals

• Security is rarely the primary task
• Not everyone is a security specialist
  ◦ and even the experts make errors
• Human error is a significant threat to information security...
• ...but it can be mitigated to some extent by design and training

"Companies spend millions of dollars on firewalls and secure access devices, and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems"
- Kevin Mitnick