Building Trust By Communicating Risk
Dr. L. Jean Camp
Director Security Informatics, Indiana University - Bloomington
Thursday, November 14th, 2013
2:00 p.m., 1000 SEO Building
Abstract:
Computer security mechanisms involve the mitigation of risk; operating a computer and interacting with the network requires a myriad of trust decisions. Security risk mitigations depend not only on technical mechanisms but also on human decision-making and subsequent behavior. Current practice is to treat human risk behaviors as interaction or usability requirements to be addressed with a gloss over an otherwise complete system. We argue instead for the application of human trust and risk decision heuristics applied not as a gloss but rather as design constraints via a taxonomy of likely behaviors. Thus well-documented irrational heuristics as well as rational incentives can be integrated into the design of technical security mechanisms. Human and organizational behaviors are as much constraints on network security designs as bandwidth and processing power. In order to illustrate how this fails in certificate design, I illustrate the theoretical failures of trust in current certificate applications and show how these occur in practice.
Bio:
Professor L. Jean Camp’s core interest is human-centered security and privacy. This interest spans domains from home-based computing to human interactions to reduce routing errors. It was the interdisciplinary focus that led Prof. Camp from graduate electrical engineering research in North Carolina to the Department of Engineering and Public Policy at Carnegie Mellon, and it remained her core interest as a Senior Member of the Technical Staff at Sandia National Laboratories. At Sandia National Laboratories her work focused on computer security. She left Sandia National Laboratories for Harvard’s Kennedy School, focusing on technology policy in the realms of security and privacy. As a Professor in Informatics her research addresses human-centered design in security and privacy as well as economics of security. See http://www.ljean.com for more information.