Systematic Decision Making in Security Management: Modelling Password Usage and Support

David J. Pym; Simon Arnell; Adam Beautement; Philip Inglesant; Brian Monahan; Angela Sasse

Systematic Decision Making in Security Management: Modelling Password Usage and Support

David J. Pym, Simon Arnell, Adam Beautement, Philip Inglesant, Brian Monahan, Angela Sasse

Computing Science

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

Abstract

We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.

Original language	English
Title of host publication	HP Laboratories Technical Reports
Publisher	HP Laboratories
Number of pages	12
Publication status	Published - 21 Mar 2011
Event	QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS - Pisa, Italy Duration: 14 Sept 2012 → 14 Sept 2012

Conference

Conference	QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS
Country/Territory	Italy
City	Pisa
Period	14/09/12 → 14/09/12

Keywords

security analytics
security management
economics
password

Access to Document

https://www.hpl.hp.com/techreports/2011/HPL-2011-36.pdfLicence: Unspecified

Cite this

Pym, DJ, Arnell, S, Beautement, A, Inglesant, P, Monahan, B & Sasse, A 2011, Systematic Decision Making in Security Management: Modelling Password Usage and Support. in HP Laboratories Technical Reports., HP-2011-36, HP Laboratories, QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS, Pisa, Italy, 14/09/12. <https://www.hpl.hp.com/techreports/2011/HPL-2011-36.pdf>

@inproceedings{608bd3d1905f4b6592f550576671c471,

title = "Systematic Decision Making in Security Management: Modelling Password Usage and Support",

abstract = "We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.",

keywords = "security analytics, security management, economics, password",

author = "Pym, {David J.} and Simon Arnell and Adam Beautement and Philip Inglesant and Brian Monahan and Angela Sasse",

year = "2011",

month = mar,

day = "21",

language = "English",

booktitle = "HP Laboratories Technical Reports",

publisher = "HP Laboratories",

note = "QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS ; Conference date: 14-09-2012 Through 14-09-2012",

}

TY - GEN

T1 - Systematic Decision Making in Security Management

T2 - QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS

AU - Pym, David J.

AU - Arnell, Simon

AU - Beautement, Adam

AU - Inglesant, Philip

AU - Monahan, Brian

AU - Sasse, Angela

PY - 2011/3/21

Y1 - 2011/3/21

N2 - We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.

AB - We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.

KW - security analytics

KW - security management

KW - economics

KW - password

UR - https://www.cantab.net/users/david.pym/ABIMPSFinal.pdf

UR - https://www.labs.hp.com/hplabs/index

M3 - Published conference contribution

BT - HP Laboratories Technical Reports

PB - HP Laboratories

Y2 - 14 September 2012 through 14 September 2012

ER -

Systematic Decision Making in Security Management: Modelling Password Usage and Support

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this