Engineering and Technology Approaches to Information Security
Clarke (2001) described five main areas of information security: service integrity, data integrity,
data secrecy, authentication, and non-repudiation. Much research and many technologies reflect
capabilities in subsets of these five areas (cf. Caelli et al., 1991). For example, academic research on
cryptography provides theories and algorithms that help to ensure data secrecy, non-repudiation, and
other capabilities (e.g., Rivest et al., 1978). As Bruce Schneier suggested in Applied Cryptography
(1995), these tools give control over information privacy and security when “planning a political
campaign, discussing taxes, designing a new product [or] planning a marketing strategy” (p. xix).
In short, cryptography is part of an essential tool kit for implementing some of the basic functions
of information security.
Notably, however, in Schneier's (2000) follow-up book, Secrets and Lies, he also asserted that
such tools provide insufficient information protection on their own: “If you think that technology
can solve your security problems, then you don't understand the problems and you don't understand
the technology” (p. xii). Schneier and others (e.g., Horowitz, 2001; Hull, 2002; Scanlon,
2002) have suggested that the vagaries of user behavior constitute one of the major “detrimental”
influences on the usefulness of security technology (i.e., what one might term the “pesky humans”
proposition).
Aware of this idea, however, some computer scientists have recognized that understanding
variability in user behavior may actually be an important lever for improving the effectiveness
of security technology. For example, some researchers have used behavioral profiles as a
strategy for authentication and intrusion detection (e.g., Monrose and Rubin, 1997; Yeung and
Ding, 2002; Singh et al., 2001; Seleznyov et al., 2001). Such research exemplifies the use of
variability in human behavior as a starting point for improving the functions of information
security.
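To make the “behavioral profile” idea concrete, the following is an added example written for this page; it is not code from Monrose and Rubin or from any of the other works cited, and it deliberately uses a simpler scheme than theirs. It enrols a user from several samples of typing the same short string, builds a per-feature profile of key hold times (dwell) and gaps between keys (flight), and then scores a new sample as the mean absolute z-score against that profile. All timing data is constructed, and the 5 ms standard-deviation floor and the acceptance threshold of 1.5 are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed keystroke data for illustration; not measurements from any real user.
# One sample = list of (key, press_ms, release_ms) events in typing order.

STD_FLOOR_MS = 5.0      # assumption: avoid huge z-scores when enrolment variance is tiny
ACCEPT_THRESHOLD = 1.5  # assumption: mean |z| above this is treated as "not this user"


def make_sample(keys, dwells, flights, start=0):
    """Build an event list from per-key hold times and gaps between keys."""
    events, t = [], start
    for i, key in enumerate(keys):
        press = t
        release = press + dwells[i]
        events.append((key, press, release))
        if i < len(flights):
            t = release + flights[i]
    return events


def extract_features(sample):
    """Map feature names to timings (ms) for one sample.

    dwell:<k>       how long key k was held (averaged if k occurs more than once)
    flight:<a>-<b>  gap between releasing a and pressing b
    """
    collected = {}
    for i, (key, press, release) in enumerate(sample):
        collected.setdefault(f"dwell:{key}", []).append(release - press)
        if i > 0:
            prev_key, _, prev_release = sample[i - 1]
            collected.setdefault(f"flight:{prev_key}-{key}", []).append(press - prev_release)
    return {name: mean(values) for name, values in collected.items()}


def build_profile(enrolment_samples):
    """Per-feature (mean, std) over the enrolment samples; std is floored."""
    per_feature = {}
    for sample in enrolment_samples:
        for name, value in extract_features(sample).items():
            per_feature.setdefault(name, []).append(value)
    return {name: (mean(vals), max(pstdev(vals), STD_FLOOR_MS))
            for name, vals in per_feature.items()}


def score(profile, sample):
    """Mean absolute z-score of the sample's features against the profile.

    Returns None when the sample shares no features with the profile (for example
    a different string was typed), so a caller cannot mistake "no evidence" for
    "a good match".
    """
    feats = extract_features(sample)
    zs = [abs(value - profile[name][0]) / profile[name][1]
          for name, value in feats.items() if name in profile]
    return mean(zs) if zs else None


def verify(profile, sample, threshold=ACCEPT_THRESHOLD):
    """True only if the sample is comparable to the profile and close to it."""
    s = score(profile, sample)
    return s is not None and s <= threshold


KEYS = ["s", "e", "c"]
# Four enrolment samples for the genuine user (constructed, with small jitter).
ENROLMENT = [
    make_sample(KEYS, [90, 80, 100], [120, 140]),
    make_sample(KEYS, [94, 78, 104], [126, 136]),
    make_sample(KEYS, [86, 82, 96], [114, 144]),
    make_sample(KEYS, [90, 80, 100], [120, 140]),
]
GENUINE_ATTEMPT = make_sample(KEYS, [92, 79, 101], [123, 138])
IMPOSTOR_ATTEMPT = make_sample(KEYS, [150, 140, 160], [60, 70])  # same string, different rhythm
WRONG_STRING = make_sample(["x", "y"], [90, 80], [120])          # no overlapping features

PROFILE = build_profile(ENROLMENT)

if __name__ == "__main__":
    for label, attempt in [("genuine", GENUINE_ATTEMPT),
                           ("impostor", IMPOSTOR_ATTEMPT),
                           ("wrong string", WRONG_STRING)]:
        print(f"{label:13s} score={score(PROFILE, attempt)} accept={verify(PROFILE, attempt)}")
```

The two design points worth noticing are the standard-deviation floor, without which a feature that happened to be identical across all enrolment samples would make any deviation look enormous, and the explicit `None` for a sample with no comparable features, which keeps an unrelated input from being accepted simply because nothing contradicted the profile.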
Thus, in overview, engineering-focused information security research has provided theories,
algorithms, and methods to support essential functions of security. Standards developers ensure
interoperability among these methods, and a marketplace of information security products uses
the academic research and the standards to provide technological approaches for supporting
security. Although awareness of the user as a source of variance in system activity and performance
appears in some research, this awareness has primarily been applied to information security
problems related to authentication, rather than to larger issues of human-computer interaction. In the
next subsection we examine how human factors research has helped to improve information
security by focusing on what happens at the human-computer interface.
Human Factors Engineering
The field of human factors engineering “is concerned with the role of humans in complex systems,
the design of equipment and facilities for human use, and the development of environments
for comfort and safety” (Salvendy, 1987, p. xvii). As such, the field has an important role in
promoting information security by integrating an awareness of the capabilities of the human
organism with knowledge of information systems to improve interfaces and the overall performance
of the “human-machine” system. Such improvements might focus on increasing the effectiveness of
authentication interfaces, system maintenance interfaces, and any other task where a user must
work directly with a device to promote security. Human factors researchers also specialize in
understanding visualization tasks, human error in task performance, and the determinants of accidents
and failures in human-machine systems.