SimPass : quantifying the impact of password behaviours and policy directives on an organisation’s systems
Renaud, Karen and Mackenzie, Lewis (2013) SimPass : quantifying the impact of password behaviours and policy directives on an organisation’s systems. Journal of Artificial Societies and Social Simulation, 16 (2). 3. ISSN 1460-7425 (https://doi.org/10.18564/jasss.2181)
File: Renaud_Mackenzie_JASSS2013_SimPass_quantifying_impact_password_behaviours_policy_directives_organisations_systems.pdf (Final Published Version, 696kB)
Abstract
Users are often considered the weakest link in the security chain because of their natural propensity for choosing convenience over safe practice. One area with a vast amount of evidence related to poor user behaviour is that of password management. For example, when hackers gain unauthorised access to public websites, subsequent analysis generally confirms that compromised passwords are to blame. We have a pretty good idea of the extent to which careless behaviour impacts on the individual user's personal security. However, we don't fully understand the impact on the organisation as a whole when such laxity is aggregated across a large number of employees, nor do we know how best to intervene so as to improve the level of protection of critical systems. Current wisdom mandates the use of increasingly draconian policies to curb insecure behaviours, but it is clear that this approach has limited effectiveness. Unfortunately, no one really understands how the individual directives contained in these policies impact on the security of the systems in an organisation. Sometimes a mandated tightening of policy can have unexpected side-effects which are not easily anticipated and may indeed prove entirely counterproductive. It would be very difficult to investigate these issues in a real-life environment, so here we describe a simulation model, which seeks to replicate a typical organisation, with employee agents using a number of systems over an extended period. The model is configurable, allowing adjustment of particular input parameters in order to reflect different policy diktats so as to determine their impact on the security of the simulated organisation's IT infrastructure. This tool will support security specialists developing policies within their organisations by quantifying the longitudinal impacts of particular rules.
ORCID iDs
Renaud, Karen (ORCID: https://orcid.org/0000-0002-7187-6531) and Mackenzie, Lewis
Item type: Article
ID code: 82857
Date: 30 July 2013 (Published)
Subjects: Science > Mathematics > Electronic computers. Computer science
Department: Faculty of Science > Computer and Information Sciences
Depositing user: Pure Administrator
Date deposited: 20 Oct 2022 14:44
Last modified: 04 Dec 2024 01:26
URI: https://strathprints.strath.ac.uk/id/eprint/82857