Measuring the Security Impacts of Password Policies Using Cognitive Behavioral Agent-Based Modeling
Vijay Kothari, Department of Computer Science, Dartmouth College
Jim Blythe, Information Sciences Institute, University of Southern California
Sean W. Smith, Department of Computer Science, Dartmouth College
Ross Koppel, Department of Sociology, University of Pennsylvania

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. HotSoS 2015 Urbana, Illinois USA. Copyright 20XX ACM X-XXXXX-XX-X/XX/XX ...$15.00.

ABSTRACT

Agent-based modeling can serve as a valuable asset to security personnel who wish to better understand the security landscape within their organization, especially as it relates to user behavior and circumvention. In this paper, we argue in favor of cognitive behavioral agent-based modeling for usable security and report on our work on developing an agent-based model for a password management scenario. We perform a number of trials and a sensitivity analysis that provide valuable insights into improving security (e.g., an organization that wishes to suppress one form of circumvention may want to endorse another form of circumvention).

1. INTRODUCTION

Agent-based models incorporating user behavior, emotion, and cognition can serve as valuable tools that assist computer security personnel in designing, implementing, and maintaining security systems, devising security policies, and employing security practices that are congruent with security and other organizational objectives.

Indeed, as the current state of security practice indicates, we need these sorts of tools. Our interviews, surveys, and observations reflect many examples where security fails to accommodate users. Such mismatches between user needs and security policies and mechanisms often induce circumvention, thereby undermining overall objectives. Even if one could design adequate security policies and mechanisms a priori, the dynamic nature of software systems, user needs, and organizational and environmental changes would necessitate frequent readjustments. Consequently, we need tools that allow us to better understand computer security's costs, common perceptions and misperceptions, side effects, and interactions.

DASH [1, 2], an agent-based simulation framework that supports the dual-process model of cognition, reactive planning, modeling of human deficiencies (e.g., fatigue, frustration), and multi-agent interactions, enables us to create such tools. In DASH, users are represented as agents with weighted goals, plans to achieve those goals, attributes, knowledge, and abilities. These agents use mental models and have perceptions of the world that often depart from reality. In accordance with their mental models, they take actions, observe and interpret events, and communicate. They dynamically compute and recompute goals and the plans they use to achieve them. DASH models may better enable security personnel to (a) identify weaknesses in security policies and mechanisms, e.g., workflow impediments that prompt user circumvention, (b) estimate the likelihood of user engagement in workarounds, (c) gauge the number of inescapable security infractions from policy-workflow mismatches, (d) estimate the values of security and organizational objective functions, (e) test the accuracy of proxy security measures, and (f) measure the impacts that shifts in the environment have on security. A cognitive and behavioral-centric approach to modeling can provide insights into the effectiveness of informing users of practical needs for security, implementing a feedback loop, imposing more stringent policies or harsher penalties for circumvention, and more.

Agent-based modeling is particularly enlightening in scenarios where security in practice radically differs from security in the abstract, where it's extraordinarily challenging to anticipate how emotions, cognitive biases, and other human deficiencies may affect user behavior. Indeed, in order to get security right it is critical that we understand how users interact with our systems. And we must adapt our systems to our users (and not expect our users to adapt to our systems!) so as to induce "good" behavior [3, 4]. In previous work [5] we discussed the potential for agent-based models to be applied to prediction of human circumvention of security, relayed an anecdote regarding timeouts in a medical setting, explained our preliminary work, and discussed our future directions for building such models. In this paper, we follow up on this work by detailing our progress on modeling the password management scenario.

The password management scenario involves establishing password policies for an enterprise. In theory, having a policy that requires users to use strong passwords, to never write them down, and to never reuse them across sites would improve security. In practice, users commonly circumvent password policies due to perceived cognitive limitations, fatigue, frustration, and work culture. Password choices and password management practices for one service may affect the choices and practices for another, making the services interdependent. By applying agent-based models, security personnel can better understand this complex environment, estimate measures of aggregate security that incorporate circumventions, risks, and costs, and ultimately make better decisions.

This paper is structured as follows. In Section 2, we introduce the DASH modeling framework. In Section 3 we investigate the password modeling scenario, detail our DASH modeling work, perform a sensitivity analysis, and discuss results and takeaways. In Section 4 we discuss future work including the autologout scenario. In Section 5 we conclude.

2. THE DASH AGENT MODELING PLATFORM

The DASH agent modeling platform provides a framework and a set of capabilities for modeling human behavior [1], designed to capture observations from human-centered security experiments, e.g., [6]. In order to model human task-oriented behavior, which is both goal-directed and responsive to changes in the environment, DASH includes a reactive planning framework that re-assesses goal weights and plans after receiving input after an action [7]. In order to model deliberative behavior, DASH includes an implementation of mental models following the approach of Johnson-Laird and others [8] and a simple framework for evaluating costs and benefits of alternative worlds. This approach adopts the view that users follow essentially rational behavior when making decisions about on-line actions including security, but typically have an incomplete or incorrect model of the security landscape.

In order to model bounded attention that affects human decision-making, particularly under stress or cognitive load, DASH adapts psychology's dual-process framework [9] in which two modules provide alternative suggestions for the agent's

3. THE PASSWORD MANAGEMENT SCENARIO: SECURITY DEPENDENCIES INTRODUCED BY WORKAROUNDS

3.1 Preliminaries

In terms of usability and security, many consider passwords a failure. Users are notorious for choosing weak passwords. In an effort to mitigate the security risks linked to weak passwords, many services now require users to choose passwords that satisfy complex password composition rules. Unfortunately, this brings with it a slew of other security challenges [3, 12, 13, 4]. Users who are unable to cope with the increased cognitive demands of having to remember dozens of passwords resort to circumventing password policies and employing poor password management strategies; they write passwords down on Post-it notes, reuse passwords across multiple services with little or no variation, and leave passwords in plaintext files on their computers. However, perceived cognitive limitations are not the only impetus for user circumvention of password policies. In some domains, users need to share information with others who have different access rights than themselves, but the "proper" channel for information sharing is slow and inefficient. So, they share passwords instead [3].

Services are culpable too. Some services effectively discourage strong passwords by setting low ceilings on password length, disallowing special characters, using easily guessable security questions, and assigning default passwords that are often left unchanged. Others impose excessive password complexity requirements and require frequent password resets, which further incentivizes users to circumvent. In recent years, many services have also been the target of massive password breaches; in some cases, they have even exposed passwords to malicious actors in cleartext. Moreover, due to password reuse, risks associated with poor password practices are not confined to those services that are lax about password security. That is, the security of even those services that make good efforts to secure user passwords can easily be compromised by vulnerabilities on other sites [14].

While tremendous effort has been spent on trying to replace passwords, it has been met with questionable success. Bonneau et al. [15] compared passwords to other authentica-