DOI: 10.1145/3046055.3046056
research-article
Open access

Case study: predicting the impact of a physical access control intervention

Published: 05 December 2016

Abstract

We investigate a planned physical security intervention at a partner organisation site, to determine the potential individual cost of security upon employees when replacing a secure door with a turnstile. Systems modelling techniques are applied to model the lobby area of the site, and to guide data collection to situate the model. Managers at the site were consulted during preference elicitation to identify meaningful model parameters. Direct observation of regular employee behaviours from pre-recorded CCTV footage provided localised data: 1800 sequences of behaviour events were logged over one working day for approximately 600 employees and visitors. This included responses to security events, such as returning to the card reader or moving to a different turnstile. Model results showed that if one turnstile was implemented at the observed site, an average of 0.5 seconds would be added to individual entry times for employees, amounting to over sixty hours for the site as a whole over a year. Three turnstiles approach the time cost of a secure door.

Published In

STAST '16: Proceedings of the 6th Workshop on Socio-Technical Aspects in Security and Trust
December 2016
101 pages
ISBN:9781450348263
DOI:10.1145/3046055
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. physical security
  2. security interventions
  3. security modelling

Conference

STAST '16
STAST '16: Socio-Technical Aspects in Security and Trust
December 5, 2016
California, Los Angeles
