Well-intentioned human users continually circumvent security controls. The pandemic/ubiquitous fact of this circumvention undermines the effectiveness of security designs that implicitly assume circumvention never happens. We seek to develop metrics to enable security engineers and other stakeholders to make meaningful, quantifiable comparisons, decisions, and evaluations of proposed security controls in light of what really happens when these controls are deployed.

This project builds on foundations of human-computer-interface in security and the preliminary research the investigators have been working on already: Blythe, Koppel, and Smith, studying workers’ reasons for and methods of circumvention along with Xie, studying techniques for assisting mobile-app users (who can be enterprise workers) to conduct security controls on apps to be installed on their mobile devices. Research conducted in large enterprise systems increasingly finds that such apps are a major source of malware invasions into those larger systems. Similarly, with the expanded use of BYOD (bring your own device), such dangers are pandemic without security controls and without users’ ability to understand and follow those controls. Security-control circumvention by enterprise workers as mobile app users is reflected by their acceptance to install apps without sufficiently assessing their risk.