“Human in the loop” refers to the people involved in a system who take part in its security operations. Humans are found to fail more often in security processes than machines do. Either the system must be automated, or the humans must be supported and guided in their decisions so that errors are reduced. A framework is designed to analyse the root cause of a failure and to identify the human errors behind it. The framework is useful during the design phase as well as for identifying problems in systems that are already deployed. Humans are often regarded as the weakest link in securing systems against threats. Human error accounts for roughly 60 percent of all breaches, which makes automation the more reliable option. Because systems rely on humans to handle the physical components, humans cannot be replaced entirely. Humans may be needed for specific knowledge or involvement, but apart from that the system should be automated to make it more robust and safe. Where intervention is needed, the system must include guidance that minimises the chance of error. An untrained user can sometimes be destructive.
A framework is designed to understand the behaviour of non-malicious humans; it is based on a simple communication-processing model. A “communication” is delivered to a receiver, and that communication invokes a behaviour. The behaviour involves information processing, which depends on the receiver's personal characteristics and on communication impediments. Communication means alerting the person about a potential threat. It can be achieved with “active and passive indicators”, such as pop-ups carrying warning messages and notices, or with “status indicators” in the form of an icon or widget. The human can also be “self-alerted” if the user has been trained to handle the system. Users must work in compliance with the policies of the organisation and the system in order to minimise the impact of an attack, if not the attack itself. Communication is an important element, and it can be compromised by “environmental stimuli” and by interference. Environmental stimuli are the distractions that can draw the user's attention away, such as lights, noise or the user's primary task. Interference covers the anomalies that may alter the message or even block it from appearing.
To address this, traditional secure-system analysis is used to test rigorously that the communication works. The “human receiver” needs to process the communication in order to act, so the communication must draw the user's attention to the system and hold it long enough for the user to understand it. Over time, users become habituated to indicators and often ignore them. To process the communication, the user needs to be familiar with the indicators and must know which steps to take. Indicators must be displayed at a level of technicality the user understands, so that the user can recall and apply the required measures. Knowledge and experience play an important role in a user's capability; for amateurs, the alerts must be descriptive so that mistakes are avoided. Attitudes and beliefs matter a great deal, since users may simply ignore warnings. To make users comply, indicators should be differentiated by colour and by the medium through which they are displayed. To overcome poor attitudes, an organisation can use “rewards and punishments” to motivate its users. Equally important is confirmation, which gives the user feedback on the action taken; this can be achieved through good design and visualisation. Sometimes humans cause more failures than machines. Machines have no emotions, no greed, no fatigue, no discrimination, and no limits, even in terms of time.
Recent attacks include distracting humans or misleading them with false information in order to draw users in. A non-malicious user can also be the cause of an attack. The framework suggests three strategies for improving security systems: “Human elimination, Guidance and Aiding, and Training”. Humans are easily distracted and are more prone to misunderstand or forget messages or steps. Attitude and alertness are further factors that raise the chances of a breach. Overall, there is a greater chance of error with humans. Where elimination is not possible in some part of the system, humans can be guided to perform a given operation. Design can be improved to make the communication clearer, and the important elements can be made more distinguishable through colour, placement of indicators, and so on. For example, a pop-up can be shown when the severity is high and immediate action is required. Humans have a contextual understanding: if users are trained and have knowledge of the security system, they can understand a situation better than a machine can. Knowledge and prior experience, which come from training, improve human accuracy.
Reference: Cranor, L. F. (2008). A framework for reasoning about the human in the loop.
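As an added illustration (not code from the essay or from Cranor's paper), the following Python models the communication-processing loop described above: the indicator modality is chosen by severity and by whether the environment is distracting, the wording is matched to the receiver's expertise, repeated identical warnings are flagged as habituated so they can be restyled, high-severity pop-ups demand confirmation, and every outcome is classified so that failed communications can be traced back to a cause. The severity levels, indicator kinds, habituation threshold and the action vocabulary are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Indicator(Enum):
    STATUS_ICON = "passive status icon"
    NOTICE = "passive notice"
    POPUP = "active pop-up"


# Assumed threshold: a warning shown more often than this is treated as
# habituated and is restyled (different colour or medium) when shown again.
HABITUATION_THRESHOLD = 3


@dataclass(frozen=True)
class Alert:
    key: str             # stable id for "the same" warning, e.g. "untrusted_cert"
    severity: Severity
    plain_text: str      # wording for non-expert users
    technical_text: str  # wording for expert users


@dataclass
class Presentation:
    indicator: Indicator
    message: str
    restyled: bool               # colour/medium changed to counter habituation
    requires_confirmation: bool  # explicit acknowledgement is demanded


@dataclass
class CommunicationLog:
    """Record needed for root-cause analysis of failed communications."""
    shown: Counter = field(default_factory=Counter)
    outcomes: list = field(default_factory=list)


def choose_indicator(severity: Severity, distracted: bool) -> Indicator:
    """Active indicator for high severity, passive ones otherwise.

    A distracting environment (noise, an engrossing primary task) escalates a
    medium-severity notice to a pop-up so it is not lost to interference."""
    if severity is Severity.HIGH:
        return Indicator.POPUP
    if severity is Severity.MEDIUM:
        return Indicator.POPUP if distracted else Indicator.NOTICE
    return Indicator.STATUS_ICON


def present(alert: Alert, expert: bool, distracted: bool,
            log: CommunicationLog) -> Presentation:
    """Communication step: choose indicator, wording and styling for this receiver."""
    log.shown[alert.key] += 1
    indicator = choose_indicator(alert.severity, distracted)
    restyled = log.shown[alert.key] > HABITUATION_THRESHOLD
    message = alert.technical_text if expert else alert.plain_text
    return Presentation(indicator=indicator, message=message, restyled=restyled,
                        requires_confirmation=(indicator is Indicator.POPUP))


def record_outcome(alert: Alert, shown: Presentation, action: str,
                   log: CommunicationLog) -> str:
    """Behaviour step: classify what the receiver did so failures can be traced.

    action is one of 'acted', 'dismissed' or 'ignored' (constructed vocabulary)."""
    if action == "acted":
        result = "success"
    elif shown.requires_confirmation and action == "dismissed":
        result = "failure:dismissed_without_action"   # attitude/belief problem
    elif shown.indicator is not Indicator.POPUP and action == "ignored":
        result = "failure:passive_indicator_missed"   # attention/interference problem
    else:
        result = f"failure:{action}"
    log.outcomes.append((alert.key, shown.indicator.name, shown.restyled, result))
    return result


def failure_summary(log: CommunicationLog) -> dict:
    """Aggregate failures by cause: the input to a root-cause review."""
    summary: Counter = Counter()
    for _key, _indicator, _restyled, result in log.outcomes:
        if result.startswith("failure:"):
            summary[result] += 1
    return dict(summary)


if __name__ == "__main__":
    # Constructed scenario: a non-expert dismisses the same certificate
    # warning four times, so the fourth presentation is flagged as habituated.
    log = CommunicationLog()
    cert = Alert("untrusted_cert", Severity.HIGH,
                 "This site's identity could not be verified. Do not enter passwords.",
                 "X.509 chain validation failed: unknown issuer.")
    for _ in range(4):
        shown = present(cert, expert=False, distracted=False, log=log)
        record_outcome(cert, shown, "dismissed", log)
    print(shown)
    print(failure_summary(log))
```

The log records which indicator was used and whether it had already been restyled when the communication failed, which is the information a designer needs to decide whether the fix belongs in the communication (clearer, more distinguishable indicators), in guidance (confirmation and feedback), or in training.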