Enhancing Cybersecurity by Generating User-Specific Security Policy through the Formal Modeling of User Behavior
Abstract
Despite the ongoing efforts to develop cutting-edge security solutions, the question always remains whether these technologies can overcome system vulnerabilities that often result from poor security practices by end-users. Recently, some research has been devoted to studying the human role in cybersecurity, especially its psychological aspect. Researchers found that users' responses to security-related situations correlate with various elusive factors such as demographics, personality traits, decision-making styles, and risk-taking preferences. That explains why some users neglect to act according to common security tips and advice. The goal of this research is to help cybersecurity maintain a high level of quality and reliability; we reinforce the generated policy to overcome weaknesses created by the human link in the security chain. To achieve this goal, we developed a formal-method-based approach to model and examine end-users' security-related behaviors, described by a Finite-State Automaton (FSA). The methodology initially assesses the cybersecurity behaviors that users exhibit while using electronic devices such as laptops and smartphones, or while accessing Internet accounts in daily life, spanning four aspects: device securement, password generation, proactive awareness, and updating. Once we identified these behaviors, we created a knowledge repository to represent each behavior as an FSA. This enabled the formulation of linear-time security properties based on Timed Computation Tree Logic (TCTL) to check the reachability of good and poor behaviors. To perform the reachability analysis, we used a model checking tool to identify poor security behaviors. This supports our objective of distinguishing which user lacks security knowledge and awareness, and regarding which aspect, and of generating effective countermeasures. Hence, we were able to determine what type of policies an organization or other entity should impose on specific users based on their security decisions. Our approach assumes a Zero Trust philosophy but may help in other security systems to mitigate the risks of being exposed due to ignorant cyber users or targeted by cyber offenders.
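The pipeline sketched above, as an added illustration rather than the paper's own model or tool: a small user-behavior automaton covering three of the four aspects (device securement, password generation, updating), a reachability check over the transitions a given user has been observed to take, and a mapping from reachable poor states to aspect-specific policies. The state names, actions, policies and the "filter the automaton by observed actions" construction are all assumptions made for this example.

```python
from collections import deque

# Constructed automaton (an assumption for this illustration, not the paper's repository):
# transitions are (state, user_action) -> next_state; POOR maps flagged states to an aspect.
TRANSITIONS = {
    ("start", "create_account"): "choosing_password",
    ("choosing_password", "pick_dictionary_word"): "weak_password",
    ("choosing_password", "pick_random_16char"): "strong_password",
    ("weak_password", "reuse_on_other_site"): "reused_password",
    ("weak_password", "log_in_on_device"): "device_unlocked",
    ("reused_password", "log_in_on_device"): "device_unlocked",
    ("strong_password", "store_in_manager"): "managed_password",
    ("strong_password", "log_in_on_device"): "device_unlocked",
    ("managed_password", "log_in_on_device"): "device_unlocked",
    ("device_unlocked", "set_screen_lock"): "device_locked",
    ("device_unlocked", "leave_unattended"): "exposed_device",
    ("device_locked", "dismiss_update_prompt"): "unpatched_device",
    ("device_locked", "install_update"): "patched_device",
}
POOR = {"weak_password": "password generation", "reused_password": "password generation",
        "exposed_device": "device securement", "unpatched_device": "updating"}
POLICY = {"password generation": "enforce complexity and uniqueness checks at enrolment",
          "device securement": "force auto-lock and require re-authentication after idle time",
          "updating": "block access from devices missing security updates"}

def user_model(observed_actions):
    """User-specific FSA: keep only transitions whose action this user has been observed to take."""
    return {k: v for k, v in TRANSITIONS.items() if k[1] in observed_actions}

def reachable_states(fsa, start="start"):
    """Breadth-first reachability: the 'can state X ever be reached' question a model checker answers."""
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for (src, _action), dst in fsa.items():
            if src == s and dst not in seen:
                seen.add(dst); queue.append(dst)
    return seen

def policy_for(observed_actions):
    """Poor states reachable under this user's behaviour, mapped to policies for the weak aspects."""
    reached = reachable_states(user_model(observed_actions))
    weak_aspects = sorted({POOR[s] for s in reached if s in POOR})
    return {a: POLICY[a] for a in weak_aspects}

if __name__ == "__main__":
    careless = {"create_account", "pick_dictionary_word", "reuse_on_other_site", "log_in_on_device", "leave_unattended"}
    print(policy_for(careless))
```

A user whose observed actions reach no poor state gets an empty policy set, which is the "good behavior reachable, poor behavior not" outcome the properties are meant to confirm.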