University of Wisconsin–Madison

Human Factors in Computer & Information Security

  • “A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business. The company is still totally vulnerable… the human factor is truly security’s weakest link” (Mitnick & Simon, 2002).

    “Computer security is difficult (maybe even impossible), but imagine for a moment that we’ve achieved it… Unfortunately, this still isn’t enough. For this miraculous computer system to do anything useful, it is going to have to interact with users in some way, at some time, for some reason. And this interaction is the biggest security risk of them all. People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems” (Schneier, 2000).

    Overview: Computer and information security (CIS) is usually approached from a technology-centric viewpoint. Remedies for CIS vulnerabilities and breaches tend to focus on technical mechanisms, e.g., stronger firewalls and the implementation of encryption. These technical CIS remedies are often designed and implemented with little consideration for the needs and characteristics of the end users, network administrators, and CIS managers. This lack of consideration for human factors may create situations in which people have to circumvent CIS mechanisms and procedures in order to perform their job (i.e., violate CIS rules, policies, and procedures).

    This project examined CIS violations committed by two groups of people: network administrators and end users. We used a mixed-methods research approach that combined qualitative (interviews and focus groups) and quantitative (surveys) methods in order to understand CIS violations, their consequences, and the factors contributing to them, and to develop solutions for dealing with CIS violations.

    Funding: National Science Foundation

    Research model

    Full proposal (PDF)

  • Pascale Carayon, PhD
    Procter & Gamble Bascom Professor in Total Quality
    Department of Industrial and Systems Engineering
    Director, Center for Quality and Productivity Improvement
    University of Wisconsin-Madison

    Raj Veeramani
    Professor, Industrial and Systems Engineering, Mechanical Engineering, Civil & Environmental Engineering and Operations & Information Management
    Director, Wisconsin E-Business Consortium
    University of Wisconsin-Madison

    Peter Hoonakker, PhD
    Research Scientist, Associate Director of Research
    Center for Quality and Productivity Improvement
    University of Wisconsin-Madison

    Sami Saydjari
    Founder and President of Cyber Defense Agency

    Nis Bornoe
    Center for Quality and Productivity Improvement
    University of Wisconsin-Madison

  • Hoonakker, P., Bornoe, N.A., & Carayon, P. (2009). Password Authentication from a Human Factors Perspective: Results of a survey among end-users. Paper presented at the Human Factors and Ergonomics Society (HFES) 53rd Annual Meeting, San Antonio, TX.

    Hoonakker, P., Carayon, P., & Bornoe, N.A. (2009). Spamming, phishing and spoofing. Paper presented at the IEA Conference, Beijing, China.

    Kraemer, S. & Carayon, P. (2009). Human and organizational factors in computer and information security: Pathways to vulnerabilities. Computers & Security, 28 (7), 509-520.

    Hoonakker, P. & Carayon, P. (2008). Computer and information security from a human factors perspective. Paper presented at the 2008 ODAM Conference, Guaruja, Brazil.

    Kraemer, S. & Carayon, P. (2007). Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied Ergonomics, 38 (2), 143-154. PMID: 16782040

    Kraemer, S., Carayon, P. & Clem, J. (2006). Characterizing violations in computer and information security systems. Paper presented at the IEA 2006 Conference, Maastricht, The Netherlands.

    Kraemer, S., Carayon, P., & Clem, J. (2006). Performance of red teams in computer and information security. Applied Ergonomics.

    Kraemer, S. & Carayon, P. (2003). A human factors vulnerability evaluation method for computer and information security. Proceedings of the Human Factors and Ergonomics Society (HFES) 47th Annual Meeting, Denver, CO.

    Carayon, P. & Kraemer, S. (2003). Using accident analysis methods in computer security: The development of the human factors vulnerability analysis (HFVA). Proceedings of the XVth Triennial Congress of the International Ergonomics Association and the 7th Joint Conference of Ergonomics Society of Korea/Japan Ergonomics Society, Seoul, Korea.

    Kraemer, S., Carayon, P., & Duggan, R. (2003). A model of red team performance. In Luczak & Zink (Eds.) Proceedings of the Seventh International Symposium on Human Factors Organizational Design and Management, IEA Press: Aachen, Germany.

    Carayon, P., & Kraemer, S. (2003). Human factors in e-security: The business viewpoint. Center for Quality and Productivity Improvement (CQPI), Madison, WI.

    Kraemer, S. (2002). A human factors evaluation method for computer and information security technical vulnerabilities and security breaches. MS Thesis, Department of Industrial and Systems Engineering, University of Wisconsin-Madison.

    Carayon, P. & Kraemer, S. (2002). Macroergonomics in WWDU: What about computer and information security? In H. Luczak, A.E. Cakir, & G. Cakir (Eds.), Proceedings of the 6th International Scientific Conference on Work With Display Units (WWDU) – World Wide Work (pp. 87-89). Berlin, Germany: Ergonomic Institut für Arbeits- und Sozialforschung Forschungsgesellschaft mbH.

  • A web survey was conducted to gather information on the CIS violations of network administrators and end users. The survey was developed based on the literature and on interviews with network administrators and end users.

    For the results of the pilot study, which used an adapted version of the questionnaire, click here.

    For an explanation of the topics covered in the questionnaire, click here.

    For more information, please contact Peter Hoonakker.