How to mimic human laxness with computers
Aug 6th 2011 | from the print edition
TO ERR is human, but to foul things up completely takes a computer, or so the old saw goes. Although this may seem a little unfair to computers, a group of cybersecurity experts led by Jim Blythe of the University of Southern California are counting on there being at least some truth in the saying. They have created a system for testing computer-security networks by making computers themselves simulate the sorts of human error that leave networks vulnerable.
Mistakes by users are estimated to be responsible for as many as 60% of breaches of computer security. Repeated warnings about being vigilant, for example, often go unheeded as people fail to recognise the dangers of seemingly innocuous actions such as downloading files. On top of that, some “mistakes” are actually the result of deliberation. Users—both regular staff and members of the information-technology (IT) department, who should know better—often disable security features on their computers, because those features slow things down or make the computer more complicated to use.
Yet according to Dr Blythe, such human factors are often overlooked when security systems are tested. This is partly because it would be impractical to manipulate the behaviour of users in ways that would give meaningful results. He and his colleagues have therefore created a way of testing security systems with computer programs called cognitive agents. These agents’ motives and behaviours can be fine-tuned to mess things up with the same aplomb as a real employee. The difference is that what happened can be analysed precisely afterwards.