Document Type
Technical Report
Publication Date
3-1-2015
Technical Report Number
TR2015-768
Abstract
In real-world domains, from healthcare to power to finance, we deploy computer systems intended to streamline and improve the activities of human agents in the corresponding non-cyber worlds. However, talking to actual users (instead of just computer security experts) reveals endemic circumvention of the computer-embedded rules. Good-intentioned users, trying to get their jobs done, systematically work around security and other controls embedded in their IT systems. This paper reports on our work compiling a large corpus of such incidents and developing a model based on semiotic triads to examine security circumvention. This model suggests that mismorphisms---mappings that fail to preserve structure---lie at the heart of circumvention scenarios; differential perceptions and needs explain users' actions. We support this claim with empirical data from the corpus.
Dartmouth Digital Commons Citation
Smith, Sean W.; Koppel, R; Blythe, J; and Kothari, V, "Mismorphism: a Semiotic Model of Computer Security Circumvention (Extended Version)" (2015). Computer Science Technical Report TR2015-768. https://digitalcommons.dartmouth.edu/cs_tr/368