Evidential Reasoning Approach to Behavioural Analysis of ICT Users' Security Awareness

The role of the ICT system's user should be taken into consideration when developing information security solutions, because the user, as a constitutive element of the system, can significantly affect overall system security through potentially risky behaviour that depends on his or her level of security awareness. In this paper the authors propose a risk assessment approach for ICT users' behaviour based on the evidential reasoning technique. Performance testing was carried out by comparing the approach with a combination of cluster analysis and discriminant analysis, while the empirical analysis was conducted on a total of 627 e-mail users grouped by gender, age, technical background knowledge and level of experience. The assessment methodology used in this paper has proven to be well suited for evaluating users' awareness and identifying their potentially risky behaviour. The results of the empirical analysis show that all groups of users obtained an overall utility grade higher than the simulated "minimally enough aware" user, but lower than the "average awareness" grade. As users of all groups are highly critical towards their collocutors, this may mean that users are quite aware of the importance of information security basics, but lack knowledge about many specific security issues. Another possible reason may be users' negligence toward security guidelines and protocols.


INTRODUCTION
The role of users' behaviour should be taken into consideration when developing information security solutions [1, 2], because the users of an ICT system can significantly affect the system's security [3-5] depending on their level of security awareness. The paper proposes a novel approach for assessing users' behaviour, as caused by their level of security awareness, based on the evidential reasoning technique.
The Enhanced Evidential Reasoning Algorithm (EERA) is based on the Dempster-Shafer theory and allows calculations with uncertainty, subjective judgment and partial information [6]. The algorithm has proven useful in many practical analyses of technical systems, in both static and dynamic states, and for comparison between systems or against reference values [6-12]. In this work the user is considered a constitutive part of the ICT system, which implies that an algorithm for system state evaluation should be appropriate. The e-mail service was chosen for the security awareness analysis because it is widely accepted and frequently used by all kinds of ICT users. It is also one of the communication channels most abused by malicious attacks such as spam, viruses, phishing and direct social engineering attacks [13, 14].
Data about users' behaviour were collected by a specifically designed questionnaire [15]. Grades from poor to excellent were used to distinguish the answers. Moreover, a normalized grade interval was defined by simulating the information security behaviour of a minimally aware or "naïve" user, a minimally enough secure user and a maximally aware or "paranoid" user.
There were 627 users included in the survey; using the metadata from the first part of the questionnaire they were grouped by gender, age, technical background knowledge and number of e-mail addresses used. Statistical cluster analysis in combination with discriminant analysis was used to test the proposed risk assessment approach; 306 cases in total were used for this testing. The main goal of this paper is to present the usage of the evidential reasoning approach to the behavioural analysis of ICT users' security awareness.
The analysis was conducted on the groups of ICT users obtained from the cluster analysis in order to present the analytic possibilities of this approach: overall group evaluation, comparison between groups, evaluation of a single user and comparison with reference values obtained by simulation and/or expert evaluation.

DESCRIPTION OF THE QUESTIONNAIRE
The questionnaire was developed for collecting data about security awareness. It consists of two main groups of questions: five demographic questions and 17 questions about the e-mail user's behaviour, covering five segments of security awareness: habits of system usage, way of accessing the system, password quality, habits of e-mail address usage and attitude towards the collocutor. Short explanations of the behavioural questions, with the associated answers and their EERA grades (poor, indifferent, average, good and excellent), are presented in Tab. 1.
The items covered by each question were organized in a hierarchical tree structure, as required by EERA.

Enhanced Evidential Reasoning Algorithm
EERA was chosen as the assessment method for evaluating e-mail users' behaviour, as caused by their security awareness and described by the grades of the answers given in the questionnaire. The algorithm is well suited to multiple-criteria decision analysis problems that take both quantitative and qualitative measurements into consideration and are assessed using subjective judgments with uncertainties.
This approach was introduced in the 1990s [16, 17] and is based on the Dempster-Shafer theory [18, 19], decision-making theory [20] and the evaluation analysis model [21]. The algorithm chosen for risk modelling includes a hierarchical model of human and organizational error taxonomy similar to the Grabowski model [22]. It allows multiple questionnaire answers, so a user who did not answer one or more questions can still be graded: the missing data are treated as uncertainty. The impact of a user's non-uniformly risky behaviour can be expressed by weighting the attributes of different system parts in the total calculation. Some examples of this algorithm applied to technical systems are: oil reserve forecasting [7], motorcycle evaluation [6], the car industry [8], an expert system [9], knowledge reduction [10], risk analysis [11] and electric power grid state [12]. To perform the assessment with EERA, a hierarchy of attributes with at least two levels is needed, as higher-level attributes are assessed through the associated lower-level attributes. Uncertain judgments are allowed in case a certain attribute is indeterminate. The following examples show cases where users give more than one answer or do not answer at all. The evaluation grades for a particular answer, or combination of answers, that represent basic (lower-level) attributes are assigned as follows [15]:
• If the user chooses two of the proposed answers, the assessment contains 50 % of the grade for one answer and 50 % of the grade for the other.
• If the user gives only one answer, it is 100 % of the related grade.
• If the user's answer was something like "I do not know", the assessment combines two different grades incompletely, for example 50 % of one grade and 30 % of the other.
• If the user gave no answer, the value is 0 % for all grades.
The percentages in the above examples are referred to as degrees of belief and may be written in decimal format as 0.3, 0.5 and 1.
A degree of belief equal to 100 % for one particular answer represents an "absolutely sure" belief. The third assessment is incomplete, as its total degree of belief is 0.8, while the first and second assessments are complete. The missing value of 0.2 in the third assessment represents the degree of ignorance or uncertainty. The fourth assessment is a special case and represents total ignorance, i.e. 100 % uncertainty. The proportions of grades can also be defined as degrees of belief in order to assess a whole group of users [15]. For example, for the basic group attribute "password self-assessment", the distribution gives the proportion of users who graded their password with each evaluation grade. An example of such a distribution of grades over a group of users is:
S (password self-assessment) = {(poor, 0.19), (average, 0.43), (excellent, 0.32), (uncertainty, 0.06)}. (1)
In this example 32 % of the users answered "excellent", 43 % "average" and 19 % "poor", while 6 % did not know how to self-assess their password or did not answer that question at all.
In order to calculate an overall evaluation grade, presented as the general or higher-level attribute, by aggregating the above judgments in a rational way, the evidential reasoning approach can be used, as it is a suitable method for the aggregation problem over the tree structure shown in Fig. 1 [23].
In order to use the evidential reasoning algorithm to aggregate the attributes of a multilevel structure, a certain enhancement was needed. Four synthesis axioms are used for this purpose [16]:
• If no basic attribute is assessed to an evaluation grade at all, then the general attribute should not be assessed to that grade either.
• If all basic attributes are precisely assessed to an individual grade, then the general attribute should also be precisely assessed to the same grade.
• If all basic attributes are completely assessed to a subset of grades, then the general attribute should be completely assessed to the same subset as well.
• If any basic assessment is incomplete, then the general assessment is obtained by aggregating the incomplete assessments with the degree of incompleteness properly assigned.
The utility number and utility interval give a single numerical value as the overall grade of users' awareness, thus enabling a comparison between different users or groups of users. A detailed explanation of how to grade a whole group of users can be found in [15], while a detailed explanation of EERA can be found in [6]. Calculations were performed using the open source System Assessor Software (SAS) [24]; the commercial Intelligent Decision System (IDS) tool was also available [25]. The threshold for a significant difference between utility grades is defined as 5 %, i.e. 0.05; it is needed when comparing the overall utility grades of awareness between e-mail users and between groups of users.
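As an added worked example (not code from the paper, nor from the SAS or IDS tools it used), the following Python implementation covers the answer-grading rules for single, double and missing answers, the recursive evidential reasoning combination that aggregates weighted lower-level assessments into a higher-level attribute while carrying the degree of ignorance through, the utility interval that turns such an assessment into one comparable grade, and the 5 % significance rule. The grade utilities (equally spaced from 0 for "poor" to 1 for "excellent"), the equal attribute weights and the answers in demo_two_level() are assumptions made for the illustration; distribution (1) from the text is used as given.

```python
from typing import Dict, Sequence, Tuple

# Added example: the recursive evidential reasoning (ER) combination rule behind the
# EERA, the utility interval used as the single comparable grade, and the paper's
# answer-grading rules. Not code from the paper or from the SAS/IDS tools it used.
# Assumptions: equally spaced grade utilities, equal attribute weights in the demo,
# and the constructed answer data in demo_two_level().

GRADES = ("poor", "indifferent", "average", "good", "excellent")
UTILITY = {g: i / (len(GRADES) - 1) for i, g in enumerate(GRADES)}  # 0, .25, .5, .75, 1
Assessment = Dict[str, float]  # grade -> degree of belief; the unassigned rest is ignorance


def ignorance(beta: Assessment) -> float:
    """Degree of ignorance beta_H = 1 - (belief assigned to the grades)."""
    assigned = sum(beta.get(g, 0.0) for g in GRADES)
    if assigned > 1.0 + 1e-9 or any(b < 0.0 for b in beta.values()):
        raise ValueError("belief degrees must be >= 0 and sum to at most 1")
    return max(0.0, 1.0 - assigned)


def grade_answer(chosen: Sequence[str], grade_of: Dict[str, str]) -> Assessment:
    """Questionnaire rules: one answer -> 100 % of its grade; two answers -> 50 % of each
    answer's grade; no answer -> 0 % for every grade, i.e. total ignorance."""
    beta: Assessment = {}
    for a in chosen:
        beta[grade_of[a]] = beta.get(grade_of[a], 0.0) + 1.0 / len(chosen)
    return beta


def er_aggregate(children: Sequence[Tuple[Assessment, float]]) -> Assessment:
    """Combine weighted lower-level assessments into the higher-level attribute with the
    recursive ER algorithm (Yang & Xu, 2002). Weights must sum to 1. The aggregated
    ignorance is returned under the key 'uncertainty'."""
    if abs(sum(w for _, w in children) - 1.0) > 1e-9:
        raise ValueError("attribute weights must sum to 1")
    beta0, w0 = children[0]
    m = {g: w0 * beta0.get(g, 0.0) for g in GRADES}  # m_{n,i} = w_i * beta_{n,i}
    m_bar = 1.0 - w0                                  # mass unassigned because of the weight
    m_tilde = w0 * ignorance(beta0)                   # mass unassigned because of incompleteness
    for beta, w in children[1:]:
        n = {g: w * beta.get(g, 0.0) for g in GRADES}
        n_bar, n_tilde = 1.0 - w, w * ignorance(beta)
        m_h, n_h = m_bar + m_tilde, n_bar + n_tilde
        # conflict: mass the two sides give to two different grades
        conflict = sum(m[a] * n[b] for a in GRADES for b in GRADES if a != b)
        k = 1.0 / (1.0 - conflict)
        m = {g: k * (m[g] * n[g] + m[g] * n_h + m_h * n[g]) for g in GRADES}
        m_tilde = k * (m_tilde * n_tilde + m_tilde * n_bar + m_bar * n_tilde)
        m_bar = k * m_bar * n_bar
    scale = 1.0 - m_bar  # strip the residue that only the weights left unassigned
    out = {g: m[g] / scale for g in GRADES}
    out["uncertainty"] = m_tilde / scale
    return out


def utility_interval(beta: Assessment) -> Tuple[float, float, float]:
    """(u_min, u_avg, u_max): the ignorance counts as 'poor' for the lower bound and as
    'excellent' for the upper bound; u_avg is the single utility grade used for ranking."""
    assigned = sum(beta.get(g, 0.0) * UTILITY[g] for g in GRADES)
    unc = ignorance({g: beta.get(g, 0.0) for g in GRADES})
    u_min = assigned + unc * UTILITY["poor"]
    u_max = assigned + unc * UTILITY["excellent"]
    return u_min, (u_min + u_max) / 2.0, u_max


def significantly_different(u1: float, u2: float, threshold: float = 0.05) -> bool:
    """The paper's rule: two utility grades differ significantly when at least 5 % apart."""
    return abs(u1 - u2) >= threshold


# Group distribution (1) from the paper: S(password self-assessment), 6 % ignorance.
PASSWORD_SELF_ASSESSMENT: Assessment = {"poor": 0.19, "average": 0.43, "excellent": 0.32}


def demo_two_level() -> Dict[str, Assessment]:
    """Constructed two-level hierarchy (not the paper's data): two segments built from two
    questions each, then the overall grade, all with equal weights."""
    grade_of = {"never": "poor", "sometimes": "average", "always": "excellent"}
    q1 = grade_answer(["always"], grade_of)               # complete: 100 % excellent
    q2 = grade_answer(["sometimes", "always"], grade_of)  # two answers: 50 % / 50 %
    q3 = {"average": 0.5, "indifferent": 0.3}             # "I do not know": 20 % ignorance
    q4 = grade_answer([], grade_of)                       # unanswered: total ignorance
    access = er_aggregate([(q1, 0.5), (q2, 0.5)])
    habits = er_aggregate([(q3, 0.5), (q4, 0.5)])
    overall = er_aggregate([(access, 0.5), (habits, 0.5)])
    return {"access": access, "habits": habits, "overall": overall}


if __name__ == "__main__":
    for name, a in demo_two_level().items():
        print(name, {k: round(v, 3) for k, v in a.items()}, utility_interval(a))
```

The four synthesis axioms can be checked directly on er_aggregate: two children both assessed 100 % "good" aggregate to 100 % "good"; two unanswered children aggregate to 100 % uncertainty; a grade that no child assigns belief to stays at zero; and the incomplete "I do not know" answer combined with an unanswered question keeps its ignorance in the result instead of silently dropping it. For distribution (1), the utility interval is [0.535, 0.595] with u = 0.565, and the 0.855 versus 0.821 gap between the "excellent password quality" and "average awareness" groups reported later in the paper is below the 0.05 threshold.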

PERFORMANCE TESTING
In order to test the performance of the evaluation of users' behaviour with the evidential reasoning approach, standard statistical methods were applied in parallel to the same data. Altogether 306 e-mail users were included, representing the cases in the statistical analysis. Statistical cluster analysis in combination with discriminant analysis is commonly used in economics, in particular in marketing for the categorization of customers [26]. The input variables for both methods were the evaluation grades of the given answers, from poor to excellent, while the output variables are arithmetic means with standard deviations, comparable to the utility grades calculated by EERA.

Results of the Statistical Analysis
Cluster analysis is a statistical method used to identify homogeneous groups of cases or individuals in a population where the optimal number of groups, the properties of the segments and the group membership are unknown in advance; in this sense it is an exploratory technique [26]. The cluster analysis procedure was chosen in order to categorize ICT system users by their security awareness. Drawing a dendrogram, also known as a tree diagram, is a common way to visualize the progress of the cluster analysis: it displays the distance level at which objects and clusters were combined. The number of clusters can be defined by tracking the differences between the distance levels of consecutive steps of the clustering algorithm [27].
Discriminant analysis was applied to the groups, analysing the grouping variables in order to evaluate the quality of the clustering and to identify the grouping variables that significantly influence group membership. The variables used in the questionnaire described above were divided into external variables and dependent variables. The external variables (gender, age, professional qualification and number of e-mail addresses in use) were not used for categorization. The dependent variables were collected from the answers regarding the users' awareness of security issues and were used for categorization. Since each answer had a matching grade shown in Tab. 1, the dependent variables are on an ordinal scale from one to five, named poor, indifferent, average, good and excellent; this caused a problem with questions that had only two or three possible answers. Of the 17 questions, 11 were discarded from the cluster analysis for the following reasons: questions with binary data are meaningless for cluster analysis, and correlated questions had to be reduced before performing the cluster analysis. The relatively small size of the dataset was an additional reason for discarding these questions [27].
Technical Gazette 25, 2(2018), 309-315
Altogether six questions were selected; a detailed description of each can be found in [28]. The hierarchical method was used as the most common approach to cluster analysis [27]. The Euclidean distance was chosen as the measure of (dis)similarity because the data were measured on an ordinal scale. Ward's method was chosen because there were no outliers and because this method produces similarly sized clusters [26]. Standardization of variables is needed when values are on different scales or their variances differ significantly, which is not the case in this work [27]. Clustering and statistical calculations were performed with the software tool Statistica 11.0 (StatSoft, Tulsa, OK, USA) with the significance level defined as α = 0.05. The number of clusters was defined by examining the dendrogram shown in Fig. 2, which graphically represents the result of the cluster analysis.
The step at which Ward's algorithm should be stopped is read from the resulting dendrogram, depending on the number of clusters and the distance between them. In this analysis the algorithm was stopped between 26 % and 41 % of the whole clustering procedure, because that region shows a large distance.
A growing distance in the dendrogram stands for a larger difference between groups and is graphically represented as a higher jump. This procedure resulted in six clusters, representing six groups of users. The classification of the discriminant analysis showed that 98.7 % of the originally grouped cases were correctly classified, and the canonical discriminant functions identified the variables that significantly influence group membership (Tab. 2). Overlap between groups was only 1.3 %. None of the questions significantly influenced Group 3, and question Q2 influenced all six groups equally (p = 0.578). Only Group 2 has the value "excellent" for a variable with significant influence on the clustering, and can be called the "excellent password quality group". Groups 1, 4, 5 and 6 are "poor" or "indifferent" in the variable that significantly influenced their membership, i.e. in the grade of the answer to one question. Only Group 3 is "average" in all six variables, meaning the grades of the answers to all six questions. Users of the "excellent password quality group" have their password graded as excellent, which differs significantly from the password grades of the other five groups. Users of the first group, the "less secure access group", prefer a less secure way of accessing their e-mail system, which differs significantly from the other users. While the users of the "group of average awareness" are average in their answers to all six questions, users of the fourth group, the "forgetful group", do not log off the system after finishing their work. The fifth group can be called the "naive group" because these users are not critical towards unknown collocutors, and the sixth group can be called the "security critical group" because its users carelessly send personal and sensitive data by e-mail as plain text.
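The clustering procedure of this section, as an added example in Python (not the paper's own computation, which was done in Statistica): Ward's agglomerative method with Euclidean distance, the stopping rule that reads the largest jump in merge distance off the dendrogram, and the per-cluster mean and standard deviation that Tab. 2 reports. The eight users and their grades on six questions are constructed for the illustration; the split they produce is two clusters, not the six found on the survey data.

```python
from typing import List, Sequence, Tuple

# Added example: Ward's hierarchical clustering with Euclidean distance, the "largest
# jump in the dendrogram" stopping rule the page describes, and the per-cluster mean
# and standard deviation of answer grades that Tab. 2 reports. Not the paper's code
# (it used Statistica); the eight users below are constructed, not survey data.

Cluster = Tuple[List[int], List[float], int]  # (member indices, centroid, size)


def ward_delta(a: Cluster, b: Cluster) -> float:
    """Ward's criterion: increase in within-cluster sum of squares when a and b are merged,
    n_a*n_b/(n_a+n_b) * squared Euclidean distance between the centroids."""
    _, ca, na = a
    _, cb, nb = b
    return na * nb / (na + nb) * sum((x - y) ** 2 for x, y in zip(ca, cb))


def ward_linkage(points: Sequence[Sequence[float]]) -> List[Tuple[float, List[List[int]]]]:
    """Agglomerate from singletons; each step records the merge height (Ward's delta) and
    the partition that existed just before that merge, which is what a dendrogram cut
    below that height would return."""
    clusters: List[Cluster] = [([i], list(p), 1) for i, p in enumerate(points)]
    steps: List[Tuple[float, List[List[int]]]] = []
    while len(clusters) > 1:
        delta, i, j = min(
            (ward_delta(clusters[p], clusters[q]), p, q)
            for p in range(len(clusters)) for q in range(p + 1, len(clusters)))
        steps.append((delta, [sorted(c[0]) for c in clusters]))
        (ma, ca, na), (mb, cb, nb) = clusters[i], clusters[j]
        centroid = [(na * x + nb * y) / (na + nb) for x, y in zip(ca, cb)]
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)]
        clusters.append((ma + mb, centroid, na + nb))
    return steps


def cut_at_largest_jump(steps: List[Tuple[float, List[List[int]]]]) -> List[List[int]]:
    """Stop where the merge distance grows most from one step to the next and keep the
    partition that existed before that merge (the page's reading of the dendrogram)."""
    if len(steps) < 2:
        raise ValueError("need at least three points to look for a jump")
    heights = [h for h, _ in steps]
    jump_at = max(range(1, len(heights)), key=lambda k: heights[k] - heights[k - 1])
    return sorted(steps[jump_at][1])


def cluster_profile(points: Sequence[Sequence[float]],
                    partition: List[List[int]]) -> List[List[Tuple[float, float]]]:
    """Per cluster and per question: (arithmetic mean, population standard deviation),
    the statistics the paper compares against the EERA utility grades."""
    profile = []
    for members in partition:
        rows = [points[i] for i in members]
        stats = []
        for q in range(len(rows[0])):
            col = [r[q] for r in rows]
            mean = sum(col) / len(col)
            sd = (sum((v - mean) ** 2 for v in col) / len(col)) ** 0.5
            stats.append((mean, sd))
        profile.append(stats)
    return profile


# Constructed grades (1 = poor ... 5 = excellent) on six questions for eight users:
# four with poor habits, four with excellent ones.
SAMPLE_GRADES = [
    (1, 1, 2, 1, 2, 1), (1, 2, 1, 2, 1, 1), (2, 1, 1, 1, 2, 2), (1, 1, 1, 2, 1, 1),
    (5, 4, 5, 5, 4, 5), (4, 5, 5, 4, 5, 5), (5, 5, 4, 5, 5, 4), (5, 5, 5, 4, 4, 5),
]


def demo() -> List[List[int]]:
    """Cluster the constructed users and cut at the largest jump."""
    return cut_at_largest_jump(ward_linkage(SAMPLE_GRADES))


if __name__ == "__main__":
    groups = demo()
    for g, stats in zip(groups, cluster_profile(SAMPLE_GRADES, groups)):
        print(g, ["%.2f±%.2f" % s for s in stats])
```

On the constructed data all within-group merges have small Ward increments, while the final merge of the two groups costs 134.0, so the largest jump is at the last step and the cut returns the two intended groups; on real data with several jumps of similar size, the choice of step is the analyst's call, as the 26 % to 41 % range above indicates.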

Evaluation with EERA and Comparison with Results of Statistical Cluster Analysis
Each of the six groups of users defined by the statistical clustering was evaluated by EERA, as shown in Tab. 3. The results are presented as a distribution of grades completed with uncertainty, and additionally as a utility grade. The utility grade, together with the utility interval defined by the uncertainty, is used as one overall grade suitable for comparison among different groups of users.
The evaluation results match for all six groups when comparing the results obtained by statistical cluster and discriminant analysis (arithmetic mean with standard deviation) with the results obtained by the evidential reasoning approach (utility with utility interval).
The highest utility grade (U = 0.855) was obtained by the "excellent password quality group", while the utility grades of all four "poor or indifferent" groups are lower than the utility grade of the "group of average awareness" (U = 0.821). The performance testing confirms the accuracy of the evaluation of ICT users with the evidential reasoning approach, because both methods rank all six groups consistently.

EMPIRICAL RESULTS OF BEHAVIOURAL ANALYSIS
The 627 analysed e-mail users were grouped according to the external variables obtained from the introductory questions of the questionnaire: gender, age, technical background knowledge and number of e-mail addresses used. The results of the users' security awareness show that users with a university degree have the greatest awareness of security issues when using the e-mail system. In contrast, users that have only one address, i.e. the less experienced users, have the lowest awareness of the e-mail system's security issues. Although all groups obtained an overall utility grade higher than the simulated minimally enough aware user, the first four groups did not obtain a significantly higher grade, as the difference is less than 5 %. These are the e-mail users with only one address, the younger users, the users without technical background knowledge and the users without a university degree, shown in Tab. 4, where P, I, A, G, E and U stand for poor, indifferent, average, good, excellent and uncertainty.
All other groups of e-mail users obtained a significantly higher overall utility grade of security awareness, but none of the groups obtained a grade close to "excellent". However, the grades of five groups were close to the grade of the "group of average awareness", as they differ by less than 5 % from the reference value (U = 0.821). The overall utility grades of all groups are less than 10 % above the reference value of the "minimally enough aware user" and more than 20 % below "excellent", except for the grade of users who use more than two e-mail addresses.
By analysing groups of questions, it is possible to identify the security-critical group of questions for a particular group of e-mail users, shown in Tab. 5. Young users obtained the lowest utility grade for the group of questions about the way of accessing the e-mail system, and most other groups of e-mail users obtained their lowest utility grade on the same subject.
All groups obtained the highest utility grade for the group of questions about attitude towards the collocutor.
A detailed analysis of the answers to each question for all interviewed users gave the following results:
• E-mail users rarely differentiate private from professional e-mail communication.
• Most users use free e-mail services (such as Gmail and Yahoo) for professional communication.
• Users rarely use a third, "temporary" e-mail address for registration on Internet services of questionable security.
• Users too often use public PCs with questionable software protection to access the e-mail system.
• Users rarely take the software protection of their private PCs into account.
• All groups of e-mail users are very critical when communicating with unknown collocutors (the utility grade for the subject of attitude towards the collocutor is "very good" for all groups of users).
It is also possible to calculate the utility grades of the basic attributes, especially for the questions belonging to the groups of questions that obtained a lower utility grade.

DISCUSSION AND CONCLUSION
In this paper the usage of the evidential reasoning approach to the behavioural analysis of ICT system users' security awareness is presented. The analysis was conducted on groups of users in order to present the analytic possibilities of the enhanced evidential reasoning algorithm: overall group evaluation, comparison between groups, evaluation of a single user and comparison with reference values obtained by simulation and/or expert valuation. A specific questionnaire was developed for data gathering.
The assessment methodology used in this paper has proven its applicability to the evaluation of the behaviour of a single user and of groups of users. Potentially risky behaviour can be ranked using utility grades and the normalized interval between the minimally aware "naïve" and the maximally aware "paranoid" user's behaviour. When discussing the results of the evaluation of users grouped by the demographic questions, certain general conclusions can be made. The results for the less experienced users were expected: this group obtained the lowest utility grade of information security awareness. Users without technical background knowledge and without a university degree also obtained an expectedly low overall utility grade. However, a low overall utility grade was not expected for young users, because they are mostly familiar with and frequently use all kinds of electronic communication systems; perhaps those users are too credulous. All groups of users are highly critical towards the collocutor. This may mean that all kinds of ICT users are quite aware of the importance of security, but do not know enough about specific security issues and/or show negligence towards information security guidelines and protocols.
The results of the empirical analysis showed that all groups of users obtained an overall utility grade higher than the simulated "minimally enough aware" user, but lower than the grade of "average awareness". This implies that e-mail users of all groups need additional education and frequent alerts and reminders about the risky behaviour caused by their level of security awareness, not only when using the e-mail communication system, but also when using other ICT systems in everyday life. Users' risky behaviour should be corrected by raising their information security awareness through education and training [29-31]. Some limitations of this work arise from the rather small number of questions in the questionnaire, because little attention has been paid to this area from the technicians' perspective. Also, most of the interviewed users belong simultaneously to several groups; for example, a user can belong at the same time to the male group, the group with technical background knowledge and the group of older users.
However, the comparison between complementary groups is well defined; for example, the comparison of overall utility grades between male and female users can produce constructive conclusions.
Another drawback is the subjective assessment of the answers, which can be questioned from the perspective of a security expert. This is partly addressed by using the evidential reasoning approach, which is well suited for calculations with subjective judgments; moreover, the main aim was to present the usage of the novel assessment approach and not to identify security-critical users in a population of ICT users.
Future work should include all major security aspects that describe an ICT user's awareness and possible risky behaviour in the evaluation. This should be achieved by developing and verifying a more general questionnaire. Also, by following the presented modelling procedure, it should be possible to develop a model for assessing the overall ICT system regarding its security, maintenance and/or cost effectiveness.

Figure 1 Part of the hierarchical tree structure of the subjects covered by each corresponding question in Tab. 1

Figure 2 Tree diagram of the results of the cluster analysis

Table 1 Short description of the questions with the possible answers and the matching grade per answer [15]

Table 2 Results of the statistical analysis: average answer grades (mean ± standard deviation) per each cluster group of users for the selected questions with their covered subjects (e.g. Q2, usage of free e-mail services); Group 1: n = 45, Group 2: n = 42, Group 3: n = 63, Group 4: n = 46, Group 5: n = 63, Group 6: n = 47. *Significant influence of the particular question on the particular group; **one-way ANOVA test, p significant at the level < 0.05

Table 3 Results of the evaluation with the evidential reasoning approach: distribution of grades with the associated utility grade per each cluster group of users

Table 4 Comparison of assessment results between simulated e-mail users and the graded groups of e-mail users

Table 5 Comparison of assessment results between subclasses for each group of users