Criteria for a Personal Information Security Agent

Cited by: 0
Authors
Stieger, Ewald [1]
von Solms, Rossouw [1]
Affiliations
[1] Nelson Mandela Metropolitan Univ, Port Elizabeth, South Africa
Source
PROCEEDINGS OF THE 10TH EUROPEAN CONFERENCE ON INFORMATION WARFARE AND SECURITY | 2011
Keywords
Information security; information security awareness; persuasive technology; human computer interaction; human behaviour; USERS
DOI
Not available
Chinese Library Classification number
TP3 [Computing technology, computer technology]
Discipline classification code
0812
Abstract
Today's economy depends on the secure flow of information within and across organizations, and information security is an issue of vital importance. Information security ensures business continuity and minimizes business damage by preventing and reducing the impact of security incidents. However, information security efforts are certainly not as effective as one would have wished for. A commonly accepted reason for this is the insecure behaviour of people. This insecure behaviour is often due to a lack of knowledge, awareness, education and training. In order to address this, many organisations provide security education, training and awareness programs to their employees. However, these programs often do not achieve a persistent change towards secure behaviour. The various reasons that contribute to the failure of security education, training and awareness programs and cause the trend towards insecure behaviour are briefly discussed. It follows that changing the behaviour of people is an inherently difficult task that requires the consideration of many factors. Similarly, a tool that intends to address insecure behaviour needs to consider various technological elements that may contribute to its ability to influence behaviour. The aim of this paper is to propose the principles of a personal information security agent and explore a set of objectives and criteria that may contribute to its success in influencing and reminding individuals towards a more secure behaviour. The criteria stem from various domains such as persuasive technology and human computer interaction. Persuasive technology has been applied in various domains to shape, reinforce or change people's behaviour. We describe related work that has been done using persuasive technology, and build on it. The proposed criteria consist of functions such as "To motivate" and characteristics such as "Context sensitivity".
To put the theory into practice, a prototype of a personal security agent has been developed that implements some of the criteria. Based on this, a discussion on the development and implementation of the prototype and its potential benefits has been included. The prototype was developed to test the proposed criteria in a practical experiment that will form part of future research.
Pages: 245-252
Page count: 8