The Real Effects of Password Policies

Departmental seminar

 
When?
Wednesday 23 May 2012, 14:00 to 15:00
Where?
39 BB 02
Open to:
Public, Staff, Students
Speaker:
Dr Karen Renaud, University of Glasgow

Users are often considered the weakest link in the security chain because of their poor security behaviour. One area with a vast amount of evidence related to poor behaviour is that of password management.

We have a pretty good idea of the extent to which this behaviour impacts on the individual user’s personal security. Unfortunately, we don’t know what the impact of this kind of behaviour by a number of organisational employees is, on a larger scale, nor do we know how best to intervene so as to improve the general security of an organisation as a whole. Current wisdom mandates the use of policies to curb insecure behaviours but it is clear that this approach has limited effectiveness. Unfortunately, no one really understands how the individual directives contained in the policies impact on the security of the ecosystem. Sometimes directives have unexpected side effects which are not easily anticipated.

It would be very difficult to answer this question in a real-life environment. I will describe a simulation engine which models an organisation with employee agents using a number of systems over an extended period. The simulation is tailorable, allowing tweaking of particular system-wide settings in order to implement policy diktats so as to determine their potential impact on the security of the organisation’s systems.

This tool supports security specialists developing policies within their organisations by quantifying the longitudinal impacts of particular rules.

Biography

Karen Renaud is a graduate of the Universities of Pretoria, South Africa and Glasgow. Her main research interest is Usable Security. She publishes widely in this area and collaborates with academics in the UK, South Africa and Canada. She also has interests in email usage in organisations, electronic voting and technology acceptance, specifically with respect to learning support systems.

Research Interests:
- Usability of Security Systems
- Graphical Authentication Mechanisms
- Security and Email Acceptable Use Policies
- The use of technology in organisations
- Electronic Voting
- Privacy
