The security impact of humans in systems

A system with humans in it has characteristically different security properties from a fully automated system. This paper identifies the distinctive security impacts of systems involving humans, presents an approach to security analysis of complex systems and outlines the consequences for system design. It indicates a number of areas in which it has proved important to address system-level security issues, through a model which treats humans as components alongside technology elements. The special features of humans are brought out, prompting some new concerns for the future. These features are related to: (a) the fact that humans have a pre-existing societal interaction with other humans, which they don´t (yet) have with machines, and (b) the fact that humans are capable of highly intelligent attacks (and defences)-far more than machines currently are, though this may change. Many sectors are coming to terms with the necessity for human-in-the-loop modelling. It yields not only a much more robust analysis of security issues, but also a few operational surprises