Usable Privacy and Security I
Usable Privacy and Security I

05-899/17-500 Usable Privacy and Security

Colleen Koranda

February 7, 2006

Usable Privacy and Security I
  • Chapter 1: Psychological Acceptability Revisited
  • Chapter 2: The Case for Usable Security
  • Chapter 3: Design for Usability
  • Chapter 32: Users are not the Enemy

Carnegie Mellon University

Usable Security
  • The user side…
    • A secure system has to be complicated and complex, and is therefore difficult to use
    • The Need to Know Principle
      • The more that is known about security, the easier it is to attack
      • Users know little about security
      • Lack of knowledge makes it less secure
    • Humans are the weakest link in the security chain
      • Hackers pay attention to the human element in security in order to exploit it

Usable Security
  • Why are security products ineffective?
    • Users do not understand the importance of data, software, and systems
    • Users do not see that assets are at risk
    • Users do not understand that their behavior is at risk

Approach #1
  • Educate the user
  • Today’s educational topic: passwords

What makes a Good Password?

Suggestions for Creating Passwords
  • Interject random characters within a word
    • confine = cOn&fiNe
  • Deliberately misspell a word
    • helium = healeum
  • Make an acronym
    • I’ve fallen, and I can’t get up = If,alcgu
  • Use numbers and sounds of letters to make words
    • I am the one for you = imd14u
  • Combine letters from multiple words
    • Laser and implosion = liamspel

https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html

How Long does it take to Crack a Password?
  • Brute force attack
  • Assuming 100,000 encryption operations per second
  • FIPS 112, Password Usage
    • 3.3.1 Passwords shall have a maximum lifetime of 1 year

[Chart: time to crack versus password length]

http://geodsoft.com/howto/password/cracking_passwords.htm#howlong
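The two bullets on this slide worked through as an added example (not part of the original slides): at the assumed rate of 100,000 guesses per second, how long does exhausting each keyspace take, and how long must a password be so that the FIPS 112 one-year maximum lifetime expires before the whole space can be searched? The alphabet sizes are assumptions chosen for illustration.

```python
# Added example, not from the slides: estimate brute-force search time at the
# slide's assumed rate of 100,000 guesses ("encryption operations") per second,
# and relate it to the FIPS 112 rule that a password lives at most one year.
import string

GUESSES_PER_SECOND = 100_000
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
MAX_LIFETIME_SECONDS = SECONDS_PER_YEAR  # FIPS 112, section 3.3.1: 1 year

# Assumed alphabets a password policy might allow (our sizes, not the slides').
ALPHABETS = {
    "digits": len(string.digits),                                                 # 10
    "lowercase": len(string.ascii_lowercase),                                     # 26
    "alphanumeric": len(string.ascii_letters + string.digits),                    # 62
    "printable": len(string.digits + string.ascii_letters + string.punctuation),  # 94
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every password of this length at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate

def min_length_for_lifetime(alphabet_size: int,
                            lifetime_seconds: int = MAX_LIFETIME_SECONDS,
                            rate: int = GUESSES_PER_SECOND) -> int:
    """Shortest length whose keyspace cannot be exhausted before the password
    expires: a maximum lifetime only helps if rate * lifetime < keyspace."""
    affordable_guesses = rate * lifetime_seconds
    length = 1
    while keyspace(alphabet_size, length) <= affordable_guesses:
        length += 1
    return length

def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, for the table below."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"

if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        cells = ", ".join(f"{n} chars: {human_duration(worst_case_seconds(size, n))}"
                          for n in (6, 8, 10))
        print(f"{name:<13}{cells}; outlasts a 1-year lifetime from {min_length_for_lifetime(size)} chars")
```

The rate is the slide's 2006 assumption; raising it (modern hardware or an offline attack on a weak hash) shifts every row, which is the point of parameterising it.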

Education Results
  • Educating users does not automatically mean they will change their behavior
  • Why?
    • users do not believe they are at risk
    • users do not think they will be accountable for not following security regulations
    • security mechanisms can conflict with social norms
    • security behavior conflicts with self-image

Motivation
  • Users are motivated if they care about what is being protected

-and-

  • Users understand how their behavior can put assets at risk

Motivation
  • How can motivation be accomplished?
    • Security should not be a ‘firefighting’ response
    • Organizations must become active in security
  • Approach #2 – Design a Usable System

Design a Usable System
  • User centered design is critical in system security
  • Password mechanisms should be compatible with work practices
    • Change regime and spiraling effect:
      • I cannot remember my password. I have to write it down. Everyone knows it’s on a Post-it in my drawer, so I might as well stick it on the screen and tell everyone who wants to know
      • Passwords that are memorable are not secure

How to Design a Usable & Secure System?
  • Current problem
    • Lack of communication between users and security departments
  • Solution
    • Product: actual security mechanisms
    • Process: how decisions are made
    • Panorama: the context of security

Product
  • Password Considerations
    • Meaning increases memorability
      • Meaningful passwords are often less secure
      • How do you make a password easy to remember but hard to guess?
    • Passwords that change over time
      • Can decrease memorability
      • Can increase security?
    • System generated passwords
      • Can be more inherently secure
      • Are less memorable
    • Passwords are often used infrequently
      • How can they be remembered?

Process
  • Security tasks must be designed to support production tasks
    • AEGIS process
      • gathering participants
      • identifying assets
      • modeling assets in the context of operation
      • specifying security requirements on assets
      • risk analysis
      • designing the security of the system
    • Benefits of involving stakeholders
      • increased awareness of security
      • security aspects become much more accessible and personal
      • provide a simple model of the system through its security properties

Panorama
  • Security tasks must take into account the environment
    • Education
      • Teaching concepts and skills
    • Training
      • Change behavior through drills, monitoring, feedback, reinforcement
      • Focus should be on correct usage of security mechanisms
      • Should encompass all staff, not only those with immediate access to systems deemed at risk
    • Attitudes
      • Role models

Activity
  • Groups will explore how to solve a problem related to passwords with a given scenario
  • The goal is to make suggestions for a secure system that users will comply with
  • Simply saying ‘educate and train users’ is not enough to make a convincing argument
  • Weigh the pros and cons of decisions you make
  • Refer to the design checklist (p. 42)

Summary
  • Users need to be informed about security issues
  • The majority of users are security conscious if they see the need for the behavior
  • The key to all security efforts is a balance between security and usability

Bibliography
  • Security and Usability
    • Chapter 1: Psychological Acceptability Revisited
    • Chapter 2: The Case for Usable Security
    • Chapter 3: Design for Usability
    • Chapter 32: Users are not the Enemy
  • http://www.smat.us/sanity/riskyrules.html
  • http://www.dss.mil/search-dir/training/csg/security/S2unclas/Need.htm
  • http://www.itl.nist.gov/fipspubs/fip112.htm
  • http://www.securitystats.com/tools/password.php
  • https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html
  • http://geodsoft.com/howto/password/cracking_passwords.htm#howlong
