1 / 46

Course Overview

Course Overview. January 16, 2007. Outline. Review syllabus and course policies Distribute survey Introduction to usable privacy and security Faculty research overview Introduce students. Syllabus. http://cups.cs.cmu.edu/courses/ups-sp07/ Course numbers Grading

atalaya-faridoon
Download Presentation

Course Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Course Overview January 16, 2007

  2. Outline • Review syllabus and course policies • Distribute survey • Introduction to usable privacy and security • Faculty research overview • Introduce students

  3. Syllabus • http://cups.cs.cmu.edu/courses/ups-sp07/ • Course numbers • Grading • Homework (25%) - due at 3:15pm • Lecture (25%) • Project (50%) • Textbook and readings • Schedule

  4. Survey • Please fill out course survey and bring it with you to class on Thursday

  5. Unusable security & privacy • Unpatched Windows machines compromised in minutes • Phishing web sites increasing by 28% each month • Most PCs infected with spyware (avg. = 25) • Users have more passwords than they can remember and practice poor password security • Enterprises store confidential information on laptops and mobile devices that are frequently lost or stolen

  6. Grand Challenge “Give end-users security controls they can understandand privacy they can control forthe dynamic, pervasive computing environments of the future.” - Computing Research Association 2003

  7. Just work

  8. security/privacy researchers and system developers human computer interaction researchers and usability professionals

  9. Mark your calendarfor SOUPS 2007 - July 18-20 at CMU http://cups.cs.cmu.edu/soups/

  10. The user experience

  11. How do users stay safe online?

  12. POP!

  13. After installing all that security and privacy software

  14. Do you have any time left to get any work done?

  15. Secondary tasks

  16. “Users do not want to be responsible for, nor concern themselves with, their own security.” - Blake Ross

  17. Concerns may not be aligned • Security experts are concerned about the bad guys getting in • Users may be more concerned about locking themselves out

  18. Grey: Smartphone based access-control system • Deployed in CMU building with computer security faculty and students • Nobody questions that the security works • But lots of concerns about getting locked out L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea. Lessons Learned from the Deployment of a Smartphone-Based Access-Control System.Technical Report CMU-CyLab-06-016, CyLab, Carnegie Mellon University, October 2006. http://www.cylab.cmu.edu/default.aspx?id=2244

  19. Secure, but usable?

  20. Unusable security frustrates users

  21. Typical password advice • Pick a hard to guess password • Don’t use it anywhere else • Change it often • Don’t write it down

  22. What do users do when every web site wants a password?

  23. Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1

  24. Approaches to usable security • Make it “just work” • Invisible security • Make security/privacy understandable • Make it visible • Make it intuitive • Use metaphors that users can relate to • Train the user

  25. Make it “just work”

  26. This makes users very happy (but it’s not that easy)

  27. Make decisions • Developers should not expect users to make decisions they themselves can’t make

  28. Make security understandable

  29. “Present choices, not dilemmas” - Chris Nodder (in charge of user experience for Windows XP SP2)

  30. Train the user

  31. Training people not to fall for phish • Laboratory study of 28 non-expert computer users • Asked to evaluate 10 web sites, take 15 minute break, evaluate 10 more web sites • Experimental group read web-based training materials during break, control group played solitaire • Experimental group performed significantly better identifying phish after training • People can learn from web-based training materials, if only we could get them to read them!

  32. How do we get people trained? • Most people don’t proactively look for training materials on the web • Many companies send “security notice” emails to their employees and/or customers • But these tend to be ignored • Too much to read • People don’t consider them relevant

  33. Embedded training • Can we “train” people during their normal use of email to avoid phishing attacks? • Periodically, people get sent a training email • Training email looks like a phishing attack • If person falls for it, intervention warns and highlights what cues to look for in succinct and engaging format P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CyLab Technical Report. CMU-CyLab-06-017, 2006. http://www.cylab.cmu.edu/default.aspx?id=2253

  34. Diagram intervention

  35. Explains why they are seeing this message

  36. Explains how to identify a phishing scam

  37. Explains what a phishing scam is

  38. Explains simple things you can do to protect self

  39. Comic strip intervention

  40. Embedded training evaluation • Lab study compared two prototype interventions to standard security notice emails from Ebay and PayPal • Existing practice of security notices is ineffective • Diagram intervention somewhat better • Comic strip intervention worked best • Interventions most effective when based on real brands

  41. Faculty research overview Lorrie Cranor JasonHong CMU Usable Privacy and Security (CUPS) Laboratoryhttp://cups.cs.cmu.edu/

  42. Student introductions • Introduce yourself to your neighbor and tell them your background. Tell them why you’re taking the course and what you want to get out of the course • Form a group of ~4 and repeat • Form a group of ~8 and repeat • Pick someone to stand up in front of the class, introduce your group members, and summarize the reasons people in your group are taking the course and what you want to get out of the course

  43. CMUUsablePrivacy andSecurity Laboratory http://cups.cs.cmu.edu/

More Related