1 / 12

Enhancing Backend Security Solutions: Addressing Expectations and Usability Issues

Explore the critical issues of expecting too much from users in designing secure systems, focusing on weak passwords, phishing, and social engineering. Learn about subjective expected utility theory and the importance of user-centric security design. Supported by insights from experts such as Don Norman and Peter Gutmann.

hughd
Download Presentation

Enhancing Backend Security Solutions: Addressing Expectations and Usability Issues

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Usable security: Problems ECE 695 Alexander J. Quinn 3/19/2018

  2. Credit: ‘jrockway’ @ https://slashdot.org/comments.pl?sid=190833&cid=15698213

  3. Problem (about SSL and Man-In-Demo attacks)

  4. Overview • Problem: expecting too much • Symptoms: security risks • Weak passwords • Phishing • Downloading malware • Social engineering • Solutions: design • … and more backend security

  5. Problem Expecting too much rationality Expecting too muchattention Expecting too much memory Expecting too much knowledge Expecting too much concern

  6. Credit: Don Norman, Design of Everyday Things, chapter 2, p. 65

  7. Which of these passwords meets the rules? 1. random-dancer 2. d9l3c93jdlcks93jckdoekcjslqp 3. FuddyHuffaker_$0cje 4. Boilerrrrrrr93kcjslekcu@#$

  8. Credit: The Psychology of Security Usability

  9. Subjective Expected Utility Theory • Assume: • User has a utility function to rank options based on future outcomes • User knows all possible alternative strategies • User can estimate probability of outcomes for each alternative • User will choose an alternative based on subjective expected utility Credit: The Psychology of Security Usability

  10. Subjective Expected Utility Theory for each possible decision alternative: x = all possible consequences of making a decision, which includes recursive evaluation of any carry-on effects); p(x) = quantitative probability for x; U(x) = subjective utility of each consequence; p(x) × U(x) = probability multiplied by subjective utility; Credit: Peter Gutmann, Engineering Security (draft, April 2014)

  11. For exercise next time… • If the 3rd digit of your PUID (or SSN) is odd, then think of the worst instance of unusable security you’ve ever seen. • If the 3rd digit is even, think of one that is fake, but might sound real. Get ready to give a 30-second description. We’ll vote and see how well we can guess.

More Related