
Usable Privacy and Security I - PowerPoint PPT Presentation



Usable Privacy and Security I. 05-899/17-500 Usable Privacy and Security Colleen Koranda February 7, 2006. Usable Privacy and Security I. Chapter 1: Psychological Acceptability Revisited Chapter 2: The Case for Usable Security Chapter 3: Design for Usability


Usable Privacy and Security I

05-899/17-500 Usable Privacy and Security

Colleen Koranda

February 7, 2006


Usable Privacy and Security I

  • Chapter 1: Psychological Acceptability Revisited

  • Chapter 2: The Case for Usable Security

  • Chapter 3: Design for Usability

  • Chapter 32: Users are not the Enemy

Carnegie Mellon University


Usable Security

  • The user side…

    • A secure system has to be complicated and complex; thus, difficult to use

    • The Need to Know Principle

      • The more that is known about security the easier it is to attack

      • Users know little about security

      • Lack of knowledge makes it less secure

    • Humans are the weakest link in the security chain

      • Hackers pay attention to the human element in security in order to exploit it

Usable Security

  • Why are security products ineffective?

    • Users do not understand the importance of data, software, and systems

    • Users do not see that assets are at risk

    • Users do not understand that their behavior puts assets at risk

Approach #1

  • Educate the user

  • Today’s educational topic: passwords

What makes a Good Password?

Suggestions for Creating Passwords

  • Interject random characters within a word

    • confine = cOn&fiNe

  • Deliberately misspell a word

    • helium = healeum

  • Make an acronym

    • I’ve fallen, and I can’t get up = If,alcgu

  • Use numbers and sounds of letters to make words

    • I am the one for you = imd14u

  • Combine letters from multiple words

    • Laser and implosion = liamspel

https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html


http://www.hirtlesoftware.com/p_passpr.htm

How Long does it take to Crack a Password?

  • Brute force attack

  • Assuming 100,000 encryption operations per second

  • FIPS Password Usage

    • 3.3.1 Passwords shall have maximum lifetime of 1 year

Password Length

http://geodsoft.com/howto/password/cracking_passwords.htm#howlong
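The slide's assumptions (brute force at 100,000 operations per second, a 1-year maximum lifetime) can be applied to the example passwords from the "Suggestions for Creating Passwords" slide. The following is an added example, not part of the original presentation; it assumes the attacker searches the union of the ASCII character classes a password uses and already knows its length.

```python
import string

OPS_PER_SECOND = 100_000             # rate assumed on the slide
LIFETIME_SECONDS = 365 * 24 * 3600   # 1-year maximum lifetime (FIPS 3.3.1)

# Assumption: the attacker searches the union of the ASCII classes in use.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(password):
    """Size of the smallest union of classes covering every character."""
    return sum(len(cls) for cls in CLASSES
               if any(ch in cls for ch in password))

def worst_case_seconds(size, length):
    """Time to try every password of exactly `length` characters."""
    return size ** length / OPS_PER_SECOND

def min_length_for_lifetime(size):
    """Shortest length whose average-case search (half the keyspace)
    outlasts the password lifetime."""
    length = 1
    while worst_case_seconds(size, length) / 2 <= LIFETIME_SECONDS:
        length += 1
    return length

def humanize(seconds):
    for unit, span in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"

def report(passwords):
    """(password, charset size, length, worst-case search time) per entry."""
    return [(pw, charset_size(pw), len(pw),
             humanize(worst_case_seconds(charset_size(pw), len(pw))))
            for pw in passwords]

if __name__ == "__main__":
    # Passwords taken from the "Suggestions for Creating Passwords" slide.
    for row in report(["cOn&fiNe", "healeum", "If,alcgu", "imd14u", "liamspel"]):
        print("%-9s charset=%-3d length=%d  exhaustive search: %s" % row)
    for name, size in (("lowercase", 26), ("alphanumeric", 62), ("printable", 94)):
        print(f"{name}: lifetime needs >= {min_length_for_lifetime(size)} chars")
```

These figures are upper bounds on resistance: guessing driven by dictionaries and common substitutions recovers misspelled or lightly modified words far sooner than exhaustive search does.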

Education Results

  • Educating users does not automatically mean they will change their behavior

  • Why?

    • users do not believe they are at risk

    • users do not think they will be accountable for not following security regulations

    • security mechanisms can conflict with social norms

    • security behavior conflicts with self-image

Motivation

  • Users are motivated if they care about what is being protected

    -and-

  • Users understand how their behavior can put assets at risk

Motivation

  • How can motivation be accomplished?

    • Security should not be a ‘firefighting’ response

    • Organizations must become active in security

  • Approach #2 – Design a Usable System

Design a Usable System

  • User centered design is critical in system security

  • Password mechanisms should be compatible with work practices

    • Change regime and spiraling effect:

      • I cannot remember my password. I have to write it down. Everyone knows it’s on a Post-it in my drawer, so I might as well stick it on the screen and tell everyone who wants to know

      • Passwords that are memorable are not secure

How to Design a Usable & Secure System?

  • Current problem

    • Lack of communication between users and security departments

  • Solution

    • Product: actual security mechanisms

    • Process: how decisions are made

    • Panorama: the context of security

Product

  • Password Considerations

    • Meaning increases memorability

      • Are often less secure

      • How do you make a password easy to remember but hard to guess?

    • Passwords that change over time

      • Can decrease memorability

      • Can increase security?

    • System generated passwords

      • Can be more inherently secure

      • Are less memorable

    • Passwords are often used infrequently

      • How can they be remembered?

Process

  • Security tasks must be designed to support production tasks

    • AEGIS process

      • gathering participants

      • identifying assets

      • modeling assets in context of operation

      • security requirements on assets

      • risk analysis

      • designing security of the system

    • Benefits of involving stakeholders

      • increased awareness of security

      • security aspects become much more accessible and personal

      • provide a simple model through security properties of the system

Panorama

  • Security tasks must take into account the environment

    • Education

      • Teaching concepts and skills

    • Training

      • Change behavior through drills, monitoring, feedback, reinforcement

      • Focus should be on correct usage of security mechanisms

      • Should encompass all staff, not only those with immediate access to systems deemed at risk

    • Attitudes

      • Role models

Activity

  • Groups will explore how to solve a problem related to passwords with a given scenario

  • The goal is to make suggestions for a secure system that users will comply with

  • Simply saying ‘educate and train users’ is not enough to make a convincing argument

  • Weigh the pros and cons of decisions you make

  • Refer to the design checklist (p42)

Summary

  • Users need to be informed about security issues

  • The majority of users are security conscious if they see the need for the behavior

  • The key to all security efforts is a balance between security and usability

Bibliography

  • Security and Usability

    • Chapter 1: Psychological Acceptability Revisited

    • Chapter 2: The Case for Usable Security

    • Chapter 3: Design for Usability

    • Chapter 32: Users are not the Enemy

  • http://www.smat.us/sanity/riskyrules.html

  • http://www.dss.mil/search-dir/training/csg/security/S2unclas/Need.htm

  • http://www.itl.nist.gov/fipspubs/fip112.htm

  • http://www.securitystats.com/tools/password.php

  • https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html

  • http://geodsoft.com/howto/password/cracking_passwords.htm#howlong
