Usable Privacy and Security I
05-899/17-500 Usable Privacy and Security
Colleen Koranda
February 7, 2006
Usable Privacy and Security I
• Chapter 1: Psychological Acceptability Revisited
• Chapter 2: The Case for Usable Security
• Chapter 3: Design for Usability
• Chapter 32: Users are not the Enemy
Carnegie Mellon University
Usable Security
• The user side…
  • A secure system has to be complicated and complex; thus, difficult to use
• The Need to Know Principle
  • The more that is known about security, the easier it is to attack
  • Users know little about security
  • Lack of knowledge makes it less secure
• Humans are the weakest link in the security chain
  • Hackers pay attention to the human element in security in order to exploit it
Usable Security
• Why are security products ineffective?
  • Users do not understand the importance of data, software, and systems
  • Users do not see that assets are at risk
  • Users do not understand that their behavior is at risk
Approach #1
• Educate the user
• Today’s educational topic: passwords
What makes a Good Password?
Suggestions for Creating Passwords
• Interject random characters within a word
  • confine = cOn&fiNe
• Deliberately misspell a word
  • helium = healeum
• Make an acronym
  • I’ve fallen, and I can’t get up = If,alcgu
• Use numbers and sounds of letters to make words
  • I am the one for you = imd14u
• Combine letters from multiple words
  • Laser and implosion = liamspel
https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html
http://www.hirtlesoftware.com/p_passpr.htm
http://www.securitystats.com/tools/password.php
How Long does it take to Crack a Password?
• Brute force attack
  • Assuming 100,000 encryption operations per second
• FIPS Password Usage
  • 3.3.1 Passwords shall have a maximum lifetime of 1 year
(chart: time to crack vs. Password Length)
http://geodsoft.com/howto/password/cracking_passwords.htm#howlong
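The slide's chart relates password length to exhaustive-search time at the stated rate of 100,000 operations per second, and the FIPS 112 rule bounds a password's lifetime at one year. The following added example (not part of the original slides) reproduces that arithmetic so the two numbers can be compared directly: for a chosen character set, how long a full search of every password of a given length takes, and the smallest length whose full search outlasts the one-year lifetime. The character-set sizes and the 100,000 guesses-per-second rate are assumptions taken from the slide, not measurements.

```python
import math

# Assumption from the slide: 100,000 encryption operations (guesses) per second.
GUESSES_PER_SECOND = 100_000
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
# FIPS 112 section 3.3.1 as quoted on the slide: maximum lifetime of 1 year.
MAX_LIFETIME_YEARS = 1

# Character-set sizes used for the comparison (constructed for this example).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every password of exactly this length at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate


def describe_duration(seconds: float) -> str:
    """Human-readable duration for a table row (seconds, hours, days or years)."""
    if seconds < 3600:
        return f"{seconds:.1f} s"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def min_length_outliving(alphabet_size: int,
                         years: float = MAX_LIFETIME_YEARS,
                         rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose exhaustive search takes longer than the password lifetime.

    Below this length an attacker at `rate` guesses/s can try the whole keyspace
    before the password is due to be rotated, so rotation alone does not help.
    """
    budget_seconds = years * SECONDS_PER_YEAR
    length = 1
    while worst_case_seconds(alphabet_size, length, rate) <= budget_seconds:
        length += 1
    return length


def crack_time_table(alphabet_size: int, max_length: int = 12,
                     rate: int = GUESSES_PER_SECOND) -> list:
    """Rows of (length, keyspace, worst-case seconds) for lengths 1..max_length."""
    return [(n, keyspace(alphabet_size, n), worst_case_seconds(alphabet_size, n, rate))
            for n in range(1, max_length + 1)]


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        print(f"{name} ({size} symbols): full search exceeds "
              f"{MAX_LIFETIME_YEARS} year at length {min_length_outliving(size)}")
    print("\nlowercase only, at 100,000 guesses/s:")
    for n, space, secs in crack_time_table(CHARSETS["lowercase"], max_length=10):
        print(f"  length {n:2d}: {space:>20,d} candidates, {describe_duration(secs)}")
```

Running the block prints, for each character set, the first length at which a full search no longer fits inside the one-year lifetime, followed by the lowercase-only table; the table is what the slide's chart shows in graphical form. Note that the figure is a worst case for the attacker: on average half the keyspace is searched, and dictionary-based guessing (the cracking tutorial linked on the earlier slide) is far faster than exhaustive search against passwords built from words.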
Education Results
• Educating users does not automatically mean they will change their behavior
• Why?
  • users do not believe they are at risk
  • users do not think they will be accountable for not following security regulations
  • security mechanisms can conflict with social norms
  • security behavior conflicts with self-image
Motivation
• Users are motivated if they care about what is being protected -and-
• Users understand how their behavior can put assets at risk
Motivation
• How can motivation be accomplished?
  • Security should not be a ‘firefighting’ response
  • Organizations must become active in security
• Approach #2 – Design a Usable System
Design a Usable System
• User centered design is critical in system security
• Password mechanisms should be compatible with work practices
• Change regime and spiraling effect:
  • I cannot remember my password. I have to write it down. Everyone knows it’s on a Post-it in my drawer, so I might as well stick it on the screen and tell everyone who wants to know
• Passwords that are memorable are not secure
How to Design a Usable & Secure System?
• Current problem
  • Lack of communication between users and security departments
• Solution
  • Product: actual security mechanisms
  • Process: how decisions are made
  • Panorama: the context of security
Product
• Password Considerations
  • Meaning increases memorability
    • Are often less secure
    • How do you make a password easy to remember but hard to guess?
  • Passwords that change over time
    • Can decrease memorability
    • Can increase security?
  • System generated passwords
    • Can be more inherently secure
    • Are less memorable
  • Passwords are often used infrequently
    • How can they be remembered?
Process
• Security tasks must be designed to support production tasks
• AEGIS process
  • gathering participants
  • identifying assets
  • modeling assets in context of operation
  • security requirements on assets
  • risk analysis
  • designing security of the system
• Benefits of involving stakeholders
  • increased awareness of security
  • security aspects become much more accessible and personal
  • provide a simple model through security properties of the system
Panorama
• Security tasks must take into account the environment
• Education
  • Teaching concepts and skills
• Training
  • Change behavior through drills, monitoring, feedback, reinforcement
  • Focus should be on correct usage of security mechanisms
  • Should encompass all staff, not only those with immediate access to systems deemed at risk
• Attitudes
• Role models
Activity
• Groups will explore how to solve a problem related to passwords with a given scenario
• The goal is to make suggestions for a secure system that users will comply with
• Simply saying ‘educate and train users’ is not enough to make a convincing argument
• Weigh the pros and cons of decisions you make
• Refer to the design checklist (p42)
Summary
• Users need to be informed about security issues
• The majority of users are security conscious if they see the need for the behavior
• The key to all security efforts is a balance between security and usability
Bibliography
• Security and Usability
  • Chapter 1: Psychological Acceptability Revisited
  • Chapter 2: The Case for Usable Security
  • Chapter 3: Design for Usability
  • Chapter 32: Users are not the Enemy
• http://www.smat.us/sanity/riskyrules.html
• http://www.dss.mil/search-dir/training/csg/security/S2unclas/Need.htm
• http://www.itl.nist.gov/fipspubs/fip112.htm
• http://www.securitystats.com/tools/password.php
• https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html
• http://geodsoft.com/howto/password/cracking_passwords.htm#howlong