Security and Usability

Slides:



Advertisements
Similar presentations
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Advertisements

Identity Federation: Some Challenges and Thoughts OGF 19 Jan 30, 2007 Von Welch
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
CyLab Usable Privacy and Security Laboratory 1 C yLab U sable P rivacy and S ecurity Laboratory Introduction.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.
Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.
Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Understanding the Human in.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
Safer Web Browsing Terry Labach Information Security Services IST.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Alisha Horsfield INTERNET SAFETY. firewall Firewall- a system made to stop unauthorised access to or from a private network Firewalls also protects your.
Security 101 Harper P. Johnson Information Technology Services Director of Information Security.
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
Staying Safe Online Keep your Information Secure.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
Practising Safer Web Browsing Terry Labach Information Security Services IST February 17, 2012.
Session 7 LBSC 690 Information Technology Security.
Another perspective on Network Security Network Security Essentials: Applications and Standards, 4/E William Stallings ISBN-10: ISBN-13:
KTAC Security Task Force Superintendents Update April 23, 2015.
Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?
Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Usable Privacy and Security.
LESSON 5-2 Protecting Your Computer Lesson Contents Protecting Your Computer Best Practices for Securing Online and Network Transactions Measures for Securing.
CSCD 303 Essential Computer Security Lecture 1 - Course Details.
Unit 2 Assignment 1. Spyware Spyware is a software that gathers information about a person or site and uses it without you knowing. It can send your information.
Computer Security Keeping you and your computer safe in the digital world.
Information Technology Security Office of the Vice President for Information Technology New Employee Orientation II.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Intro to Digital Technology Review for Final Introduction to Digital Technology Finals Seniors Monday, 5/16 – 2 nd Tuesday 5/17 – 1 st,3 rd Underclassmen.
Cybersecurity and People: Challenges in Predicting User Actions Joachim Meyer Dept. of Industrial Engineering Fleischman School of Engineering Tel Aviv.
PUBLIC COMPUTER SAFETY
Botnets A collection of compromised machines
Managing Windows Security
Keeping Children Safe Online
What they are and how to protect against them
Unit 4 IT Security.
Information Security.
Password Management Limit login attempts Encrypt your passwords
Homeland Security: Computer Protection
VIRUS HOAX + BOTS. VIRUS HOAX + BOTS Group Members Aneeqa Ikram Fatima Ishaque Tufail Rana Anwar Amjad.
How to build a good reputation online
Protecting your personal information and privacy
Vocabulary Big Data - “Big data is a broad term for datasets so large or complex that traditional data processing applications are inadequate.” Moore’s.
Computer Security Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Botnets A collection of compromised machines
Lesson 2- Protecting Yourself Online
Columbus State University
STOP. THINK. CONNECT. Online Safety Quiz.
Call AVG Antivirus Support | Fix Your PC
Risk of the Internet At Home
Why ISO 27001? Subtitle or presenter
Tom Chothia Computer Security
CSCD 303 Essential Computer Security
Lesson 2: Epic Security Considerations
Another perspective on Network Security
The main cause for that are the famous phishing attacks, in which the attacker directs users to a fake web page identical to another one and steals the.
HOW DO I KEEP MY COMPUTER SAFE?
Implementing Client Security on Windows 2000 and Windows XP Level 150
Lesson 2: Epic Security Considerations
Lesson 2: Epic Security Considerations
CSCD 303 Essential Computer Security
Course Overview January 16, 2007.
Welcome to the E Safety Workshop
Internet Safety – Social Media
How To - Use a Monitor as a Secondary Display for your Laptop
Lesson 2- Protecting Yourself Online
Handling Information Securely
CSCD 303 Essential Computer Security
INTERNET SECURITY.
Presentation transcript:

Security and Usability Rachel Greenstadt February 15, 2016 Slide credits Lorrie Cranor

Announcements Midterm available Project 1 due next Thursday Mean 72, Median 75, STDev 15 Very bimodal distribution Project 1 due next Thursday I’m away next week Tues: guest lecture from Russell Handorf, FBI Thurs: discussion led by Kevin

A security professional’s view of humans... “Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)” Network Security: PRIVATE Communication in a PUBLIC World Charlie Kaufman, Radia Perlman + Mike Speciner Prentice Hall 1995

On the other hand…

The Attacker’s Perspective

security/privacy researchers and system developers But until recently, security and privacy researchers weren’t paying a whole of attention to what users wanted. Security folks worked in one department, while HCI folks worked in a different department, and they didn’t really talk much. But that is starting to change. human computer interaction researchers and usability professionals

How do you stay safe online?

Unusable security & privacy Unpatched Windows machines compromised in minutes Phishing web sites increasing by 28% each month Most PCs infected with spyware (avg. = 25) Users have more passwords than they can remember and practice poor password security Enterprises store confidential information on laptops and mobile devices that are frequently lost or stolen

- Computing Research Association 2003 Grand Challenge “Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.” - Computing Research Association 2003

Experts recommend…

POP! Firewalls Antivirus software Spam filters Pop-up blockers Cookie managers Spyware removers encryption software if you have kids, adult content filters, and if you want to cover your tracks, anonymity tools

After installing all that security and privacy software

Do you have any time left to get any work done?

Secondary tasks Security and privacy are secondary tasks Nobody buys a computer so they can spend time securing it. Time we spend configuring security and privacy tools is time we are not spending doing what we really want to be doing with our computers

Approaches to usable security Make it “just work” Invisible security Make security/privacy understandable Make it visible Make it intuitive Use metaphors that users can relate to Train the user

Make decisions Developers should not expect users to make decisions they themselves can’t make Many pieces of software contain prompts in which the developers ask users to make a security-related decision. Blake Ross suggests that - Before coding up such questions, software developers should ask themselves a question: if I can’t figure it out, how are users supposed to? What additional qualifications do users possess that will help them arrive at a better conclusion? (From Blake Ross’ book chapter)

Present choices, not dilemmas - Chris Nodder (in charge of user experience for XP SP2) Chris Nodder, who was in charge of user experience for MS XP SP2, puts it this way: “Present choices, not dilemmas.” If the user doesn’t have any insights into how to answer a question, it is a dilemma, not a decision. There are some situations where users possess some additional contextual knowledge or personal preferences that may allow them to make a better decision than the implementer could make in advance. In those cases, UIs are needed that will help users understand what bit of knowledge they bring to the decision and how they can best apply it. But if the users don’t have anything useful to contribute, they should not be making the decision.

XP SP1 - no question mark

XP SP2

Security Decisions Run this script? Trust this site? Make a firewall exception? Share this piece of personal information? Allow user bob access? Choose a password Buy from alice? Write about my diagnosis on the forum? Open this email? Install this software? Plug Carol’s usb key into my laptop? Drop this packet?

Hard for Machines and Humans Context-dependent Require specialized knowledge Dynamic : sophisticated adversaries and emerging threats Complex risk analysis requiring Large knowledge base and rationality

Contextual Mismatch Alice: * Knows she wants to visit her bank * Doesn’t know she’s not at her bank Alice’s device: * Knows Alice is not visiting her bank * Doesn’t know that Alice believes she is at her bank

Passwords Now let’s talk about a specific usable security problem that is becoming more and more problematic as people do an increasing number of transactions online. 2.

Typical advice Pick a hard to guess password Don’t use it anywhere else Change it often Don’t write it down Common knowledge that this is advice doesn’t work

What do users do when every web site wants a password?

Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1

From http://www.interactivetools.com/staff/dave/damons_office/

By the way, use a password manager

Symbols & Metaphors One way to make security and privacy tools more usable is to use symbols and metaphors. Unfortunately, many of the symbols and metaphors used to date have been a complete failure. 3.

Cookie flag Netscape SSL icons IE6 cookie flag Firefox SSL icon Netscape open lock (only symbol to left) Netscape cookie flag and closed lock IE cookie flag Firefox closed lock, note that it puts name of site next to closed lock, no open lock

Wireless privacy Many users unaware that communications over wireless computer networks are not private Another privacy issue that my students have been looking at is wireless privacy.

Wall of sheep

Defcon 2001 Photo credit: Kyoorius @ techfreakz.org http://www.techfreakz.org/defcon10/?slide=38

Defcon 2004 Photo credit: http://www.timekiller.org/gallery/DefconXII/photo0003

Peripheral display Help users form more accurate expectations of privacy Without making the problem worse

Experimental trial 11 subjects in student workspace Data collected by survey and traffic analysis Did they refine their expectations of privacy?

Results No change in behavior Peripheral display raised privacy awareness in student workspace But they didn’t really get it

Privacy awareness increased “I feel like my information /activity / privacy are not being protected …. seems like someone can monitor or get my information from my computer, or even publish them.”

But only while the display was on “Now that words [projected on the wall] are gone, I'll go back to the same.” Students associated privacy risk with our peripheral display rather than with their use of a wireless network. So, it looks like we still have our work cut out for ourselves.

Questions to ask about a security or privacy cue Do users notice it? Do they know what it means? Do they know what they are supposed to do when they see it? Will they actually do it? Will they keep doing it? I would like to try to generalize a bit from this experience. Our words on the wall were a privacy cue. Other people are developing other types of privacy and security cues, for example to warn people about potential phishing attacks - this is something I have started working on myself. A lot of security researchers are focusing on how to identify potentially dangerous situations and provide unspoofable cues to users. This is a good first step. But we need to go beyond that and examine whether these cues are actually helpful to users. We should be asking the following questions. We can speculate on the answers, but really the only way to know is to do user studies. And to do that generally is going to require some cooperation between security and usability folks.