Anna Adams Martina Angela Sasse

Presentation transcript:

Users Are Not the Enemy. Anna Adams, Martina Angela Sasse

Overview
- Introduction
- The Study
- Users Lack Security Knowledge
- Security Needs User-Centered Design
- Motivating Users
- Users and Password Behavior
- Recommendations
- Conclusion

Introduction
- Confidentiality of computer security
- Password security
  - Identification
  - Authentication
- Password security: the key element is the crackability of the password combination
- There should be several criteria for password security

Confidentiality of computer security depends on authentication procedures. They can be broken into two parts: identification (a user ID, to identify the user) and authentication (to verify that the user owns the user ID).

Password Security
- Password composition: what types of characters are used for passwords
- Password lifetime: changing passwords frequently
- Password ownership
  - Increase individual accountability
  - Reduce illicit usage
  - Allow for an establishment of system usage
  - Reduce frequent password changes

These are some examples of criteria suggested by the US Federal Information Processing Standards. Many do not actually follow these rules: once people pick a password, they are not likely to change it. Users have different behaviors and perceptions regarding passwords.

The Study
- Web-based questionnaire
- Focused on password behaviors
- 4 factors influencing effective passwords
  - Multiple passwords
  - Password content
  - Perceived compatibility with work practices
  - Users' perceptions of organizational security and information sensitivity

This study tried to capture data on user behaviors and perceptions relating to password systems. Two groups completed web-based questionnaires, and a few people from each group did in-depth interviews. The analysis they arrived at was the 4 factors influencing effective passwords.

The Study: What was found
- Multiple passwords
  - Writing them down
  - Poor design
  - Linked passwords
- Password content
  - No feedback from security experts
  - Own rules for passwords
- Password restrictions
  - Increase password disclosures
  - Ways to circumvent restrictions

Password content: users are not aware of appropriate password content. If restrictions are placed on passwords, they could cause more password disclosures and attempts to circumvent the restrictions.

The Study: What was found (cont.)
- Compatibility between work practices and password procedures
  - Shared passwords
- Not being informed of security issues
  - Guided by what they see
- 2 main problems in password usage
  - Systems factors
  - External factors

Not being informed of security issues: users are just not aware of the dangers out there. They are not aware their actions might be tracked, and many feel that since they haven't seen attacks, attacks haven't occurred. The study identified 2 main problems. These problems are due to a lack of communication between security departments and users: users don't understand security issues, and security departments don't understand users' perceptions or tasks.

Users Lack Security Knowledge
- Need-to-know principle: the more that is known about security, the easier it is to attack
- Users not informed about
  - Password behaviors
  - Correct password content
  - Cracking
  - Security breaches (users are not told of them)

The need-to-know principle was adopted by the military.

Users Lack Security Knowledge
- Misunderstanding of the login process
  - Confuse user identification with passwords
  - Think IDs are part of the password
- Using physical attributes that don't require ID recall
  - Combine physical attributes with remote access to systems

Security Needs User-Centered Design
- To achieve good user-centered design in security mechanisms, communication with users is needed
- Security has to think about the users
- Requiring many passwords creates usability problems
- Frequently changed passwords increase disclosure
- Need to take into account passwords used out of the office

Without communication between users and security departments we have many problems.

Motivating Users
- Simplistic approach to user authentication
  - Restricts data by identification and authentication
  - Does not work well for group work
- Authoritarian approach to user authentication
  - Led to security departments' reluctance to communicate with users with regard to work practices

Motivating Users (cont.)
- Individual ownership of passwords increases accountability and decreases illicit usage of passwords
- If users perceive they are using shared passwords, this increases group responsibility and accountability
- The password mechanism has to be compatible with work practices

Motivating Users (cont.)
- Most users are security conscious; they just need to think that security is important
- Need to forget about need-to-know
  - If done, it could lead to security leaks
  - It can also motivate users about real problems
- Need to have communication between the security department and users
- This is the only area in IT in which user training is not regarded as essential

Users and Password Behavior
- Major problems with security
  - Insecure work practices
  - Low security motivation
- Personal thinking vs. drills and punishment
- Security procedures must work with user work practices
- Security departments have to see how their mechanisms are used in practice

These problems should be addressed. Low security motivation can be caused by security mechanisms that take no account of users' work practices. The paper makes suggestions for motivating users: many believe users are not motivated to adopt secure behavior, but that it can be achieved through drills and punishment.

Recommendations
- Password content
  - Provide training on usable and secure passwords
  - Provide constructive feedback on password construction
- Multiple passwords
  - Reduce the number of passwords: 4 or 5 passwords max
  - Use smart cards when multiple passwords are needed
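The "constructive feedback on password construction" recommendation is easy to state and often implemented badly (a bare "password rejected" tells the user nothing). The following is an added example, not code from the paper or from this presentation, of what constructive feedback can look like: each failed check returns a sentence that explains the problem and what to do instead, and the "linked password" check flags the behaviour the study observed, where a forced change produces a trivial variant of the old password. The length threshold, the tiny list of common words and the linkage heuristic are assumptions chosen for the demo, not values from the paper.

```python
"""Constructive password feedback (added example; not from the Adams & Sasse
paper or the slides). Thresholds, the common-word list and the linkage
heuristic are assumptions for illustration; a deployment would use its own
policy and a large breached-password list."""
import re
import string

MIN_LENGTH = 12  # assumed policy value, not from the paper

# Constructed, deliberately tiny list of words guessing tools try first.
# A tuple keeps the order of checks deterministic.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "admin", "company")


def _stem(pw: str) -> str:
    """Lower-case the password and drop any trailing digits/punctuation,
    so 'Summer2023!' and 'Summer2022!' both reduce to 'summer'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def is_linked(new: str, previous: str) -> bool:
    """True when the new password is a trivial variant of the previous one:
    identical, same stem with a different numeric/punctuation tail, or the
    old password with at most two characters added at either end."""
    if not previous:
        return False
    n, p = new.lower(), previous.lower()
    if n == p:
        return True
    if _stem(n) and _stem(n) == _stem(p):
        return True
    if len(n) >= len(p) and len(n) - len(p) <= 2 and (n.startswith(p) or n.endswith(p)):
        return True
    return False


def password_feedback(candidate: str, previous: str = "") -> list[str]:
    """Return a list of actionable suggestions; an empty list means every
    check passed. Each message says why and what to do instead."""
    tips: list[str] = []
    if len(candidate) < MIN_LENGTH:
        tips.append(f"Use at least {MIN_LENGTH} characters; a passphrase of several "
                    "unrelated words is easier to remember than a short string of symbols.")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ])
    if classes < 3:
        tips.append("Mix at least three kinds of characters (lower, upper, digits, punctuation).")
    lowered = candidate.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            tips.append(f"'{word}' is a common word that guessing tools try first; "
                        "avoid words related to the system or organisation.")
            break
    if re.search(r"(.)\1\1", candidate):
        tips.append("Avoid three or more repeated characters in a row.")
    if re.search(r"012|123|234|345|456|567|678|789|abc|bcd|cde", lowered):
        tips.append("Avoid simple sequences like '123' or 'abc'.")
    if is_linked(candidate, previous):
        tips.append("This is a small variation on your previous password; anyone who "
                    "learned the old one can guess the new one. Choose an unrelated passphrase.")
    return tips


def main() -> None:
    # Constructed sample inputs: (new password, previous password or "").
    samples = [("Welcome1", ""), ("Summer2023!", "Summer2022!"), ("correct-Horse7battery", "")]
    for new, old in samples:
        print(new, "->", password_feedback(new, old) or ["ok"])


if __name__ == "__main__":
    main()
```

The point of returning sentences rather than a boolean is that the user learns the rule at the moment they need it, which is the "training" half of the recommendation delivered at zero cost; the linked-password check is what turns a mandatory change from a paperwork exercise into an actual change of secret.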

Recommendations (cont.)
- Users' perception of security
  - System security needs to be visible to all
  - Inform users of existing and potential threats
  - Users' awareness needs to be maintained over time
  - Provide guidance as to which systems and information are sensitive, and why
- Work practices
  - Password mechanisms need to match organization and work procedures

Conclusion
- Communication between the security department and users
  - Limiting passwords
  - Creating secure passwords
  - Sharing security issues
- The users are not the enemy of security
- Users can help solve the problem

Questions?