Usable Privacy and Security, Carnegie Mellon University, Spring 2007, Cranor/Hong
User Studies Motivation, January 30, 2007

How do we know whether security is usable?

Need to observe users
- We are not our users! (You may be surprised by what users really do.)

Wireless privacy study
- Many users are unaware that communications over wireless computer networks are not private
- How can we raise awareness?
- B. Kowitz and L. Cranor. Peripheral Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA.

Wall of sheep
Photo credit: techfreakz.org, Defcon 2001
Photo credit: Defcon 2004

Peripheral display
- Help users form more accurate expectations of privacy
- Without making the problem worse

Experimental trial
- Eleven subjects in a student workspace
- Data collected by survey and traffic analysis
- Did they refine their expectations of privacy?

Results
- No change in behavior
- Peripheral display raised privacy awareness in the student workspace
- But they didn't really get it

Privacy awareness increased
"I feel like my information / activity / privacy are not being protected .... seems like someone can monitor or get my information from my computer, or even publish them."

But only while the display was on
"Now that words [projected on the wall] are gone, I'll go back to the same."

Security and privacy indicators

Evaluating indicators
Case study: Privacy Bird

Platform for Privacy Preferences (P3P)
- 2002 W3C Recommendation
- XML format for Web privacy policies
- Protocol enables clients to locate and fetch policies from servers

Privacy Bird
- P3P user agent
- Free download
- Compares user preferences with P3P policies
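As an added illustration (not part of the lecture and not Privacy Bird's own code), the following simplified checker does what the slide describes: it parses a P3P 1.0 policy and reports every statement whose purposes or recipients conflict with the user's preferences. The element and data-ref names are from the P3P specification; the policy is constructed for this example and the flat preference format is a hypothetical stand-in for Privacy Bird's APPEL rule sets.

```python
import xml.etree.ElementTree as ET

# Constructed sample P3P 1.0 policy (not any real site's). Its second statement uses
# name and phone number for telemarketing and shares them with unrelated parties.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="demo" discuri="http://example.invalid/privacy">
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT><RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><current/><telemarketing/></PURPOSE>
   <RECIPIENT><ours/><unrelated/></RECIPIENT><RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#user.name.given"/><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# Hypothetical user preferences, a simplified stand-in for Privacy Bird's APPEL rules:
# for data refs with these prefixes, the listed purposes and recipients are unacceptable.
PREFERENCES = [
    {"data": ("#user.", "#business."), "purposes": {"telemarketing", "contact"},
     "recipients": {"unrelated", "public", "other-recipient"}},
    {"data": ("#dynamic.",), "purposes": {"individual-analysis", "individual-decision"},
     "recipients": {"unrelated", "public"}},
]

def _local(tag):
    """Strip the P3P namespace so elements compare by local name."""
    return tag.rsplit("}", 1)[-1]

def _names(stmt, section):
    """Names of the empty elements (e.g. 'telemarketing') inside a PURPOSE or RECIPIENT."""
    return {_local(c.tag) for s in stmt if _local(s.tag) == section for c in s}

def evaluate_policy(policy_xml, preferences):
    """Return the list of mismatches; an empty list is the 'policy matches' (green bird) case."""
    mismatches = []
    root = ET.fromstring(policy_xml)
    for stmt in (e for e in root.iter() if _local(e.tag) == "STATEMENT"):
        refs = [d.get("ref", "") for g in stmt if _local(g.tag) == "DATA-GROUP" for d in g]
        for rule in preferences:
            hit = ", ".join(r for r in refs if r.startswith(rule["data"]))
            if not hit:  # this rule does not cover the data collected by this statement
                continue
            for p in sorted(_names(stmt, "PURPOSE") & rule["purposes"]):
                mismatches.append(f"{p} use of {hit}")
            for r in sorted(_names(stmt, "RECIPIENT") & rule["recipients"]):
                mismatches.append(f"{hit} shared with {r}")
    return mismatches
```

Note that the check only evaluates what the site declares; as the critique slide that follows points out, a policy can lie, so a matching result is a statement about the declared policy, not about the site's actual behaviour.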

Critique Privacy Bird
Security people:
- Can attackers spoof it?
- What if the P3P policy contains lies?
- Can P3P policies be digitally signed?
- What about man-in-the-middle attacks?
Usability people:
- Green/red color-blind problem
- Do people notice it in the corner of the browser?
- Do people understand the privacy implications?
- Why a bird?

Typical security evaluation

Does it behave correctly when not under attack?
- No false positives or false negatives

Anti-phishing tools
Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish: Evaluating Anti-Phishing Tools. In Proceedings of NDSS 2006, forthcoming.

Does it behave correctly when under attack?
- Can attackers cause the wrong indicator to appear?

Correct indicator vs. wrong indicator: attacker redirects through a CDN

Can it be spoofed or obscured?
- Can an attacker provide an indicator users will rely on instead of the real indicator?


Usability evaluation

C-HIP Model
Communication-Human Information Processing (C-HIP) Model
Wogalter, M. Communication-Human Information Processing (C-HIP) Model. In Wogalter, M., ed., Handbook of Warnings. Lawrence Erlbaum Associates, Mahwah, NJ.

Do users notice it?
- If users don't notice the indicator, all bets are off
- "What lock icon?" Few users notice the lock icon in browser chrome, https, etc.
- C-HIP model: Attention switch, attention maintenance


Do users know what it means?
- Web browser lock icon: "I think that it means secured, it symbolizes some kind of security, somehow."
- Web browser security pop-up: "Yeah, like the certificate has expired. I don't actually know what that means."
- C-HIP Model: Comprehension/Memory
- J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, July 2006, Pittsburgh, PA.

Netscape SSL icons; cookie flag; IE6 cookie flag; Firefox SSL icon

Privacy Bird icons
- Privacy policy matches user's privacy preferences
- Privacy policy does not match user's privacy preferences


Do users know what to do when they see it?
- C-HIP Model: Comprehension/Memory


Do users believe the indicator?
- "Oh yeah, I have [seen warnings], but funny thing is I get them when I visit my [school] websites, so I get told that this may not be secure or something, but it's my school website so I feel pretty good about it."
- C-HIP Model: Attitudes/Beliefs

Are users motivated to take action?
- May view the risk as minimal
- May find the recommended action too inconvenient or difficult
- C-HIP Model: Motivation

Do they actually do it?
- "I would probably experience some brief, vague sense of unease and close the box and go about my business."
- C-HIP Model: Behavior


Do they keep doing it?
- Difficult to measure in a laboratory setting
- Need to collect data on users in their natural environment over an extended period of time
- C-HIP Model: Behavior

How does it interact with other indicators?
- Indicator overload?


Summary: Security evaluation
- Does the indicator behave correctly when not under attack? No false positives or false negatives
- Does the indicator behave correctly when under attack? Can attackers cause the wrong indicator to appear?
- Can the indicator be spoofed or obscured? Can an attacker provide an indicator users will rely on instead of the real indicator?

Summary: Usability evaluation
- Do users notice it?
- Do they know what it means?
- Do they know what they are supposed to do when they see it?
- Do they believe it?
- Are they motivated to do it?
- Will they actually do it?
- Will they keep doing it?
- How does it interact with other indicators?