05-899/ Usable Privacy and Security Colleen Koranda February 7, 2006 Usable Privacy and Security I

KorandaCarnegie Mellon University2  Chapter 1: Psychological Acceptability Revisited  Chapter 2: The Case for Usable Security  Chapter 3: Design for Usability  Chapter 32: Users are not the Enemy Usable Privacy and Security I

KorandaCarnegie Mellon University3 Usable Security  The user side…  A secure system has to be complicated and complex; thus, difficult to use  The Need to Know Principle  The more that is known about security the easier it is to attack  Users know little about security  Lack of knowledge makes it less secure  Humans are the weakest link in the security chain  Hackers pay attention to human element in security to exploit it

KorandaCarnegie Mellon University4 Usable Security  Why are security products ineffective?  Users do not understand the importance of data, software, and systems  Users do not see that assets are at risk  Users do not understand that their behavior is at risk

KorandaCarnegie Mellon University5 Usable Security  Why are security products ineffective?  Users do not understand the importance of data, software, and systems  Users do not see that assets are at risk  Users do not understand that their behavior is at risk

KorandaCarnegie Mellon University6 Approach #1  Educate the user  Today’s educational topic: passwords

KorandaCarnegie Mellon University7 What makes a Good Password?

KorandaCarnegie Mellon University8 Suggestions for Creating Passwords  Interject random characters within a word  confine = cOn&fiNe  Deliberately misspell a word  helium = healeum  Make an acronym  I’ve fallen, and I can’t get up = If,alcgu  Use numbers and sounds of letters to make words  I am the one for you = imd14u  Combine letters from multiple words  Laser and implosion = liamspel

KorandaCarnegie Mellon University9

KorandaCarnegie Mellon University10

KorandaCarnegie Mellon University11 How Long does it take to Crack a Password?  Brute force attack  Assuming 100,000 encryption operations per second  FIPS Password Usage  Passwords shall have maximum lifetime of 1 year Password Length

KorandaCarnegie Mellon University12 Education Results  Educating users does not automatically mean they will change their behavior  Why?  users do not believe they are at risk  users do not think they will be accountable for not following security regulations  security mechanisms can conflict with social norms  security behavior conflicts with self-image

KorandaCarnegie Mellon University13 Motivation  Users are motivated if care about what is being protected -and-  Users understand how their behavior can put assets at risk

KorandaCarnegie Mellon University14 Motivation  How can motivation be accomplished?  Security should not be a ‘firefighting’ response  Organizations must become active in security  Approach #2 – Design a Usable System

KorandaCarnegie Mellon University15 Design a Usable System  User centered design is critical in system security  Password mechanisms should be compatible with work practices  Change regime and spiraling effect:  I cannot remember my password. I have to write it down. Everyone knows it’s on a Post-it in my drawer, so I might as well stick it on the screen and tell everyone who wants to know  Passwords that are memorable are not secure

KorandaCarnegie Mellon University16 How to Design a Usable & Secure System?  Current problem  Lack of communication between users and security departments  Solution  Product: actual security mechanisms  Process: how decisions are made  Panorama: the context of security

KorandaCarnegie Mellon University17 Product  Password Considerations  Meaning increases memorability  Are often less secure  How do you make a password easy to remember but hard to guess?  Passwords that change over time  Can decrease memorability  Can increase security?  System generated passwords  Can be more inherently secure  Are less memorable  Passwords are often used infrequently  How can they be remembered?

KorandaCarnegie Mellon University18 Process  Security tasks must be designed to support production tasks  AEGIS process  gathering participants  identifying assets  modeling assets in context of operation  security requirements on assets  risk analysis  designing security of the system  Benefits of involving stakeholders  increased awareness of security  security aspects become much more accessible and personal  provide a simple model through security properties of the system

KorandaCarnegie Mellon University19 Panorama  Security tasks must take into account the environment  Education  Teaching concepts and skills  Training  Change behavior through drills, monitoring, feedback, reinforcement  Focus should be on correct usage of security mechanisms  Should encompass all staff, not only those with immediate access to systems deemed at risk  Attitudes  Role models

KorandaCarnegie Mellon University20 Activity  Groups will explore how to solve a problem related to passwords with a given scenario  The goal is to make suggestions for a secure system that users will comply with  Simply saying ‘educate and train users’ is not enough to make a convincing argument  Weigh the pros and cons of decisions you make  Refer to the design checklist (p42)

KorandaCarnegie Mellon University21 Summary  Users need to be informed about security issues  Majority of users are security conscious if they see the need for the behavior  The key to all security efforts is a balance between security and usability

KorandaCarnegie Mellon University22 Bibliography  Security and Usability  Chapter 1: Psychological Acceptability Revisited  Chapter 2: The Case for Usable Security  Chapter 3: Design for Usability  Chapter 32: Users are not the Enemy      