Security & Usability
Charles Frank


Convenience is the Antithesis to Security
• Computer systems must employ mechanisms that are difficult to use!

Complex Mechanisms
• Hard to configure
• Hard to implement correctly
• This weakens security

Principle of Psychological Acceptability
• “It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanism correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanism he must use, mistakes will be minimized. If he must translate his image of his protection into a radically different specification language, he will make errors.”
  Jerome Saltzer & Michael Schroeder (1975)

Home Users
• No anti-virus
• No firewall
• Run as administrator
• No password
• Wireless access point without a password or with the vendor default password and without encryption
• Why?
  – Principle of Psychological Acceptability

Patching
• Update functionality or enhance security
• Patches can interfere with programs running on a system
• XP SP2
  – IIS & FTP clients & servers did not work correctly
  – Games did not work correctly
• Principle of Psychological Acceptability

Principle of Psychological Acceptability
• Complex configurations lead to errors, and the less computer-savvy the users are, the worse the security problems will be.
• “How can one create mechanisms that are easy to install, provide the protection mechanism necessary, and are unobtrusive to use, for people ranging from novice home computer users to system administrators?” – an open question

Humans & Security
• Are usability and security competing goals?
• Humans are the weakest link in the security chain.
• Security systems are social as well as technical.
• Security mechanisms require extra work. Humans find shortcuts and workarounds.

Humans & Security
• Users will find ways to evade security demands that are considered unreasonable or burdensome.
• Build systems that are safe and usable.

Usability & Security
• Security experts may reject proposals for improving usability because they might help an attacker.
  – Require passwords be changed frequently.
  – Users write them down or put a number at the end.
• Security designers should minimize the mental workload that a system creates for users.

Socially Acceptable Security
• Require users to lock their screens when they leave their desks.
  – Their office mates might think that the user does not trust them.
• People who follow security policies to the letter might be considered “paranoid” or “anal” by their peers.
• Psychological acceptability

User-Centered Security Design
• Security is a supporting task. Security must be designed to support production tasks.
• Bring together stakeholders to carry out risk analysis and to consider the practical implications of proposed security mechanisms in the context of use.

User Education
• Senior management sometimes exhibit bad security behavior. They are too important to be bothered with “petty” security policies.
• Organizations must integrate security into their business process for users to care about protecting assets and exhibiting good security behavior.

References
• Security and Usability: Designing Secure Systems That People Can Use, ed. Lorrie Faith Cranor & Simson Garfinkel, O’Reilly
• Matt Bishop, “Psychological Acceptability Revisited”
• M. Angela Sasse & Ivan Flechais, “Usable Security”
• Bruce Tognazzini, “Design for Usability”