ISPAB Panel on Usable Security Mary Frances Theofanos - NIST Ellen Cram Kowalczyk - Microsoft.

Slides:



Advertisements
Similar presentations
Building Secure Mashups D. K. Smetters PARC Usable.
Advertisements

Helping our customers keep their computers safe.  Using your pet’s, business, family, friend’s names  Using number or letter sequences (0123, abcd)
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
Project management Project manager must;
SECURITY CHECK Protecting Your System and Yourself Source:
INTERNET SAFETY FOR EVERYONE A QUICK AND EASY CRASH COURSE.
What is identity theft, and how can you protect yourself from it?
Cyber bullying and internet safety Parents meeting: staying safe online.
15 Tactical Improvements to IT Security Virtual Keyboard, Two Factor Authentication, Active Confirmation and FAA Access to CPS Online Ganesh Reddy.
The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.
Acceptable Use Policy –The Acceptable Use Policy defines the rules of the machine and internet connection you are on. –Specific policies differ by machine.
Top of Content Box Line Subtitle Line Title Line Right Margin Line Wearables: Panacea or Pandora’s Box – A Security Perspective Gary Davis | Chief Consumer.
Next Generation Two Factor Authentication. Laptop Home / Other Business PC Hotel / Cyber Café / Airport Smart Phone / Blackberry 21 st Century Remote.
Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
SOA Security Chapter 12 SOA for Dummies. Outline User Authentication/ authorization Authenticating Software and Data Auditing and the Enterprise Service.
Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
Viruses & Security Threats Unit 1 – Understanding Computer Systems JMW 2012.
Securing Information Systems
Social impacts of the use of it By: Mohamed Abdalla.
Internet Safety By Stephanie Jarrard. What is the Internet?  “Internet” is a shortened name for “Interconnected networks”  The internet is a global.
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
National Energy Research Scientific Computing Center (NERSC) Computer Security – The New Threats Stephen Lau NERSC Center Division, LBNL June 24, 2004.
The Future of Information Security Awareness Kelley Archer: Facilitator - Director Information Security, AIMIA Inc. Aaron Cohen: Managing Partner, MAD.
Masud Hasan Secue VS Hushmail Project 2.
Personal Safety Unit - Level 7. The Internet is not anonymous. Your address, screen name, and password serve as barriers between you and others.
Threat to I.T Security By Otis Powers. Hacking Hacking is a big threat to society because it could expose secrets of the I.T industry that perhaps should.
IT security By Tilly Gerlack.
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely presents:
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
Troubleshooting Windows Vista Security Chapter 4.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Rebecca Pritchard.
Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.
BTT12OI.  Do you know someone who has been scammed online? What happened?  Been tricked into sending someone else money (not who they thought they were)
Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin
Mary Theofanos Visualization & Usability Group Information Access Division Information Technology Laboratory PIV Pilot Usability Lessons Learned.
Free, online, technical courses Take a free online course. Microsoft Virtual Academy.
Virus Assignment JESS D. How viruses affect people and businesses  What is a virus? A computer virus is a code or a program that is loaded onto your.
CSCE 201 Identification and Authentication Fall 2015.
Cybersecurity Test Review Introduction to Digital Technology.
Introduction: Introduction: As technology advances, we have cheaper and easier ways to stay connected to the world around us. We are able to order almost.
ONLINE SECURITY Tips 1 Online Security Online Security Tips.
Catching Phish. If I went fishing what would I be doing? On the Internet fishing (phishing) is similar! On the internet people might want to get your.
Avoiding Frauds and Scams Barbara Martin-Worley Director, Consumer Fraud Protection 18 th Judicial District Attorney’s Office Serving Arapahoe, Douglas,
A l a d d I n. c o m Strong Authentication and Beyond Budai László, IT Biztonságtechnikai tanácsadó.
The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.
Hotspot Shield Protect Your Online Identity
Information Security.
9/4/2018 6:45 PM Secure your Office 365 environment with best practices recommended for political campaigns Ethan Chumley Campaign Technology Advisor Civic.
Cybersecurity Awareness
Information Security Awareness 101
Information is at the heart of any University, and Harvard is no exception. We create it, analyze it, share it, and apply it. As you would imagine, we.
Red Flags Rule An Introduction County College of Morris
Setting up an online account
12/5/2018 2:50 AM How to secure your front door with real-time risk assessments of your logons Jan Ketil Skanke COO and Principal Cloud Architect CloudWay.
The main cause for that are the famous phishing attacks, in which the attacker directs users to a fake web page identical to another one and steals the.
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
The Dark Side of the Internet
Preparing for the Windows 8. 1 MCSA Module 6: Securing Windows 8
Cybersecurity Simplified: Phishing
Presentation transcript:

ISPAB Panel on Usable Security Mary Frances Theofanos - NIST Ellen Cram Kowalczyk - Microsoft

What is Usable Security Usable Security is taking into account that the user is often the most important part of a security solution – Set a strong password and keep it secret – Keep smartcards in a secure place – Don’t download suspicious files – Update your system (or don’t turn off updating) – Don’t put unknown thumb drives, disks, etc. into your machine

Why do we need Usable Security User Experiences? People not working in the evening because smartcard left in car Passwords: different rules, expected to use unique passwords yet not write them down. BitLocker is more secure with PIN, but had to back down as to difficult for users. Some organizations backed out of BitLocker all together due to usability/support concerns. Didn’t consider issues with Virtual machines when requiring screensavers, and many users opted out. Policies around erasing mobile phones after a small number of access attempts lead to longer locking windows and easier passwords.

Current NIST Usable Security Work Policy makers often have very little usability data when they make security policy. NIST goal: Trying to provide them with usability data in conjunction with the security data that they have so that they can make an informed policy. – Passwords (survey of feds about passwords – there may be plenty of research on private sector but no data on feds so we are collecting it. – Password policies – again we are looking at how policies are presented to users – the ambiguities and inconsistencies across agencies … and what this means to users – PIV ( smartcard implementations) just completed a pilot – how do you move to card and pin or card and biometric, what are the implications what does this mean to user behavior, user acceptance, productivity, – RSA tokens – what does this mean to productivity … – We are looking at users perception of risk and awareness of cyber security – and threat models.

Current MSFT Usable Security Work Usable Security in Products – Smart Screen in IE: Constantly tuning to keep users from hurting themselves – Office: intelligence around whether a user trusts a file Usable Security Research – Access control – Warnings – Secondary authentication – Identity Models – Quantified User Harm Metrics Usable Security Guidance – Guidance for warnings and prods focused on: Architecting so you can avoid asking the user Providing clear explanations and testing them – Starting work on UX Convention guidance Icons, calling out verified vs. unverified data

Usable Security Challenges Many assumptions and anecdotes about how users are harmed by bad security usability, but little concrete data – Pockets of data on specific user bases, but significant variance and only partial coverage Easy to spot issues, often don’t have a good solution – Often what’s in place is the best known solution, but has major drawbacks Spoofing is very difficult to solve – Very little that a genuine product or solution can do that the attacker can’t – User’s aren’t focused on spotting the counterfeit, they want to get their job done Fundamentally, users will work around anything necessary to get their job done – Usable security has to get them to where they need to go, not just block unsafe actions.

Wish List - Research User’s Security Mental Model – Need a better understanding of how users perceive online security, and why they make the decisions they do. Quantified User Harm – Need quantifiable data about how users are actually getting malware, phished – This will provide prioritization of other research/solutions, allow measurement of success over time Usable Online Identity – Scalable (not 100 unique passwords) – Prevention of phishing/ID theft – Enablement of scenarios without encouraging over-collection of data Spoofing – Government and private companies need a way of communicating with people in a way that they can trust – Need a way to spot when user is being misdirected, help them find the site they want. Distributed Trust Model – Having users verify sites isn’t scalable – Current certificate model is too open – even malware is often signed, users don’t have relationship with signing companies – Need a model that enables users to establish trust with parties who can verify sites in a scalable way.

Wish List – Security Solutions and Policies Consider how a user will use a security solution or policy before putting it into place – What is their mental model of what’s going on? – What are the reasons the user might try to work around the solution or policy? – What can you do in the architecture to make the solution easier for the user? Determine ways your solution might be spoofed and address them Test security changes and policies on real people before deploying this may require research into finding ways to quickly do research on new policies as they are being formed. Fundamentally: Help users do right thing, and when they do the wrong thing, help them recover.

Call To Action Encourage/fund research in usable security Ensure usability is considered in security solutions and security policies. Evangelize the need for usability in security. We can’t meet the cyber- security challenge without usable solutions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.