Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security and Usability

Published byMarjorie Bailey Modified over 6 years ago

Similar presentations

Presentation on theme: "Security and Usability"— Presentation transcript:

1 Security and Usability
Rachel Greenstadt February 15, 2016 Slide credits Lorrie Cranor

2 Announcements Midterm available Project 1 due next Thursday
Mean 72, Median 75, STDev 15 Very bimodal distribution Project 1 due next Thursday I’m away next week Tues: guest lecture from Russell Handorf, FBI Thurs: discussion led by Kevin

3 A security professional’s view of humans...
“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)” Network Security: PRIVATE Communication in a PUBLIC World Charlie Kaufman, Radia Perlman + Mike Speciner Prentice Hall 1995

4 On the other hand…

5 The Attacker’s Perspective

6 security/privacy researchers and system developers
But until recently, security and privacy researchers weren’t paying a whole of attention to what users wanted. Security folks worked in one department, while HCI folks worked in a different department, and they didn’t really talk much. But that is starting to change. human computer interaction researchers and usability professionals

7 How do you stay safe online?

8 Unusable security & privacy
Unpatched Windows machines compromised in minutes Phishing web sites increasing by 28% each month Most PCs infected with spyware (avg. = 25) Users have more passwords than they can remember and practice poor password security Enterprises store confidential information on laptops and mobile devices that are frequently lost or stolen

9 - Computing Research Association 2003
Grand Challenge “Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.” - Computing Research Association 2003

10 Experts recommend…

11 POP! Firewalls Antivirus software Spam filters Pop-up blockers
Cookie managers Spyware removers encryption software if you have kids, adult content filters, and if you want to cover your tracks, anonymity tools

12 After installing all that security and privacy software

13 Do you have any time left to get any work done?

14 Secondary tasks Security and privacy are secondary tasks
Nobody buys a computer so they can spend time securing it. Time we spend configuring security and privacy tools is time we are not spending doing what we really want to be doing with our computers

15 Approaches to usable security
Make it “just work” Invisible security Make security/privacy understandable Make it visible Make it intuitive Use metaphors that users can relate to Train the user

16 Make decisions Developers should not expect users to make decisions they themselves can’t make Many pieces of software contain prompts in which the developers ask users to make a security-related decision. Blake Ross suggests that - Before coding up such questions, software developers should ask themselves a question: if I can’t figure it out, how are users supposed to? What additional qualifications do users possess that will help them arrive at a better conclusion? (From Blake Ross’ book chapter)

17 Present choices, not dilemmas
- Chris Nodder (in charge of user experience for XP SP2) Chris Nodder, who was in charge of user experience for MS XP SP2, puts it this way: “Present choices, not dilemmas.” If the user doesn’t have any insights into how to answer a question, it is a dilemma, not a decision. There are some situations where users possess some additional contextual knowledge or personal preferences that may allow them to make a better decision than the implementer could make in advance. In those cases, UIs are needed that will help users understand what bit of knowledge they bring to the decision and how they can best apply it. But if the users don’t have anything useful to contribute, they should not be making the decision.

18 XP SP1 - no question mark

19 XP SP2

20 Security Decisions Run this script? Trust this site?
Make a firewall exception? Share this piece of personal information? Allow user bob access? Choose a password Buy from alice? Write about my diagnosis on the forum? Open this ? Install this software? Plug Carol’s usb key into my laptop? Drop this packet?

21 Hard for Machines and Humans
Context-dependent Require specialized knowledge Dynamic : sophisticated adversaries and emerging threats Complex risk analysis requiring Large knowledge base and rationality

22 Contextual Mismatch Alice: * Knows she wants to visit her bank
* Doesn’t know she’s not at her bank Alice’s device: * Knows Alice is not visiting her bank * Doesn’t know that Alice believes she is at her bank

23 Passwords Now let’s talk about a specific usable security problem that is becoming more and more problematic as people do an increasing number of transactions online. 2.

24 Typical advice Pick a hard to guess password
Don’t use it anywhere else Change it often Don’t write it down Common knowledge that this is advice doesn’t work

25 What do users do when every web site wants a password?

26 Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1

27 From http://www.interactivetools.com/staff/dave/damons_office/

28 By the way, use a password manager

29 Symbols & Metaphors One way to make security and privacy tools more usable is to use symbols and metaphors. Unfortunately, many of the symbols and metaphors used to date have been a complete failure. 3.

30 Cookie flag Netscape SSL icons IE6 cookie flag Firefox SSL icon
Netscape open lock (only symbol to left) Netscape cookie flag and closed lock IE cookie flag Firefox closed lock, note that it puts name of site next to closed lock, no open lock

31 Wireless privacy Many users unaware that communications over wireless computer networks are not private Another privacy issue that my students have been looking at is wireless privacy.

32 Wall of sheep

33 Defcon 2001 Photo credit: techfreakz.org

34 Defcon 2004 Photo credit:

35 Peripheral display Help users form more accurate expectations of privacy Without making the problem worse

36

37 Experimental trial 11 subjects in student workspace
Data collected by survey and traffic analysis Did they refine their expectations of privacy?

38 Results No change in behavior
Peripheral display raised privacy awareness in student workspace But they didn’t really get it

39 Privacy awareness increased
“I feel like my information /activity / privacy are not being protected …. seems like someone can monitor or get my information from my computer, or even publish them.”

40 But only while the display was on
“Now that words [projected on the wall] are gone, I'll go back to the same.” Students associated privacy risk with our peripheral display rather than with their use of a wireless network. So, it looks like we still have our work cut out for ourselves.

41 Questions to ask about a security or privacy cue
Do users notice it? Do they know what it means? Do they know what they are supposed to do when they see it? Will they actually do it? Will they keep doing it? I would like to try to generalize a bit from this experience. Our words on the wall were a privacy cue. Other people are developing other types of privacy and security cues, for example to warn people about potential phishing attacks - this is something I have started working on myself. A lot of security researchers are focusing on how to identify potentially dangerous situations and provide unspoofable cues to users. This is a good first step. But we need to go beyond that and examine whether these cues are actually helpful to users. We should be asking the following questions. We can speculate on the answers, but really the only way to know is to do user studies. And to do that generally is going to require some cooperation between security and usability folks.

Download ppt "Security and Usability"

Similar presentations

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Identity Federation: Some Challenges and Thoughts OGF 19 Jan 30, 2007 Von Welch

Identity Federation: Some Challenges and Thoughts OGF 19 Jan 30, 2007 Von Welch
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
CyLab Usable Privacy and Security Laboratory 1 C yLab U sable P rivacy and S ecurity Laboratory Introduction.

CyLab Usable Privacy and Security Laboratory 1 C yLab U sable P rivacy and S ecurity Laboratory Introduction.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.
Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.

Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.
Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Understanding the Human in.

Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Understanding the Human in.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
Safer Web Browsing Terry Labach Information Security Services IST.

Safer Web Browsing Terry Labach Information Security Services IST.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Alisha Horsfield INTERNET SAFETY. firewall Firewall- a system made to stop unauthorised access to or from a private network Firewalls also protects your.

Alisha Horsfield INTERNET SAFETY. firewall Firewall- a system made to stop unauthorised access to or from a private network Firewalls also protects your.
Security 101 Harper P. Johnson Information Technology Services Director of Information Security.

Security 101 Harper P. Johnson Information Technology Services Director of Information Security.
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
Staying Safe Online Keep your Information Secure.

Staying Safe Online Keep your Information Secure.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may. 2010 University of Palestine.

Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
Practising Safer Web Browsing Terry Labach Information Security Services IST February 17, 2012.

Practising Safer Web Browsing Terry Labach Information Security Services IST February 17, 2012.
Session 7 LBSC 690 Information Technology Security.

Session 7 LBSC 690 Information Technology Security.
Another perspective on Network Security Network Security Essentials: Applications and Standards, 4/E William Stallings ISBN-10: 0136108059 ISBN-13: 9780136108054.

Another perspective on Network Security Network Security Essentials: Applications and Standards, 4/E William Stallings ISBN-10: ISBN-13:

Similar presentations

Ads by Google