Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usable Security (unusable security ain’t secure)

Published byShauna Bell Modified over 6 years ago

Similar presentations

Presentation on theme: "Usable Security (unusable security ain’t secure)"— Presentation transcript:

1 Usable Security (unusable security ain’t secure)
Jeff Offutt SWE 632 User Interface Design and Development Based on slides from Paul Ammann Keynote talk at SECTEST 2014 (with liberal help from Angela Sasse of UCL)

2 Outline A Poll Consequences of unusable security
Myths about usable security The path forward 12 January 2019

3 I hope you will all disagree by the time I finish today
A Poll “In the past decade our community has recognized a tension between security and usability: it is generally easy to provide more of one by offering less of the other.” Bonneau et al., Oakland S&P 2012 How many of you : Agree ? Disagree ? I hope you will all disagree by the time I finish today 12 January 2019

4 Outline A Poll Consequences of unusable security
Myths about usable security The path forward 12 January 2019

5 Unusable Security Costs Money
12 January 2019

6 Standard Security Thinking: “Users Should Make the Effort”
“An hour from each of the US’s 180 million online users is worth approximately US$2.5 billion. A major error in security thinking has been to treat users’ time—an extremely valuable resource—as free.” C. Herley, IEEE S&P Jan/Feb 2014 12 January 2019

7 Does This Really Help Security?
12 January 2019

8 Productivity Impact – Lost Sales
Not a particularly effective security measure Not usable: failure rate around 40% — so customers go elsewhere “CAPTCHAs waste 17 years of human effort every day” (Pogue, Scientific American March 2012) 12 January 2019

9 Unusable Security is Ridiculous …
12 January 2019

10 Password Recovery “A significant percentage of users use the password recovery system every time they log in to their bank account” — Security executive at a major bank 12 January 2019

11 “Through 20 years of effort, we've successfully trained everyone to design passwords that are hard for humans to remember, but easy for computers to guess.” 12 January 2019

12 Unusable Security Costs Security
User errors — even when trying to be secure Non-compliance and workarounds to get tasks done Security policies that cannot be followed make effort seem futile: “It creates a sense of paranoia and fear, which makes some people throw up their hands and say, `there’s nothing to be done about security,’ and then totally ignore it.” Expert Round Table IEEE S&P Jan/Feb 2014 12 January 2019

13 Are these legitimate users?
Noncompliance Are these legitimate users? 12 January 2019

14 Classification of Errors (Norman)
Slips Goal is correct But execution is flawed Mistakes Goal is wrong Attacks Goal is immoral, anti-social, or illegal User errors ≠ security attacks Don’t treat legitimate users like criminals 12 January 2019

15 Impact on Security – Long-Term
Increased likelihood of security breaches “Noise” created by habitual non-compliance makes malicious behavior harder to detect Lack of appreciation of and respect for security creates a bad security culture Frustration can lead to disgruntlement: intentional malicious behavior — insider attacks, sabotage 12 January 2019

16 Outline A Poll Consequences of unusable security
Myths about usable security The path forward 12 January 2019

17 Beliefs of Usable Security
These are based on a survey of security and usability professionals at several companies Belief 1 Software engineers and security experts understand usability Belief 2 Usability is the same as user interface design Belief 3 Usability is a luxury, not a necessity 12 January 2019

18 Myths of Usable Security
These are based on a survey of security and usability professionals at several companies Belief 1 Software engineers and security experts understand usability Myth 1 Software engineers and security experts understand usability Myth 2 Usability is the same as user interface design Belief 2 Usability is the same as user interface design Belief 3 Usability is a luxury, not a necessity Myth 3 Usability is a luxury, not a necessity 12 January 2019

19 Beliefs of Usable Security (2)
Making access more difficult for legitimate users also makes access more difficult for illegitimate users Belief 5 Usability and security conflict with each other Belief 6 The right process will lead to usable security 12 January 2019

20 Myths of Usable Security (2)
Making access more difficult for legitimate users also makes access more difficult for illegitimate users Belief 4 Making access more difficult for legitimate users also makes access more difficult for illegitimate users Myth 5 Usability and security conflict with each other Belief 5 Usability and security conflict with each other Belief 6 The right process will lead to usable security Myth 6 The right process will lead to usable security 12 January 2019

21 The Cost Confusion Low usable security Death Zone
Cost for authorized users Our goal is to drive this down Sweet Spot High usable security Cost for unauthorized users 12 January 2019

22 Outline A Poll Consequences of unusable security
Myths about usable security The path forward 12 January 2019

23 ? ? Pain and Consequences pain Executive Programmers Purchasing
Designers ? Users pain 12 January 2019

24 Pain and Consequences Purchasing Executive Programmers Achieving usable security requires a pain-path from the users to the designers Designers Users pain 12 January 2019

25 Technology Should be Smarter
Move from explicit to implicit authentication: Proximity sensors Car key fobs Bio-metrics Thumbprints, facial recognition, etc. Web fingerprinting Two-factor authentication 12 January 2019

26 Summary Security can only be achieved by designing security systems that are usable Unusable security ain’t secure 12 January 2019

Download ppt "Usable Security (unusable security ain’t secure)"

Similar presentations

Chapter 1  Introduction 1 Chapter 1: Introduction.

Chapter 1  Introduction 1 Chapter 1: Introduction.
Why Usable Security Matters and How Testing Can Help Achieve It SECTEST Keynote Paul Ammann March 31, 2014 1.

Why Usable Security Matters and How Testing Can Help Achieve It SECTEST Keynote Paul Ammann March 31,
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.

Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
SWE Introduction to Software Engineering

SWE Introduction to Software Engineering
1 DETERRING INTERNAL INFORMATION SYSTEMS MISUSE EECS711 : Security Management and Audit Spring 2010 Presenter : Amit Dandekar Instructor : Dr. Hossein.

1 DETERRING INTERNAL INFORMATION SYSTEMS MISUSE EECS711 : Security Management and Audit Spring 2010 Presenter : Amit Dandekar Instructor : Dr. Hossein.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
References  Cranor & Garfinkel, Security and Usability, O’Reilly  Sasse & Flechais, “Usable Security: Why Do We Need It? How Do We Get It?”  McCracken.

References  Cranor & Garfinkel, Security and Usability, O’Reilly  Sasse & Flechais, “Usable Security: Why Do We Need It? How Do We Get It?”  McCracken.
Review for Final Exam Fall 2014 Jeff Offutt SWE 632 User Interface Design and Development.

Review for Final Exam Fall 2014 Jeff Offutt SWE 632 User Interface Design and Development.
Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.

Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Paul Ammann Usability and Security CS 101© Paul Ammann1.

Paul Ammann Usability and Security CS 101© Paul Ammann1.
By Godwin Alemoh. What is usability testing Usability testing: is the process of carrying out experiments to find out specific information about a design.

By Godwin Alemoh. What is usability testing Usability testing: is the process of carrying out experiments to find out specific information about a design.
EECS 690 Moral Issues in Computing Technology. The MACIT (The Myth of Amoral Computing and Information Technology) The MACIT has many distinguishing features,

EECS 690 Moral Issues in Computing Technology. The MACIT (The Myth of Amoral Computing and Information Technology) The MACIT has many distinguishing features,
Professional Ethics and Responsibilities Part-II

Professional Ethics and Responsibilities Part-II
1 Design Principles CS461 / ECE422 Spring 2012. 2 Overview Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction.

1 Design Principles CS461 / ECE422 Spring Overview Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction.
Safe Computing Practices. What is behind a cyber attack? 1.

Safe Computing Practices. What is behind a cyber attack? 1.
Cyber security. Malicious Code Social Engineering Detect and prevent.

Cyber security. Malicious Code Social Engineering Detect and prevent.

Similar presentations

Ads by Google