1
Users Are Not the Enemy
Anna Adams, Martina Angela Sasse
2
Overview
- Introduction
- The Study
- Users Lack Security Knowledge
- Security Needs User-Centered Design
- Motivating Users
- Users and Password Behavior
- Recommendations
- Conclusion
3
Introduction
- Confidentiality of computer security
  - Identification
  - Authentication
- Password Security
  - Key element is the crackability of the password combination
  - Should have several criteria for password security

Confidentiality of computer security depends on authentication procedures. They can be broken into two parts:
- Identification: the user ID, to identify the user
- Authentication: to verify that the user owns the user ID
4
Password Security
- Password composition
  - What type of characters are used for passwords
- Password lifetime
  - Changing passwords frequently
- Password ownership
  - Increase individual accountability
  - Reduce illicit usage
  - Allow for an establishment of system usage
  - Reduce frequent password changes

These are some examples of criteria suggested by the US Federal Information Processing Standards. Many do not follow these rules; in practice, once people pick a password they are not likely to change it. Users have different behaviors and perceptions regarding passwords.
5
The Study
- Web-based questionnaire
  - Focused on password behaviors
- 4 factors influencing effective passwords
  - Multiple passwords
  - Password Content
  - Perceived compatibility with work practices
  - Users' perceptions of organizational security and information sensitivity

This study tried to capture data on user behaviors and perceptions relating to password systems. Two groups completed web-based questionnaires, and a few people from each group gave in-depth interviews. The analysis arrived at the 4 factors influencing effective passwords.
6
The Study: What was found
- Multiple passwords
  - Writing them down
  - Poor design
  - Linked passwords
- Password Content
  - No feedback from security experts
  - Own rules for passwords
  - Password restrictions
    - Increase password disclosures
    - Ways to circumvent restrictions

Password Content: users are not aware of appropriate password content. If restrictions are placed, this could cause more password disclosures and attempts to circumvent the restrictions.
7
The Study: What was found cont.
- Compatibility between work practices and password procedures
  - Shared passwords
- Not being informed of security issues
  - Guided by what they see
- 2 main problems in password usage
  - System factors
  - External factors

Not being informed of security issues: users are just not aware of the dangers out there. They are not aware that their actions might be tracked, and many feel that since they haven't seen attacks, they haven't occurred.

The study identified 2 main problems. These problems are due to a lack of communication between security departments and users: users don't understand security issues, and security departments don't understand users' perceptions or tasks.
8
Users Lack Security Knowledge
- Need-to-know principle
  - The more that is known about security, the easier it is to attack
- Users not informed
  - Password behaviors
  - Correct password content
  - Cracking
- Not told of security breaches

Need-to-know principle adopted by the military.
9
Users Lack Security Knowledge
- Misunderstanding of login process
  - Confuse user identification with passwords
  - Think IDs are part of password
- Using physical attributes that don't require ID recall
- Combine physical attributes with remote access to systems
10
Security Needs User-Centered Design
- To achieve good user-centered design in security mechanisms, communication with users is needed
- Security has to think about the users
- Requiring many passwords creates usability problems
- Frequently changed passwords increase disclosure
- Need to take into account passwords used out of the office

Without communication between users and security departments we have many problems.
11
Motivating Users
- Simplistic approach to user authentication
  - Restricts data by identification and authentication
  - Does not work well for group work
- Authoritarian approach to user authentication
  - Led to security departments' reluctance to communicate with users with regard to work practices
12
Motivating Users cont.
- Individual ownership of passwords increases accountability and decreases illicit usage of passwords
- If users perceive they are using shared passwords, this increases the group's responsibility and accountability
- Password mechanism has to be compatible with work practices
13
Motivating Users cont.
- Most users are security conscious; they just need to think that security is important
- Need to forget about Need-to-Know
  - If done could lead to security leaks
  - Can also motivate users of real problems
- Need to have communication between security department and users

This is the only area in IT in which user training is not regarded as essential.
14
Users and Password Behavior
- Major problems with security
  - Insecure work practices
  - Low security motivation
- Personal thinking vs. drills and punishment
- Security procedures must work with user work practices
- Security departments have to see how their mechanisms are used in practice

These problems should be addressed. Low security motivation can be caused by security mechanisms that take no account of users' work practices. Suggestions made by the paper to motivate users. Many believe users are not motivated to adopt secure behavior but that this can be done through drills and punishment.
15
Recommendations
- Password Content
  - Provide training on usable and secure passwords
  - Provide constructive feedback on password construction
- Multiple Passwords
  - Reduce number of passwords
  - 4 or 5 passwords max
  - Smart cards when using multiple passwords
16
Recommendations cont.
- Users' Perception of Security
  - System security needs to be visible to all
  - Inform users of existing and potential threats
  - Users' awareness needs to be maintained over time
  - Provide guidance as to which systems and information are sensitive and why
- Work Practices
  - Password mechanisms need to match organization and work procedures
17
Conclusion
- Communication between security department and users
- Limiting passwords
- Creating secure passwords
- Sharing security issues
- The users are not the enemy of security
- Users can help solve the problem

Questions?