Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.


1 Course Overview, January 16, 2007. Usable Privacy and Security, Carnegie Mellon University, Spring 2007, Cranor/Hong. http://cups.cs.cmu.edu/courses/ups-sp07/

2 Outline
-Review syllabus and course policies
-Distribute survey
-Introduction to usable privacy and security
-Faculty research overview
-Introduce students


4 Syllabus: http://cups.cs.cmu.edu/courses/ups-sp07/
-Course numbers
-Grading: Homework (25%) - due at 3:15pm; Lecture (25%); Project (50%)
-Textbook and readings
-Schedule

5 Survey: Please fill out the course survey and bring it with you to class on Thursday

6 Unusable security & privacy
-Unpatched Windows machines compromised in minutes
-Phishing web sites increasing by 28% each month
-Most PCs infected with spyware (avg. = 25)
-Users have more passwords than they can remember and practice poor password security
-Enterprises store confidential information on laptops and mobile devices that are frequently lost or stolen

7 Grand Challenge: “Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.” - Computing Research Association 2003

8 Just work

9
-security/privacy researchers and system developers
-human computer interaction researchers and usability professionals

10 Mark your calendar for SOUPS 2007 - July 18-20 at CMU http://cups.cs.cmu.edu/soups/

11 The user experience

12 How do users stay safe online?

13 POP!

14 After installing all that security and privacy software

15 Do you have any time left to get any work done?

16 Secondary tasks

17 “Users do not want to be responsible for, nor concern themselves with, their own security.” - Blake Ross

18 Concerns may not be aligned
-Security experts are concerned about the bad guys getting in
-Users may be more concerned about locking themselves out

19 Grey: Smartphone-based access-control system
-Deployed in CMU building with computer security faculty and students
-Nobody questions that the security works
-But lots of concerns about getting locked out
L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea. Lessons Learned from the Deployment of a Smartphone-Based Access-Control System. Technical Report CMU-CyLab-06-016, CyLab, Carnegie Mellon University, October 2006. http://www.cylab.cmu.edu/default.aspx?id=2244

20 Secure, but usable?

21 Unusable security frustrates users

22 Typical password advice
-Pick a hard-to-guess password
-Don’t use it anywhere else
-Change it often
-Don’t write it down

23 What do users do when every web site wants a password?

24
Bank = b3aYZ
Amazon = aa66x!
Phonebill = p$2$ta1


26 Approaches to usable security
-Make it “just work”
  -Invisible security
-Make security/privacy understandable
  -Make it visible
  -Make it intuitive
  -Use metaphors that users can relate to
-Train the user

27 Make it “just work”

28 This makes users very happy (but it’s not that easy)

29 Make decisions
-Developers should not expect users to make decisions they themselves can’t make

30 Make security understandable

31 “Present choices, not dilemmas” - Chris Nodder (in charge of user experience for Windows XP SP2)


33 Train the user

34 Training people not to fall for phish
-Laboratory study of 28 non-expert computer users
-Asked to evaluate 10 web sites, take a 15 minute break, evaluate 10 more web sites
-Experimental group read web-based training materials during the break, control group played solitaire
-Experimental group performed significantly better at identifying phish after training
-People can learn from web-based training materials, if only we could get them to read them!

35 How do we get people trained?
-Most people don’t proactively look for training materials on the web
-Many companies send “security notice” emails to their employees and/or customers
  -But these tend to be ignored
  -Too much to read
  -People don’t consider them relevant

36 Embedded training
-Can we “train” people during their normal use of email to avoid phishing attacks?
-Periodically, people get sent a training email
-Training email looks like a phishing attack
-If the person falls for it, an intervention warns them and highlights what cues to look for, in a succinct and engaging format
P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CyLab Technical Report CMU-CyLab-06-017, 2006. http://www.cylab.cmu.edu/default.aspx?id=2253

37 Diagram intervention

38 Explains why they are seeing this message

39 Explains how to identify a phishing scam

40 Explains what a phishing scam is

41 Explains simple things you can do to protect self

42 Comic strip intervention

43 Embedded training evaluation
-Lab study compared two prototype interventions to standard security notice emails from eBay and PayPal
-Existing practice of security notices is ineffective
-Diagram intervention somewhat better
-Comic strip intervention worked best
-Interventions most effective when based on real brands

44 Faculty research overview
Lorrie Cranor
Jason Hong
CMU Usable Privacy and Security (CUPS) Laboratory http://cups.cs.cmu.edu/

45 Student introductions
-Introduce yourself to your neighbor and tell them your background. Tell them why you’re taking the course and what you want to get out of the course
-Form a group of ~4 and repeat
-Form a group of ~8 and repeat
-Pick someone to stand up in front of the class, introduce your group members, and summarize the reasons people in your group are taking the course and what you want to get out of the course

46 CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/

