
Usability and Security (CS 101), Paul Ammann



Presentation transcript:

Slide 1: Usability and Security
Paul Ammann, http://www.cs.gmu.edu/~pammann
CS 101 © Paul Ammann

Slide 2: Outline
A poll
What's wrong with usable security thinking
The consequences of unusable security
 – Unusable security costs money
 – Unusable security costs security
What to do
 – The need for appropriate incentives
 – The need for systems-level thinking

Slide 3: A Poll
How many of you
 – Agree?
 – Disagree?
Goal of this part of the talk
 – Convince more of you to disagree

Slide 4: What's Wrong With 'Usable Security' Thinking?
Security implementers sometimes invent the user instead of discovering the user

Slide 5: Proper Focus: Fit with Users & Activity
If you want productive & secure users
 – and security is usually the secondary task
Then you need to understand
 – Primary user activities
 – User motivations
 – User behavior
 – Impact on bottom line

Slide 6: The Consequences of Unusable Security
Unusable security costs money
Unusable security costs security

Slide 7: Unusable Security Costs Money

Slide 8: Standard Security Thinking: "Users Should Make the Effort"
Question: how much? It all adds up:
1. Time spent on security tasks: authentication, access control, warnings, security education ...
2. Failure: time spent on errors and error recovery (user and visible organizational cost)
3. Disruption of primary tasks = re-start cost

Slide 9: Does This Really Help Security?

Slide 10: Time is Money
"An hour from each of the US's 180 million online users is worth approximately US$2.5 billion. A major error in security thinking has been to treat users' time—an extremely valuable resource—as free."
C. Herley, IEEE S&P Jan/Feb 2014

Slide 11: Password Re-use
How many of you re-use passwords across accounts?
How many of you use weak passwords?
Absolutely prohibited in traditional security!
Now a rational approach (USENIX 2014)!
Key advance: optimize both expected loss and finite user effort

Slide 12: Impact on Productivity – Long-Term
1. Users opt out of services, return devices
 – Improves their productivity, but often reduces organizational productivity (example: email)
 – Organization has less control over alternatives
2. Stifling innovation: new opportunities that would require changes in security
3. Staff leaving the organization to be more productive/creative elsewhere

Slide 13: Unusable Security is Ridiculous ...

Slide 14: The Consequences of Unusable Security
Unusable security costs money
Unusable security costs security

Slide 15: Unusable Security Costs Security!
1. User errors, even when trying to be secure
2. Non-compliance/workarounds to get tasks done
3. Security policies that cannot be followed make effort seem futile:
"It creates a sense of paranoia and fear, which makes some people throw up their hands and say, 'there's nothing to be done about security,' and then totally ignore it." Expert Round Table, IEEE S&P Jan/Feb 2014

Slide 16: User Errors When Trying To Be Secure
Fact: PDF files are dangerous.
 – That's a usability problem!
 – Is a generic warning helpful? Why not?
 – Is a detailed warning better?

Slide 17: Noncompliance
Are these legitimate users?

Slide 18: Reasons For Non-Compliance
Compliance requires ability and willingness.
Can't comply: security tasks that are impossible to complete
 – remove/redesign (security hygiene)
Could comply but won't comply: the cost of security tasks that can be completed in theory, but require a high level of effort and/or reduce productivity
 – identify & reduce friction through better design or better policies
Can comply and do comply: security tasks that staff routinely comply with
 – provides examples of what is workable in a particular environment = template for security

Slide 19: Revocation
Usability and revocation
Who identifies unneeded privileges?
 – Manager? Employee?
 – Answer says a lot about the organization
Demo environment vs. actual practice
 – "How does that work with 1000 privileges?"

Slide 20: Old Security, No Longer Usable
Entering a complex password on a touchscreen keyboard is time-consuming and error-prone
 – users look for passwords that are easy to enter
 – result: severely reduced password space
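As an added worked illustration (not part of the slides), a toy model of the trade-off on this slide: a constructed three-layer touchscreen keyboard where an uppercase letter costs a shift tap and digits/symbols cost layer switches. It computes the exact expected number of taps for a uniformly random password over a character set next to the entropy that set buys, so the effort/space trade-off can be seen in numbers; the keyboard layout and the symbol set are assumptions.

```python
import math
import string
from fractions import Fraction
# Constructed three-layer touchscreen keyboard (an assumption, not from the slides):
# lowercase letters sit on the default layer, an uppercase letter costs a shift tap
# first, and digits/symbols sit on a second layer that costs a tap to switch into
# and another tap to switch back out of.
LAYER_OF = {c: "letters" for c in string.ascii_lowercase}
LAYER_OF.update({c: "upper" for c in string.ascii_uppercase})
LAYER_OF.update({c: "symbols" for c in string.digits + "-/:;()$&@\".,?!'"})

LOWER = string.ascii_lowercase        # 26 keys, never leaves the default layer
LOWER_DIGITS = LOWER + string.digits  # 36 keys
FULL = "".join(LAYER_OF)              # all 77 keys in the model

def char_cost(ch, current):
    """Taps to type one character while on layer `current`, and the layer left on."""
    layer = LAYER_OF[ch]
    target = "letters" if layer == "upper" else layer
    taps = 1 + (layer == "upper") + (target != current)  # key + shift + switch
    return taps, target

def taps_to_enter(password):
    """Total taps for a concrete password, starting on the letter layer."""
    total, current = 0, "letters"
    for ch in password:
        taps, current = char_cost(ch, current)
        total += taps
    return total

def expected_taps(alphabet, length):
    """Exact expected taps for a uniformly random password over `alphabet`,
    by dynamic programming over the keyboard layer we are currently on."""
    memo = {}
    def go(current, remaining):
        if remaining == 0:
            return Fraction(0)
        if (current, remaining) not in memo:
            total = Fraction(0)
            for ch in alphabet:
                taps, nxt = char_cost(ch, current)
                total += taps + go(nxt, remaining - 1)
            memo[(current, remaining)] = total / len(alphabet)
        return memo[(current, remaining)]
    return go("letters", length)

def entropy_bits(alphabet, length):
    """Bits of a uniformly random password of `length` over `alphabet`."""
    return length * math.log2(len(alphabet))
```

Comparing `entropy_bits(FULL, 8)` with `entropy_bits(LOWER, 8)` against `expected_taps` for the same sets shows why users who are paying in taps drift toward the smallest set that the policy still accepts.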

Slide 21: New Security, Unusable Implementation
Replacing an existing 2FA card with a more secure one: good!
Replacing a 6-digit numeric code with an 8-character alphanumeric password valid for 1 minute: bad!
Why is that bad?
 – Skill set needed to analyze?

Slide 22: Impact on Security – Long-Term
1. Increased likelihood of security breaches
2. 'Noise' created by habitual non-compliance makes malicious behavior harder to detect
3. Lack of appreciation of and respect for security creates a bad security culture
4. Frustration can lead to disgruntlement: intentional malicious behavior, insider attacks, sabotage

Slide 23: The Need For Appropriate Incentives
Some organizations don't care about usability or usable security
 – Not much to do there
 – Dangerous invitation to competitors!
Some do care
 – Q: How to make it happen?
 – A: High-level commitment
 – A: Feedback loops
 – A: Appropriate personnel

Slide 24: Systems-Level Thinking
Typical report, as paraphrased by Norman:
 – Air Force: It was pilot error—the pilot failed to take corrective action.
 – Inspector General: That's because the pilot was probably unconscious.
 – Air Force: So you agree, the pilot failed to correct the problem.
Aircraft designers have gotten smarter.
There is a similar attitude in security
 – Fact: Users don't do what they are supposed to
 – Question: Is it their fault?
Can security designers get smarter?

Slide 25: Questions?
Contact:
 – Paul Ammann: cs.gmu.edu/~pammann
 – 4428 Engineering Building
Acknowledgements:
 – Angela Sasse has taught me a lot about usable security and shared slides generously!
Further reading:
 – Adams and Sasse: Users are not the enemy (CACM 1999)
 – Krol et al.: Rethinking security warnings (7th CRiSIS 2012)
 – Caputo et al.: Going spear phishing (S&P magazine Jan/Feb 2014)
 – Herley: More is not the answer (S&P magazine Jan/Feb 2014)
 – Norman: The Design of Everyday Things (latest 2013)
 – Florencio et al.: Password portfolios and the finite effort user (USENIX 2014)

