Making Security Work M. Angela Sasse Dept of Computer Science University College London

December 5, 2002, NESC
The “Weakest Link”
“Security is only as good as its weakest link, and people are the weakest link in the chain.” [Bruce Schneier, Secrets and Lies]

Framework – Interaction Design
Elements of the framework (from the slide diagram): Goal/Task, Context, User, System

User Characteristics
Limitations of human memory
Behaviour is goal-driven
Knowledge and understanding of security threats and mechanisms
Motivation to expend effort
Perception and attitudes toward security

System Factors
Security on a per-system basis (applications, networks, OS etc.)
Proliferation of passwords and PINs (banking, phones, websites)
“Sticky plaster” approach instead of designed systems
Wrong goals - strongest security rather than effectiveness in the real world

No personal motivation to be security-conscious
“No, if I have, I usually don’t have anything to hide or anything, but if I have something, I probably put it on my computer at home.”

“Nobody would bother to attack me”
“You know, if you think about, who’s actually going to go through all that struggle to hack a departmental computer science account of some academic at xxxx college. It’s not like NASA or anything, nothing of interest.”
“What would make it more likely?”
Answer: “Maybe if I was more famous, or…” [laughs]

“Hackers can’t be deterred anyway”
“How foolproof is it?”
Answer: “Ahm… I don’t know, really. I think it’s, ah, I haven’t the faintest idea, to be honest. I’ve got a feeling that for most purposes it’s good enough, but I think if somebody’s clever enough and perseveres enough, they will be able to get in. But I can’t see why [laughs]. To be honest.”

Negative view of good security behaviour
“What kind of person is a person who is very concerned about security?”
Answer: “I think, it’s just that it’s all a personality type. First all, they could be people who generally have private or confidential information on there. Fine - data, I wanna keep it private. I suppose general personality types. People who would want to be more secure. I don’t know. That’s really a question for psychologists. What sort of people keep their desks tidy. What sort of people comb their hair in the morning.”

(continued)
“Probably the same sort of people who would not give their passwords away. People who are very sort of… either people who are very paranoid about breaches of security or whatever or people who were told “Never give your password away.” without understanding why that would be and therefore they would never do it because they were told not to do it. People therefore who are obedient. People who follow the crowd.”

No personal accountability
“I would say ‘If they can hack into my system, then it can’t be that secure a system to start with. It’s not my job to guarantee the security of the entire xxx computer network.’”
“Well, I would just say, you know, this clearly is the work of a hacker, and I think also, people that know me personally would know that I wouldn’t do things like that.”

Designing usable security
Usable mechanisms
– Physical & mental workload of users as low as possible
– Consider frequency of use
Strong but simple policies are easier to understand than more permissive, complicated ones
Make assets and threats visible
Rationale for security mechanisms and user behaviour in protecting assets

Task Factors
For most users, most of the time, security is an enabling task for one or more production tasks
If it competes with production tasks, it will be eliminated or circumvented whenever possible
Production tasks must drive security design

Designing workable security
Security design must be integrated with production tasks
Performance is determined by production tasks: speed, idle times, strength of authentication
Availability – viable contingencies
– No competing demands for user resources
– Match security behaviour to work practices
– Workable contingencies

Context Factors
Physical
– Ease of access and use
– Environmental conditions
Social
– Social conventions (trust)
Organisational
– Lack of security culture
– Assets, roles, responsibilities not clear or understood

Designing security policies
Security policies specific to the organisation
Risk analysis: identify assets, threats, roles, and responsibilities
Build a positive security culture
– Specify expected user behaviour, and penalties for transgression
– Enforce penalties, and be seen to enforce them
– Reward good user behaviour
Security as an ongoing process – monitor and adapt

Beyond end-users
Urgent need to address usability for system administrators and developers
Escalating cost
Re-think
– Simpler architectures
– Design for security and usability, instead of sticking it on
Support for good security development needed

Supporting developers
Integrate security into the development process
– Perform security analysis as part of requirements analysis
– UML-based model of system, threats and security controls
Design patterns
– Develop tried & tested security design patterns
– Develop design patterns for usable security
