Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usable Security (unusable security ain’t secure)

Published byBethany O’Brien’ Modified over 5 years ago

Similar presentations

Presentation on theme: "Usable Security (unusable security ain’t secure)"— Presentation transcript:

1 Usable Security (unusable security ain’t secure)
Jeff Offutt SWE 205 Software Usability Analysis and Design Based on slides from Paul Ammann Keynote talk at SECTEST 2014 (with liberal help from Angela Sasse of UCL)

2 Outline A Poll Consequences of unusable security
Myths about usable security The path forward 30 November 2018

3 I hope you will all disagree by the time I finish today
A Poll “In the past decade our community has recognized a tension between security and usability: it is generally easy to provide more of one by offering less of the other.” Bonneau et al., Oakland S&P 2012 How many of you : Agree ? Disagree ? I hope you will all disagree by the time I finish today 30 November 2018

4 Outline A Poll Consequences of unusable security
Myths about usable security The path forward 30 November 2018

5 Unusable Security Costs Money
30 November 2018

6 Standard Security Thinking: “Users Should Make the Effort”
“An hour from each of the US’s 180 million online users is worth approximately US$2.5 billion. A major error in security thinking has been to treat users’ time—an extremely valuable resource—as free.” C. Herley, IEEE S&P Jan/Feb 2014 30 November 2018

7 Does This Really Help Security?
30 November 2018

8 Productivity Impact – Lost Sales
Not a particularly effective security measure Not usable: failure rate around 40% — so customers go elsewhere “CAPTCHAs waste 17 years of human effort every day” (Pogue, Scientific American March 2012) 30 November 2018

9 Unusable Security is Ridiculous …
30 November 2018

10 Password Recovery “A significant percentage of users use the password recovery system every time they log in to their bank account” — Security executive at a major bank 30 November 2018

11 “Through 20 years of effort, we've successfully trained everyone to design passwords that are hard for humans to remember, but easy for computers to guess.” 30 November 2018

12 Unusable Security Costs Security
User errors — even when trying to be secure Non-compliance and workarounds to get tasks done Security policies that cannot be followed make effort seem futile: “It creates a sense of paranoia and fear, which makes some people throw up their hands and say, `there’s nothing to be done about security,’ and then totally ignore it.” Expert Round Table IEEE S&P Jan/Feb 2014 30 November 2018

13 Are these legitimate users?
Noncompliance Are these legitimate users? 30 November 2018

14 Classification of Errors (Norman)
Slips Goal is correct But execution is flawed Mistakes Goal is wrong Attacks Goal is immoral, anti-social, or illegal User errors ≠ security attacks Don’t treat legitimate users like criminals 30 November 2018

15 Impact on Security – Long-Term
Increased likelihood of security breaches “Noise” created by habitual non-compliance makes malicious behavior harder to detect Lack of appreciation of and respect for security creates a bad security culture Frustration can lead to disgruntlement: intentional malicious behavior — insider attacks, sabotage 30 November 2018

16 Outline A Poll Consequences of unusable security
Myths about usable security The path forward 30 November 2018

17 Classification of Errors (Norman)
Slips Goal is correct But execution is flawed Mistakes Goal is wrong Attacks Goal is immoral, anti-social, or illegal User errors ≠ security attacks Don’t treat legitimate users like criminals 30 November 2018

18 Impact on Security – Long-Term
Increased likelihood of security breaches “Noise” created by habitual non-compliance makes malicious behavior harder to detect Lack of appreciation of and respect for security creates a bad security culture Frustration can lead to disgruntlement: intentional malicious behavior — insider attacks, sabotage 30 November 2018

19 Outline A Poll Consequences of unusable security
Myths about usable security The path forward 30 November 2018

20 Beliefs of Usable Security
These are based on a survey of security and usability professionals at several companies Belief 1 Software engineers and security experts understand usability Belief 2 Usability is the same as user interface design Belief 3 Usability is a luxury, not a necessity 30 November 2018

21 Myths of Usable Security
These are based on a survey of security and usability professionals at several companies Belief 1 Software engineers and security experts understand usability Myth 1 Software engineers and security experts understand usability Myth 2 Usability is the same as user interface design Belief 2 Usability is the same as user interface design Belief 3 Usability is a luxury, not a necessity Myth 3 Usability is a luxury, not a necessity 30 November 2018

22 Beliefs of Usable Security (2)
Making access more difficult for legitimate users also makes access more difficult for illegitimate users Belief 5 Usability and security conflict with each other Belief 6 The right process will lead to usable security 30 November 2018

23 Myths of Usable Security (2)
Making access more difficult for legitimate users also makes access more difficult for illegitimate users Belief 4 Making access more difficult for legitimate users also makes access more difficult for illegitimate users Myth 5 Usability and security conflict with each other Belief 5 Usability and security conflict with each other Belief 6 The right process will lead to usable security Myth 6 The right process will lead to usable security 30 November 2018

24 The Cost Confusion Low usable security Death Zone
Cost for authorized users Our goal is to drive this down Sweet Spot High usable security Cost for unauthorized users 30 November 2018

25 Outline A Poll Consequences of unusable security
Myths about usable security The path forward 30 November 2018

26 ? ? Pain and Consequences pain Executive Programmers Purchasing
Designers ? Users pain 30 November 2018

27 Pain and Consequences Purchasing Executive Programmers Achieving usable security requires a pain-path from the users to the designers Designers Users pain 30 November 2018

28 Classification of Errors (Norman)
Slips Goal is correct But execution is flawed Mistakes Goal is wrong User errors ≠ security attacks Don’t treat legitimate users like criminals 30 November 2018

29 Technology Should be Smarter
Move from explicit to implicit authentication: Proximity sensors Car key fobs Bio-metrics Thumbprints, facial recognition, etc. Web fingerprinting Two-factor authentication 30 November 2018

30 Summary Security can only be achieved by designing security systems that are usable Unusable Security Ain’t 30 November 2018

Download ppt "Usable Security (unusable security ain’t secure)"

Similar presentations

Chapter 1  Introduction 1 Chapter 1: Introduction.

Chapter 1  Introduction 1 Chapter 1: Introduction.
Why Usable Security Matters and How Testing Can Help Achieve It SECTEST Keynote Paul Ammann March 31, 2014 1.

Why Usable Security Matters and How Testing Can Help Achieve It SECTEST Keynote Paul Ammann March 31,
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.

Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
SWE Introduction to Software Engineering

SWE Introduction to Software Engineering
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”

Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
1 DETERRING INTERNAL INFORMATION SYSTEMS MISUSE EECS711 : Security Management and Audit Spring 2010 Presenter : Amit Dandekar Instructor : Dr. Hossein.

1 DETERRING INTERNAL INFORMATION SYSTEMS MISUSE EECS711 : Security Management and Audit Spring 2010 Presenter : Amit Dandekar Instructor : Dr. Hossein.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
References  Cranor & Garfinkel, Security and Usability, O’Reilly  Sasse & Flechais, “Usable Security: Why Do We Need It? How Do We Get It?”  McCracken.

References  Cranor & Garfinkel, Security and Usability, O’Reilly  Sasse & Flechais, “Usable Security: Why Do We Need It? How Do We Get It?”  McCracken.
Review for Final Exam Fall 2014 Jeff Offutt SWE 632 User Interface Design and Development.

Review for Final Exam Fall 2014 Jeff Offutt SWE 632 User Interface Design and Development.
Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.

Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Paul Ammann Usability and Security CS 101© Paul Ammann1.

Paul Ammann Usability and Security CS 101© Paul Ammann1.
By Godwin Alemoh. What is usability testing Usability testing: is the process of carrying out experiments to find out specific information about a design.

By Godwin Alemoh. What is usability testing Usability testing: is the process of carrying out experiments to find out specific information about a design.
EECS 690 Moral Issues in Computing Technology. The MACIT (The Myth of Amoral Computing and Information Technology) The MACIT has many distinguishing features,

EECS 690 Moral Issues in Computing Technology. The MACIT (The Myth of Amoral Computing and Information Technology) The MACIT has many distinguishing features,
Professional Ethics and Responsibilities Part-II

Professional Ethics and Responsibilities Part-II
1 Design Principles CS461 / ECE422 Spring 2012. 2 Overview Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction.

1 Design Principles CS461 / ECE422 Spring Overview Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction.
Safe Computing Practices. What is behind a cyber attack? 1.

Safe Computing Practices. What is behind a cyber attack? 1.

Similar presentations

Ads by Google