Presentation is loading. Please wait.

Presentation is loading. Please wait.

05-899/17-500 Usable Privacy and Security Colleen Koranda February 7, 2006 Usable Privacy and Security I.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "05-899/17-500 Usable Privacy and Security Colleen Koranda February 7, 2006 Usable Privacy and Security I."— Presentation transcript:

1 05-899/17-500 Usable Privacy and Security Colleen Koranda February 7, 2006 Usable Privacy and Security I

2 KorandaCarnegie Mellon University2  Chapter 1: Psychological Acceptability Revisited  Chapter 2: The Case for Usable Security  Chapter 3: Design for Usability  Chapter 32: Users are not the Enemy Usable Privacy and Security I

3 KorandaCarnegie Mellon University3 Usable Security  The user side…  A secure system has to be complicated and complex; thus, difficult to use  The Need to Know Principle  The more that is known about security the easier it is to attack  Users know little about security  Lack of knowledge makes it less secure  Humans are the weakest link in the security chain  Hackers pay attention to human element in security to exploit it

4 KorandaCarnegie Mellon University4 Usable Security  Why are security products ineffective?  Users do not understand the importance of data, software, and systems  Users do not see that assets are at risk  Users do not understand that their behavior is at risk

5 KorandaCarnegie Mellon University5 Usable Security  Why are security products ineffective?  Users do not understand the importance of data, software, and systems  Users do not see that assets are at risk  Users do not understand that their behavior is at risk

6 KorandaCarnegie Mellon University6 Approach #1  Educate the user  Today’s educational topic: passwords

7 KorandaCarnegie Mellon University7 What makes a Good Password?

8 KorandaCarnegie Mellon University8 Suggestions for Creating Passwords  Interject random characters within a word  confine = cOn&fiNe  Deliberately misspell a word  helium = healeum  Make an acronym  I’ve fallen, and I can’t get up = If,alcgu  Use numbers and sounds of letters to make words  I am the one for you = imd14u  Combine letters from multiple words  Laser and implosion = liamspel https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html

9 KorandaCarnegie Mellon University9 http://www.hirtlesoftware.com/p_passpr.htm

10 KorandaCarnegie Mellon University10 http://www.securitystats.com/tools/password.php

11 KorandaCarnegie Mellon University11 How Long does it take to Crack a Password?  Brute force attack  Assuming 100,000 encryption operations per second  FIPS Password Usage  3.3.1 Passwords shall have maximum lifetime of 1 year http://geodsoft.com/howto/password/cracking_passwords.htm#howlong Password Length

12 KorandaCarnegie Mellon University12 Education Results  Educating users does not automatically mean they will change their behavior  Why?  users do not believe they are at risk  users do not think they will be accountable for not following security regulations  security mechanisms can conflict with social norms  security behavior conflicts with self-image

13 KorandaCarnegie Mellon University13 Motivation  Users are motivated if care about what is being protected -and-  Users understand how their behavior can put assets at risk

14 KorandaCarnegie Mellon University14 Motivation  How can motivation be accomplished?  Security should not be a ‘firefighting’ response  Organizations must become active in security  Approach #2 – Design a Usable System

15 KorandaCarnegie Mellon University15 Design a Usable System  User centered design is critical in system security  Password mechanisms should be compatible with work practices  Change regime and spiraling effect:  I cannot remember my password. I have to write it down. Everyone knows it’s on a Post-it in my drawer, so I might as well stick it on the screen and tell everyone who wants to know  Passwords that are memorable are not secure

16 KorandaCarnegie Mellon University16 How to Design a Usable & Secure System?  Current problem  Lack of communication between users and security departments  Solution  Product: actual security mechanisms  Process: how decisions are made  Panorama: the context of security

17 KorandaCarnegie Mellon University17 Product  Password Considerations  Meaning increases memorability  Are often less secure  How do you make a password easy to remember but hard to guess?  Passwords that change over time  Can decrease memorability  Can increase security?  System generated passwords  Can be more inherently secure  Are less memorable  Passwords are often used infrequently  How can they be remembered?

18 KorandaCarnegie Mellon University18 Process  Security tasks must be designed to support production tasks  AEGIS process  gathering participants  identifying assets  modeling assets in context of operation  security requirements on assets  risk analysis  designing security of the system  Benefits of involving stakeholders  increased awareness of security  security aspects become much more accessible and personal  provide a simple model through security properties of the system

19 KorandaCarnegie Mellon University19 Panorama  Security tasks must take into account the environment  Education  Teaching concepts and skills  Training  Change behavior through drills, monitoring, feedback, reinforcement  Focus should be on correct usage of security mechanisms  Should encompass all staff, not only those with immediate access to systems deemed at risk  Attitudes  Role models

20 KorandaCarnegie Mellon University20 Activity  Groups will explore how to solve a problem related to passwords with a given scenario  The goal is to make suggestions for a secure system that users will comply with  Simply saying ‘educate and train users’ is not enough to make a convincing argument  Weigh the pros and cons of decisions you make  Refer to the design checklist (p42)

21 KorandaCarnegie Mellon University21 Summary  Users need to be informed about security issues  Majority of users are security conscious if they see the need for the behavior  The key to all security efforts is a balance between security and usability

22 KorandaCarnegie Mellon University22 Bibliography  Security and Usability  Chapter 1: Psychological Acceptability Revisited  Chapter 2: The Case for Usable Security  Chapter 3: Design for Usability  Chapter 32: Users are not the Enemy  http://www.smat.us/sanity/riskyrules.html  http://www.dss.mil/search-dir/training/csg/security/S2unclas/Need.htm  http://www.itl.nist.gov/fipspubs/fip112.htm  http://www.securitystats.com/tools/password.php  https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html  http://geodsoft.com/howto/password/cracking_passwords.htm#howlong

Download ppt "05-899/17-500 Usable Privacy and Security Colleen Koranda February 7, 2006 Usable Privacy and Security I."

Similar presentations

Scenarios for applying crosscutting concerns. Aspects should be visible throughout the full lifecycle of a software product. While most AOP-efforts currently.

Scenarios for applying crosscutting concerns. Aspects should be visible throughout the full lifecycle of a software product. While most AOP-efforts currently.
Note: Lists provided by the Conference Board of Canada

Note: Lists provided by the Conference Board of Canada
Stepping StonesStepping Stones Programme Stepping Stones Stepping Stones Programme Next Step The Requirements Sylvia Tevlin Human Resources Manager.

Stepping StonesStepping Stones Programme Stepping Stones Stepping Stones Programme Next Step The Requirements Sylvia Tevlin Human Resources Manager.
New Supervisor: Skills for Success

New Supervisor: Skills for Success
Applying Psychology to Teaching

Applying Psychology to Teaching
Student Academic Success Center Power Over Procrastination

Student Academic Success Center Power Over Procrastination
Chapter 12 Getting Them to Talk. Creating Good Questions  Lower-level Questions Know Require children to recognize or understand basic concepts or facts.

Chapter 12 Getting Them to Talk. Creating Good Questions  Lower-level Questions Know Require children to recognize or understand basic concepts or facts.
Chapter 10 Schedule Your Schedule. Copyright 2004 by Pearson Education, Inc. Identifying And Scheduling Tasks The schedule from the Software Development.

Chapter 10 Schedule Your Schedule. Copyright 2004 by Pearson Education, Inc. Identifying And Scheduling Tasks The schedule from the Software Development.
Small Group Teaching. Outline Pros and Cons of SGT Pros and Cons of SGT learning environment in SGT learning environment in SGT skill involved in SGT.

Small Group Teaching. Outline Pros and Cons of SGT Pros and Cons of SGT learning environment in SGT learning environment in SGT skill involved in SGT.
Effective Communication of Cyber Security Risks: Addressing the Human Element in Security Jason R.C. Nurse (PhD, MSc, BSc) Cyber Security Centre, Department.

Effective Communication of Cyber Security Risks: Addressing the Human Element in Security Jason R.C. Nurse (PhD, MSc, BSc) Cyber Security Centre, Department.
EFFECTIVE DELEGATION AND SUPERVISION

EFFECTIVE DELEGATION AND SUPERVISION
VM: Chapter 5 Guiding Principles for Software Security.

VM: Chapter 5 Guiding Principles for Software Security.
THE PROCESS OF INTERACTION DESIGN

THE PROCESS OF INTERACTION DESIGN
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
Part 2c: Requirements Chapter 2: How to Gather Requirements: Some Techniques to Use Chapter 3: Finding Out about the Users and the Domain Chapter 4: Finding.

Part 2c: Requirements Chapter 2: How to Gather Requirements: Some Techniques to Use Chapter 3: Finding Out about the Users and the Domain Chapter 4: Finding.
Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan McCune Security Reading Group February 6, 2004.

Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan McCune Security Reading Group February 6, 2004.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
Behaviorism Ed Tech Masters Program Summer 2003. What is behaviorism all about? Psychology is purely the study of external behavior Behavior is objective.

Behaviorism Ed Tech Masters Program Summer What is behaviorism all about? Psychology is purely the study of external behavior Behavior is objective.
User-Centered Design Good design The user says “Yes, I see” or “Of course”. A simple explanation is sufficient. Bad design The user says “How am I going.

User-Centered Design Good design The user says “Yes, I see” or “Of course”. A simple explanation is sufficient. Bad design The user says “How am I going.
Meaningful Learning in an Information Age

Meaningful Learning in an Information Age

Similar presentations

Ads by Google