UsabsecMonday3

HUMAN-CENTRED SECURITY

• What is the main contribution of the paper?
• What is the methodology?
• Yee's Guidelines
• What is the conclusion of the paper?
• What do we define usable security as – in terms of a topic or research area – after reading this paper?

Payne & Edwards

Yee

• Usability and security should not be considered elements that can be added later.
• Often considered in balance, but both fulfil a common goal: user expectations.
• Consider the task and incorporate security decisions into that task.

PSEUDO-SECURITY

Pseudo-security

• Designers and developers are tasked with considering security and compliance.
• Manifestation?
  – Security fixes
  – Prompts
  – Configuration screens
• Usability often suffers.

PSEUDO-USABILITY

Pseudo-usability

• Designers and developers are tasked with improving the usability of a product.
• Manifestation?
  – Superficial features
  – Skins
  – Widgets
  – Animation
• Interfaces can mislead or subsume security decisions.

Secondary Security

• Difficulty arises when the system is not able to determine whether the outcome is desirable or not.
• In many workflows, security is presented as a secondary task.
  – Workflow disruption
  – Generates undesirable behaviour

ADMONITION AND DESIGNATION

Yee, 2004

Yee Guidelines

• Path of least resistance.
• Appropriate boundaries.
• Explicit authorisation.
• Visibility.
• Revocability.
• Expected ability.
• Trusted path.
• Identifiability.
• Expressiveness.
• Clarity.


INFORMATION SECURITY

Cornerstones of Information Security

Confidentiality

This year – Phishing Again

The Ministry of Justice has been fined £180,000 for "serious failings" in the handling of confidential data.

Availability – Employee Error

Ransomware

http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/

Activity

• Discuss the examples you have collected.
• Determine the example you want to present.
• Develop a brief overview of the example and relate it back to Yee's guidelines.
• Coffee break.
• Some teams will present.

1) What do users do to compromise security?
2) Why do they do this?
3) Relate to Yee's guidelines …

Discussion

CONFIDENTIALITY

INTEGRITY

AVAILABILITY

Yee, 2004

Users behave insecurely

• Ignore warnings
• Choose poor settings
• Subvert corporate policies
• Click on links and get phished
• What should our approach be?

Twitter Hack – February 2013

Finger of Blame
• "I knew there was a good reason I don't use so called social networks!…I find it strange that most of the people shouting about this deliberately put mountains of personal stuff out for the world to see anyway & most never or rarely change their passwords! It's a fact that if only a little info is known about most individuals then their passwords are fairly easy to suss by a pro hacker anyway!"

Blame…
• "Twitter (& facebook) is used by twits so it does not surprise me that it is insecure. It is not just kids but kidults in their 20s, 30s and older trying to appear on-message and part of the crowd. Most of the info is just opinion and the childish activities of last night like where I got as pissed as I did. Why in a recession so much time, money and resource wasted on these puerile activities?"

Suggesting Strategies
• Just serves as a reminder to everyone never to use or give real information, let alone the same password across accounts online. Never use the likes of Twitter or Facebook.
• They know which countries these hackers continually operate from…why not just block internet access to these countries until the authorities in those countries get off their a***s and do something about it.

Good Password Practice
• People who use the same password for everything are screwed. That's why you should have at least 4 levels of password, and change them every so often.
• That means passwords like "password" and "123456" just won't do any more.
• But the hackers got into the database, so how would good passwords have helped?

A Last Comment
"There is a fortune waiting for the person who comes up with an alternative to passwords"

Twitter Hack – February 2013

Summary
• Unimportant
• Blame the foreigners
• Blame the victim
• Password advice
• Replace passwords

It is not clear whether the family had updated the camera with the latest software.

Gilbert says he had a firewall enabled and both the camera and routers were password protected.

At About the Same Time

No Blame Here

Wait a Minute…

Not Much Has Changed

1953 vs 2013

Comparing….

• Both physical and virtual locks:
  – Easily lost
  – Easily shared
  – Easily replaced
• Physical lock:
  – Minor resistance to intrusion attempts
  – Has replacement cost
  – Some initial outlay cost
  – Kept in bunches, so loss enables multiple intrusions
• Virtual lock:
  – Possible to subvert
  – No replacement cost
  – No initial cost
  – Reused on multiple systems, so leakage leads to multiple intrusions

So…
How come no one is calling for a new door lock and no one blames the victims?

Physical World
• Locks on Doors
  – Act as a minor deterrent (and we know this)
• Response to Intrusion
  – Replace lock
  – Submit insurance claim
  – Tut about the wickedness of the world
  – Buy a dog :)

Virtual World
• Virtual Locks
  – We want perfection!
  – No flaws tolerated
• Response to Intrusion
  – Demand a better mechanism
  – Blame the victims
  – Wave hands around and say "Something must be done"

Universal Cry….

The Easy Conclusion

The WRONG Conclusion

Fake anti-virus


Systems get Compromised sans weak passwords

P25 Radio

• Researchers scanned "encrypted" frequencies in 50 metropolitan areas
• Over 20 min a day of cleartext comms
  – Names of confidential informants
  – Plans for forthcoming operations
  – Wide range of crimes
  – Mostly law enforcement
• Failure of user interface design!

Why do users behave insecurely?

• Don't they understand?
• Is it inconvenience?
• Is it a perfectly reasonable trade-off?
• Complexity of the security world?
• New threats every day – keeping up is hard
• Values?

A Different Approach

• Instead of BLAMING
  – Moral high ground – feels good but doesn't change anything
• Let's get next to the user, and
  – Design better mechanisms
  – Harness what humans are good at
  – Don't expect them to do what is humanly impossible!
• Take the bigger view
