UsabsecMonday3
HUMAN-CENTRED SECURITY
• What is the main contribution of the paper?
• What is the methodology?
• Yee’s Guidelines
• What is the conclusion of the paper?
• What do we define usable security as – in terms of a topic or research area – after reading this paper?
Payne & Edwards
Yee
• Usability and security should not be considered elements that can be added later.
• Often considered in balance, but both are fulfilling a common goal: user expectations.
• Consider the task and incorporate security decisions into that task.
PSEUDO-SECURITY
Pseudo-security
• Designers and developers are tasked with considering security and compliance.
• Manifestation?
– Security fixes
– Prompts
– Configuration screens
• Usability often suffers
PSEUDO-USABILITY
Pseudo-usability
• Designers and developers are tasked with improving the usability of a product.
• Manifestation?
– Superficial features
– skins
– widgets
– Animation
• Interfaces can mislead or subsume security decisions.
Secondary Security
• Difficulty arises when the system is not able to determine if the outcome is desirable or not.
• Consider many workflows: security is presented as a secondary task.
– Workflow disruption
– Generates undesirable behaviour
ADMONITION AND DESIGNATION
Yee, 2004
Yee Guidelines
• Path of least resistance.
• Appropriate boundaries.
• Explicit authorisation.
• Visibility.
• Revocability.
• Expected ability.
• Trusted path.
• Identifiability.
• Expressiveness.
• Clarity.
INFORMATION SECURITY
Cornerstones of Information Security
Confidentiality
This year – Phishing Again
The Ministry of Justice has been fined £180,000 for “serious failings” in the handling of confidential data.
Availability – Employee Error
Ransomware
http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
Activity
• Discuss the examples you have collected.
• Determine the example you want to present.
• Develop a brief overview of the example and relate it back to Yee’s guidelines.
• Coffee break.
• Some teams will present.
1) What do users do to compromise security?
2) Why do they do this?
3) Relate to Yee guidelines …
Discussion
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
Yee, 2004
Users behave insecurely
• Ignore warnings
• Choose poor settings
• Subvert corporate policies
• Click on links and get phished
• What should our approach be?
Twitter Hack – February 2013
Finger of Blame
• “I knew there was a good reason I don’t use so-called social networks!… I find it strange that most of the people shouting about this deliberately put mountains of personal stuff out for the world to see anyway & most never or rarely change their passwords! It’s a fact that if only a little info is known about most individuals then their passwords are fairly easy to suss by a pro hacker anyway!”
Blame…
• “Twitter (& facebook) is used by twits so it does not surprise me that it is insecure. It is not just kids but kidults in their 20s, 30s and older trying to appear on-message and part of the crowd. Most of the info is just opinion and the childish activities of last night like where I got as pissed as I did. Why in a recession so much time, money and resource wasted on these puerile activities?”
Suggesting Strategies
• Just serves as a reminder to everyone never to use or give real information, let alone the same password across accounts on line. Never use the likes of Twitter or Facebook.
• They know which countries these hackers continually operate from… why not just block internet access to these countries until the authorities in those countries get off their a***s and do something about it.
Good Password Practice
• People who use the same password for everything are screwed. That’s why you should have at least 4 levels of password, and change them every so often.
• That means passwords like “password” and “123456” just won’t do any more.
• But the hackers got into the database, so how would good passwords have helped?
A Last Comment
“There is a fortune waiting for the person who comes up with an alternative to passwords”
Twitter Hack – February 2013
Summary
• Un-important
• Blame the Foreigners
• Blame the Victim
• Password Advice
• Replace Passwords
It is not clear whether the family had updated the camera with the latest software.
Gilbert says he had a firewall enabled and both the camera and routers were password protected.
At About the Same Time
No Blame Here
Wait a Minute…
Not Much Has Changed
1953 vs. 2013
Comparing….
Physical Lock
Virtual Lock
Easily Lost
Easily Shared
Easily Replaced
Minor Resistance to Intrusion Attempts
Possible to Subvert
No Replacement Cost
No Initial Cost
Has Replacement Cost
Some Initial Outlay Cost
Kept in Bunches so Loss Enables Multiple Intrusions
Reused on Multiple Systems so Leakage Leads to Multiple Intrusions
So…
How come no one is calling for a new door lock and no one blames the victims?
Physical World
• Locks on Doors
– Act as a minor deterrent (and we know this)
• Response to Intrusion
– Replace lock
– Submit insurance claim
– Tut about the wickedness of the world
– Buy a dog :-)
Virtual World
• Virtual Locks
– We want perfection!
– No flaws tolerated
• Response to Intrusion
– Demand a better mechanism
– Blame the victims
– Wave hands around and say “Something must be done”
Universal Cry….
The Easy Conclusion
The WRONG Conclusion
Fake anti-virus
Systems get Compromised sans Weak Passwords
P25 Radio
• Researchers scanned “encrypted” frequencies in 50 metropolitan areas
• Over 20 min a day of cleartext comms
– Names of confidential informants
– Plans for forthcoming operations
– Wide range of crimes
– Mostly law enforcement
• Failure of user interface design!
Why do users behave insecurely?
• Don’t they understand?
• Is it inconvenience?
• Is it a perfectly reasonable trade-off?
• Complexity of the security world?
• New threats every day – keeping up is hard
• Values?
A Different Approach
• Instead of BLAMING
– Moral high ground – feels good but doesn’t change anything
• Let’s get next to the user, and
– Design better mechanisms
– Harness what humans are good at
– Don’t expect them to do what is humanly impossible!
• Take the bigger view