05-899/17-500 Usable Privacy and Security - PowerPoint PPT Presentation

Slides: 23
Provided by: paull67
Learn more at: http://cups.cs.cmu.edu

Transcript and Presenter's Notes

1
Usable Privacy and Security I
  • 05-899/17-500 Usable Privacy and Security
  • Colleen Koranda
  • February 7, 2006

2
Usable Privacy and Security I
  • Chapter 1: Psychological Acceptability Revisited
  • Chapter 2: The Case for Usable Security
  • Chapter 3: Design for Usability
  • Chapter 32: Users Are Not the Enemy

3
Usable Security
  • The user side
  • A secure system has to be complicated and
    complex, and thus difficult to use
  • The Need to Know Principle
  • The more that is known about security the easier
    it is to attack
  • Users know little about security
  • Lack of knowledge makes it less secure
  • Humans are the weakest link in the security chain
  • Hackers pay attention to human element in
    security to exploit it

4
Usable Security
  • Why are security products ineffective?
  • Users do not understand the importance of data,
    software, and systems
  • Users do not see that assets are at risk
  • Users do not understand that their behavior is at
    risk

6
Approach 1
  • Educate the user
  • Today's educational topic: passwords

7
What makes a Good Password?
8
Suggestions for Creating Passwords
  • Interject random characters within a word
  • confine → cOnfiNe
  • Deliberately misspell a word
  • helium → healeum
  • Make an acronym
  • I've fallen, and I can't get up → If,alcgu
  • Use numbers and sounds of letters to make words
  • I am the one for you → imd14u
  • Combine letters from multiple words
  • Laser and implosion → liamspel

https://www1.cs.columbia.edu/crf/accounts/crack_tutorial.html
9
http://www.hirtlesoftware.com/p_passpr.htm
10
http://www.securitystats.com/tools/password.php
11
How Long Does It Take to Crack a Password?
  • Brute force attack
  • Assuming 100,000 encryption operations per second
  • FIPS Password Usage
  • 3.3.1 Passwords shall have a maximum lifetime of 1
    year

(Table: brute-force cracking time by password length)
http://geodsoft.com/howto/password/cracking_passwords.htm#howlong
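A worked version of this slide's arithmetic, added here as an example and not part of the original deck: it takes the slide's assumed rate of 100,000 guesses per second and the FIPS one-year maximum lifetime, and asks how long a password must be before exhaustive search cannot finish within that lifetime. The character-set sizes and labels are my own assumption.

```python
"""Added example (not from the slides): worst-case brute-force time at the
slide's assumed 100,000 guesses per second, compared against the FIPS
maximum password lifetime of one year (section 3.3.1)."""

# Seconds in a (non-leap) year: the lifetime the slide cites.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Character-set sizes used below; labels are my own, not from the deck.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       guesses_per_second: int = 100_000) -> float:
    """Seconds to try every password of this length; expected time is ~half."""
    return keyspace(charset_size, length) / guesses_per_second


def outlives_lifetime(charset_size: int, length: int,
                      guesses_per_second: int = 100_000,
                      lifetime_seconds: int = SECONDS_PER_YEAR) -> bool:
    """True if the keyspace cannot be exhausted before the password expires."""
    return worst_case_seconds(charset_size, length, guesses_per_second) > lifetime_seconds


def min_length_for_lifetime(charset_size: int,
                            guesses_per_second: int = 100_000,
                            lifetime_seconds: int = SECONDS_PER_YEAR) -> int:
    """Smallest L with charset_size**L > guesses_per_second * lifetime_seconds."""
    budget = guesses_per_second * lifetime_seconds  # guesses possible in a lifetime
    length = 1
    while keyspace(charset_size, length) <= budget:
        length += 1
    return length


if __name__ == "__main__":
    # Caveat: this is exhaustive search. Dictionary-based guessing finds
    # memorable words and slide-8 style variations far sooner than this.
    for name, size in CHARSETS.items():
        print(f"{name:16s} min length for a 1-year lifetime: "
              f"{min_length_for_lifetime(size)}")
    print(f"lowercase, 8 chars: {worst_case_seconds(26, 8) / 86400:.1f} days")
```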
12
Education Results
  • Educating users does not automatically mean they
    will change their behavior
  • Why?
  • users do not believe they are at risk
  • users do not think they will be accountable for
    not following security regulations
  • security mechanisms can conflict with social
    norms
  • security behavior conflicts with self-image

13
Motivation
  • Users are motivated if they care about what is
    being protected
  • -and-
  • Users understand how their behavior can put
    assets at risk

14
Motivation
  • How can motivation be accomplished?
  • Security should not be a firefighting response
  • Organizations must become active in security
  • Approach 2: Design a Usable System

15
Design a Usable System
  • User centered design is critical in system
    security
  • Password mechanisms should be compatible with
    work practices
  • Change regime and spiraling effect
  • "I cannot remember my password. I have to write
    it down. Everyone knows it's on a Post-it in my
    drawer, so I might as well stick it on the screen
    and tell everyone who wants to know."
  • Passwords that are memorable are not secure

16
How to Design a Usable Secure System?
  • Current problem
  • Lack of communication between users and security
    departments
  • Solution
  • Product: actual security mechanisms
  • Process: how decisions are made
  • Panorama: the context of security

17
Product
  • Password Considerations
  • Meaning increases memorability
  • Are often less secure
  • How do you make a password easy to remember but
    hard to guess?
  • Passwords that change over time
  • Can decrease memorability
  • Can increase security?
  • System generated passwords
  • Can be more inherently secure
  • Are less memorable
  • Passwords are often used infrequently
  • How can they be remembered?

18
Process
  • Security tasks must be designed to support
    production tasks
  • AEGIS process
  • gathering participants
  • identifying assets
  • modeling assets in context of operation
  • security requirements on assets
  • risk analysis
  • designing security of the system
  • Benefits of involving stakeholders
  • increased awareness of security
  • security aspects become much more accessible and
    personal
  • provide a simple model through security
    properties of the system

19
Panorama
  • Security tasks must take into account the
    environment
  • Education
  • Teaching concepts and skills
  • Training
  • Change behavior through drills, monitoring,
    feedback, reinforcement
  • Focus should be on correct usage of security
    mechanisms
  • Should encompass all staff, not only those with
    immediate access to systems deemed at risk
  • Attitudes
  • Role models

20
Activity
  • Groups will explore how to solve a problem
    related to passwords with a given scenario
  • The goal is to make suggestions for a secure
    system that users will comply with
  • Simply saying educate and train users is not
    enough to make a convincing argument
  • Weigh the pros and cons of decisions you make
  • Refer to the design checklist (p. 42)

21
Summary
  • Users need to be informed about security issues
  • Majority of users are security conscious if they
    see the need for the behavior
  • The key to all security efforts is a balance
    between security and usability

22
Bibliography
  • Security and Usability
  • Chapter 1: Psychological Acceptability Revisited
  • Chapter 2: The Case for Usable Security
  • Chapter 3: Design for Usability
  • Chapter 32: Users Are Not the Enemy
  • http://www.smat.us/sanity/riskyrules.html
  • http://www.dss.mil/search-dir/training/csg/security/S2unclas/Need.htm
  • http://www.itl.nist.gov/fipspubs/fip112.htm
  • http://www.securitystats.com/tools/password.php
  • https://www1.cs.columbia.edu/crf/accounts/crack_tutorial.html
  • http://geodsoft.com/howto/password/cracking_passwords.htm#howlong