Users Are Not the Enemy

1
Users Are Not the Enemy

• Anna Adams
• Martina Angela Sasse

2
Overview

• Introduction
• The Study
• Users Lack Security Knowledge
• Security Needs User-Centered Design
• Motivating Users
• Users and Password Behavior
• Recommendations
• Conclusion

3
Introduction

• Confidentiality of computer security
• Identification
• Authentication
• Password Security
• Key element is crack ability of password
  combination
• Should have several criteria for password
  security

4
Password Security

• Password composition
• What type of characters used for passwords
• Password lifetime
• Changing passwords frequently
• Password ownership
• Increase individual accountability
• Reduce illicit usage
• Allow for an establishment of system usage
• Reduce frequent password changes

5
The Study

• Web-based questionnaire
• Focused on password behaviors
• 4 factors influencing effective passwords
• Multiple passwords
• Password Content
• Perceived compatibility with work practices
• Users perceptions of organizational security and
  information sensitivity

6
The Study What was found

• Multiple passwords
• Writing them down
• Poor design
• Linked passwords
• Password Content
• No feed back from security experts
• Own rules for passwords
• Password restrictions
• Increase password disclosures
• Ways to circumvent restrictions

7
The Study What was found cont.

• Compatibility between work practices and password
  procedures
• Shared passwords
• Not being informed of security issues
• Guided by what they see
• 2 main problems in password usage
• Systems factors
• External factors

8
Users Lack Security Knowledge

• Need-to-know Principle
• The more know about security the easier it is to
  attack
• Users not informed
• Password behaviors
• Correct password content
• Cracking
• Not told of security breaches

9
Users Lack Security Knowledge

• Misunderstanding of login process
• Confuse user identification with passwords
• Think IDs are part of password
• Using physical attributes that dont require ID
  recall
• Combine physical attributes with remote access to
  systems

10
Security Needs User-Center Design

• To achieve good user-center design in security
  mechanisms
• communication with users is needed
• Security has to think about the users
• Requiring many passwords create usability
  problems
• Frequently changed passwords increase disclosure
• Need to take into account passwords used out of
  the office

11
Motivating Users

• Simplistic Approach to user authentication
• Restricts data by identification and
  authentication
• Does not work well for group work
• Authoritarian Approach to user authentication
• Led to security departments reluctance to
  communicate with users with regard to work
  practices

12
Motivating Users cont.

• Individual ownership of passwords increases
  accountability and decreases illicit usage of
  passwords
• If users perceive they are using shared passwords
  this increases groups responsibility and
  accountability
• Password mechanism has to be compatible with work
  practices

13
Motivating Users cont.

• Most users are security conscious just need to
  think that security is important
• Need to forget about Need-to-Know
• If done could lead to security leaks
• Can also motivate users of real problems
• Need to have communication between security
  department and users
• This is the only area in IT in which user
  training is not regarded as essential

14
Users and Password Behavior

• Major problems with Security
• Insecure work practices
• Low security motivation
• Personal thinking vs. drills and punishment
• Security procedures must work with user work
  practices
• Security departments have to see how their
  mechanisms are used in practice

15
Recommendations

• Password Content
• Provide training on usable and secure passwords
• Provide constructive feedback on password
  construction
• Multiple Passwords
• Reduce number of passwords
• 4 or 5 passwords max
• Smart cards when using multiple passwords

16
Recommendations cont.

• Users Perception of Security
• System security needs to be visible to all
• Inform users of existing and potential threats
• Users awareness needs to be maintained over time
• Provide guidance as to which systems and
  information are sensitive and why
• Work Practices
• Password mechanisms need to match organization
  and work procedures

17
Conclusion

• Communication between security department and
  users
• Limiting passwords
• Creating secure passwords
• Sharing security issues
• The users are not the enemy of security
• Users can help solve the problem

Questions ?