human factors
play

Human Factors Professor Adam Bates Fall 2018 Security & - PowerPoint PPT Presentation

Oct 02, 2022 •141 likes •459 views

CS 563 - Advanced Computer Security: Human Factors Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Discuss the practical consideration of usability of security

  1. CS 563 - Advanced Computer Security: Human Factors Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

  2. Administrative Learning Objectives : • Discuss the practical consideration of usability of security mechanisms and concepts • Understand how usability can be incorporated into a broader research agenda Announcements : • Reaction paper was due today (and all classes) • “Preference Proposal” Homework due 9/24 Reminder : Please put away (backlit) devices at the start of class CS423: Operating Systems Design 2 2

  3. Why Johnny Can’t Encrypt • Security mechanisms are only effective when used correctly • Invoked? configured? • This makes security a user interface problem • Case Study: Investigate PHP 5.0 • Cognitive Walkthrough • Laboratory User Tests • 2015 USENIX Security “Test of Time” award recipient Security & Privacy Research at Illinois (SPRAI) 3

  4. Usable Security We can call security software/features “usable” if the people who are expected to use it… • are made aware of the tasks they need to perform • are able to understand how to succeed at those tasks • don’t make dangerous errors while completing tasks • are comfortable enough to continuously use the software Security & Privacy Research at Illinois (SPRAI) 4

  5. Usabile Security Challenges • Lack of Motivation: Users will invest only limited attention/ capital to maintain security • Understanding Abstractions: Abstractions used by domain experts (e.g., security policy) may be obtuse to end users. • Providing good feedback: How can software guide the user to the security outcome they ‘really want’? • ‘Barn Door’ Property: Once an asset is unprotected even once, its security may be irrevocably compromised. • ‘Weakest Link’ Property: Securing assets must be comprehensive; user engagement cannot be intermittent. Security & Privacy Research at Illinois (SPRAI) 5

  6. PGP 5.0 • “Pretty Good Privacy” • Software for encrypting and signing data • GUI with plug-in for easy (?) use with email clients Security & Privacy Research at Illinois (SPRAI) 6

  7. Cognitive Walkthrough • Visual Metaphors: • Public vs. Private Keys • Signatures & Verification • Different key types: • Compatibility increases complexity • Keys listed as users Security & Privacy Research at Illinois (SPRAI) 7

  8. Cognitive Walkthrough • Key Servers: • Vital to using PGP , but buried in menus • Connection to remote resource is non-obvious • Push for locally revoked keys is not automatic Security & Privacy Research at Illinois (SPRAI) 8

  9. Cognitive Walkthrough • Key Management: • Unneeded confusion in interface • Validity versus Trust? • Presence of Irreversible Actions (e.g., key deletion) • Consistency of terminology • Too much information exposed when not needed Security & Privacy Research at Illinois (SPRAI) 9

  10. User Tests • PGP 5.0 with Eudora • 12 participants all with at least some college and none with advanced knowledge of encryption • Participants were given a scenario with tasks to complete within 90 min • Tasks built on each other • Participants could ask some questions through email Security & Privacy Research at Illinois (SPRAI) 10

  11. User Test • Scenario: Subject is ‘campaign coordinator’ that needs to send private emails to campaign team. • Tasks: Generate a key pair, acquire team’s public keys, type email, sign email using private key, encrypt using team’s public keys (different versions), send result. • Experimenter posed as team member to send instructions and feedback (sidequest: decrypt message) Security & Privacy Research at Illinois (SPRAI) 11

  12. User Test Results • Users sent message in plaintext (3) • Users used their public key to encrypt (7) and could not recover (5) • Users could not encrypt at all (1) • Users could not decrypt messages (2 succeeded) • Users could not handle legacy keys (1 succeeded) • Only 3 users completed the basic process of sending and receiving encrypted emails. Security & Privacy Research at Illinois (SPRAI) 12

  13. Takeaway If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all? Security & Privacy Research at Illinois (SPRAI) 13

  14. Takeaway If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all? Security & Privacy Research at Illinois (SPRAI) 14

  15. Aside: Can we fix the user? Security Design: Stop Trying to Fix the User • “The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things.” • Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. • Schneier suggests that solution is not Bruce Schneier interventions to ‘fix’ user, but the design of systems that work in spite of the user. Security & Privacy Research at Illinois (SPRAI) 15

  16. Threat Modeling • Foundation concept of secure system design and opsec • What do I want to protect? • Who do I want to protect it from? • How bad are the consequences if I fail? • How likely is it that I will need to protect it? • How much trouble am I willing to go through to try to prevent potential consequences? Security & Privacy Research at Illinois (SPRAI) 16

  17. Do threat models improve real-world security? Security & Privacy Research at Illinois (SPRAI) 17

  18. Threat Model Example Security & Privacy Research at Illinois (SPRAI) 18

  19. Battle For New York • Introduce threat modeling to New York City Cyber Command (NYC3) • Infrastructure accessed by 60 million tourists and 300,000 employees each year • Introduce 25 NYC3 employees to threat model training (‘Center of Gravity’ framework) • Monitor their usage at 30, efficacy at 120 days Security & Privacy Research at Illinois (SPRAI) 19

  20. Center of Gravity Framework • In military strategy. CoG is the primary asset(s) needed to achieve mission objective. Security & Privacy Research at Illinois (SPRAI) 20

  21. Study Pilot study to test relevance, clarity, validity of • protocol Recruit NYC3 employees over company email (25) • • Participants… • fill out 29 question baseline survey • complete 60 minute training • 60 minute individual session • fill out 29 question post-training survey • complete 30 day follow-up survey • Long-term evaluation of security incidents at 120 days Security & Privacy Research at Illinois (SPRAI) 21

  22. CoG Analysis Security & Privacy Research at Illinois (SPRAI) 22

  23. Participants • 25 participants completed study • 37% of NYC3 • Pre-Intervention Baseline • Security assessed through city- specific policies, NIST framework, accreditation process. • Participants report that such guidelines were not frequently applies • Many were unaware of such programs Security & Privacy Research at Illinois (SPRAI) 23

  24. Results • Participants reported that threat modeling gave them a better understanding of capabilities and requirements (n=12) • Participants agreed threat modeling was useful in their daily routine (n=23) • Many report improved ability to monitor critical assets (n=17), mitigate threats (n=16), respond to incidents (n=15) Security & Privacy Research at Illinois (SPRAI) 24

  25. Results (30 days later) • Perceived efficacy of framework decreased only slightly (not significant) • Still using mitigation strategies from threat modeling (n=21) or incorporating concepts into routine (n=20) • NYC3 began to institutionalize threat modeling as a result of participant feedback Security & Privacy Research at Illinois (SPRAI) 25

  26. Results (120 days later) • Inspect participants’ threat models to identify actionable defense plans: • Testing readiness (test defense plans) • Secure account permissions • Protect physical network assets • Crowdsourcing assessments (bug bounty program?) • Increased sensor coverage • Segment legacy systems • Protect against data corruption • Reduce human error (e.g., two person change control) Security & Privacy Research at Illinois (SPRAI) 26

  27. Results (120 days later) • Inspect participants’ threat models to identify actionable defense plans: • Testing readiness (test defense plans) • Secure account permissions • Protect physical network assets • Crowdsourcing assessments (bug bounty program?) • Increased sensor coverage • Segment legacy systems • Protect against data corruption • Reduce human error (e.g., two person change control) Security & Privacy Research at Illinois (SPRAI) 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IE 507, Human-Centered Design Seminar Human Factors (and Human Factors-Related) Research (and

IE 507, Human-Centered Design Seminar Human Factors (and Human Factors-Related) Research (and

IE 507, Human-Centered Design Seminar Human Factors (and Human Factors-Related) Research (and Development) Dr. Kenneth Funk Mr. Sami Al-AbdRabbuh Mr. Steven Hattrup School of Mechanical, Industrial, and Manufacturing Engineering Friday 25

729 views • 47 slides
Human Factors Research Some OSU examples 1 Human Factors Research to Inform the Human-Machine

Human Factors Research Some OSU examples 1 Human Factors Research to Inform the Human-Machine

Human Factors Research Some OSU examples 1 Human Factors Research to Inform the Human-Machine Systems Engineering Process Needs, Problems, Opportunities Generalizable Research Question(s) Hypothesis Formulation Operation,Test Analysis

588 views • 19 slides
Integrating Human Factors into a Comprehensive Safety System May 2019 Human & Organisational

Integrating Human Factors into a Comprehensive Safety System May 2019 Human & Organisational

Integrating Human Factors into a Comprehensive Safety System May 2019 Human & Organisational Factors HSEs definition of Human Factors The environmental, organisation and job factors, and human and individual characteristics, which

539 views • 21 slides
zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA December 2015 Agenda ASA Human Factors

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA December 2015 Agenda ASA Human Factors

Human factors seminar Applied human factors: Hazard analysis Gareth Hughes, Manager Human Factors zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA December 2015 Agenda ASA Human Factors team who we are Hazard analysis

844 views • 65 slides
HFACS Who Would Have Thought? Scott A. Shappell, Ph.D. HUMAN FACTORS Necessity is the

HFACS Who Would Have Thought? Scott A. Shappell, Ph.D. HUMAN FACTORS Necessity is the

HFACS Who Would Have Thought? Scott A. Shappell, Ph.D. HUMAN FACTORS Necessity is the Mother of Invention HUMAN FACTORS Swiss Cheese Model of Human Error Inputs Organizational Influences Supervisory Factors Preconditions for

235 views • 19 slides
an air carrier International Air Safety Summit November 13, 2018 Challenges of Human Factors and

an air carrier International Air Safety Summit November 13, 2018 Challenges of Human Factors and

Integrating human factors and SMS at an air carrier International Air Safety Summit November 13, 2018 Challenges of Human Factors and SMS integration Human Factors in design Engineering human factors considerations into our processes

451 views • 20 slides
Human factors Ruth Aylett Topics Human senses and their limitations Sight Hearing

Human factors Ruth Aylett Topics Human senses and their limitations Sight Hearing

Human factors Ruth Aylett Topics Human senses and their limitations Sight Hearing Touch Vestibular system Health and safety issues Why are human factors important? Human capabilities define desired technology

687 views • 25 slides
Human Factors in Aviation A CAANZ Perspective Scope Human Factors Airline flight operations

Human Factors in Aviation A CAANZ Perspective Scope Human Factors Airline flight operations

Human Factors in Aviation A CAANZ Perspective Scope Human Factors Airline flight operations Maintenance Aviation risk Regulatory approach SMS A dynamic industry Rule Development Part 121 (large aeroplanes) Crew

351 views • 24 slides
Human Factors in Healthcare Safety Andrea L. Cooks, HFE, MS Human Factors Consultant Mary Jo

Human Factors in Healthcare Safety Andrea L. Cooks, HFE, MS Human Factors Consultant Mary Jo

4/4/2018 Human Factors in Healthcare Safety Andrea L. Cooks, HFE, MS Human Factors Consultant Mary Jo Giaccone, MSN, RN, CPPS Director Patient Safety, Regulatory, & Accreditation Nursing Grand Rounds March 14, 2018 Agenda What is

132 views • 12 slides
Human Factors in Medical a discipline concerned with specifying Modeling and Simulation the

Human Factors in Medical a discipline concerned with specifying Modeling and Simulation the

Human Factors Engineering Human Factors in Medical a discipline concerned with specifying Modeling and Simulation the capacities and limitations of the human and designing machines that Mark W. Scerbo, Ph. D. accommodate the limits of the

140 views • 9 slides
The Role of Human Factors in Psychological Safety Dr. Yin Shanqing Senior Principal Human

The Role of Human Factors in Psychological Safety Dr. Yin Shanqing Senior Principal Human

The Role of Human Factors in Psychological Safety Dr. Yin Shanqing Senior Principal Human Factors Specialist Quality, Safety, & Risk Management Do you feel safe right now? 2 Will You Always Do What is Right Shared belief that the team

457 views • 34 slides
Human Factors and Model Based Systems Engineering Chris Vance Head of Human Factors MBDA This

Human Factors and Model Based Systems Engineering Chris Vance Head of Human Factors MBDA This

Human Factors and Model Based Systems Engineering Chris Vance Head of Human Factors MBDA This document and the information contained herein is proprietary information of MBDA and shall not be disclosed or reproduced without the prior

637 views • 45 slides
ME Forum 2019 Orientation & Human Factors Into Improvement Rollin J Terry Fairbanks, MD

ME Forum 2019 Orientation & Human Factors Into Improvement Rollin J Terry Fairbanks, MD

Integrating Safety Science ME Forum 2019 Orientation & Human Factors Into Improvement Rollin J Terry Fairbanks, MD MS CPPS Founding Director, National Center for Human Factors in Healthcare Professor of Emergency Medicine, Georgetown

572 views • 53 slides
Human factors in ship design and operation: Challenges related to digitalization and automation

Human factors in ship design and operation: Challenges related to digitalization and automation

A presentation of Human factors in ship design and operation: Challenges related to digitalization and automation based on A PhD thesis by Vincentius Rumawas Department of Marine Technology @HFC Human Factors in Control Meeting:

551 views • 40 slides
Human factors in ship design and operation: Challenges related to digitalization and automation

Human factors in ship design and operation: Challenges related to digitalization and automation

A presentation of Human factors in ship design and operation: Challenges related to digitalization and automation based on A PhD thesis by Vincentius Rumawas Department of Marine Technology @HFC Human Factors in Control Meeting:

423 views • 40 slides
INTRODUCING THE FROM ERGONOMICS; A MEDICAL DEFINITION HUMAN ENGINEERING OR HUMAN FACTORS

INTRODUCING THE FROM ERGONOMICS; A MEDICAL DEFINITION HUMAN ENGINEERING OR HUMAN FACTORS

INTRODUCING THE FROM ERGONOMICS; A MEDICAL DEFINITION HUMAN ENGINEERING OR HUMAN FACTORS ENGINEERING An applied science concerned with the characteristics of people that need to be considered in designing things that they use in order that

364 views • 23 slides
Launchpad GPG & SSH Key Basics Class on making and importing your own GPG & SSH Key(s)

Launchpad GPG & SSH Key Basics Class on making and importing your own GPG & SSH Key(s)

Launchpad GPG & SSH Key Basics Class on making and importing your own GPG & SSH Key(s) into Launchpad Making your GPG Key Ok the things you'll need for this process. 1) Email Client such as Thunderbird. 2) A GPG/PGP Key Plugin for

449 views • 6 slides
Secure Messaging Some slides adapted from Dr. Raluca Ada Popa at UC Berkeley End to End

Secure Messaging Some slides adapted from Dr. Raluca Ada Popa at UC Berkeley End to End

Secure Messaging Some slides adapted from Dr. Raluca Ada Popa at UC Berkeley End to End Encryption Only the two parties communicating can decrypt messages Forward Secrecy Key compromise doesnt compromise past session keys

424 views • 23 slides
Universality of group embeddability Filippo Calderoni University of Turin Polytechnic di Turin

Universality of group embeddability Filippo Calderoni University of Turin Polytechnic di Turin

Universality of group embeddability Filippo Calderoni University of Turin Polytechnic di Turin 27th July 2016 1/22 Borel reducibility In the framework of Borel reducibility, relations are defined over Polish or standard Borel spaces.

467 views • 44 slides
Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recap Symmetric keys Benefit: fastest, mathematically the strongest Drawback:

425 views • 23 slides
Reaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler

Reaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler

Reaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler August 2018 DEF CON 26 Public keys what for? Break them! Retrieve the private keys Show how easy it is If we can do it

684 views • 31 slides
Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why it was created? Cryptographic protocol Paper in 2004 by Ian Goldberg , Nikita Borisov and Eric Brewer Conversations in the

299 views • 18 slides
GPG4LIBRE: OPENPGP SIGNING & ENCRYPTION IN LIBREOFFICE LIBREOFFICE CONFERENCE ROME OCTOBER

GPG4LIBRE: OPENPGP SIGNING & ENCRYPTION IN LIBREOFFICE LIBREOFFICE CONFERENCE ROME OCTOBER

GPG4LIBRE: OPENPGP SIGNING & ENCRYPTION IN LIBREOFFICE LIBREOFFICE CONFERENCE ROME OCTOBER 12TH, 2017 Thorsten.Behrens@cib.de GPG4LIBRE - MOTIVATION we dont do enough crypto yet! put encryption and signing at users finger tips

188 views • 17 slides
On P olya Urn Scheme with Infinitely Many Colors DEBLEENA THACKER Indian Statistical

On P olya Urn Scheme with Infinitely Many Colors DEBLEENA THACKER Indian Statistical

On P olya Urn Scheme with Infinitely Many Colors DEBLEENA THACKER Indian Statistical Institute, New Delhi Joint work with: ANTAR BANDYOPADHYAY, Indian Statistical Institute, New Delhi. Genaralization of the Polya Urn scheme to infinitely many

924 views • 46 slides

More recommend