security and human behavior
play

Security and human behavior Some material from Lorrie Cranor, Mike - PowerPoint PPT Presentation

Oct 28, 2023 •154 likes •886 views

Security and human behavior Some material from Lorrie Cranor, Mike Reiter, Rob Reeder, Blase Ur 1 In this lecture Overview Minimizing effort Case studies Password expiration, security images, password meters, implantable

  1. Security and human behavior Some material from Lorrie Cranor, Mike Reiter, Rob Reeder, Blase Ur 1

  2. In this lecture … • Overview • Minimizing effort • Case studies – Password expiration, security images, password meters, implantable devices 2

  3. Humans “Humans are incapable of securely storing high- quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations… But they are sufficiently pervasive that we must design our protocols around their limitations.” −− C. Kaufman, R. Perlman, and M. Speciner. Network Security: PRIVATE Communication in a PUBLIC World. 2nd edition. Prentice Hall, page 237, 2002. 3

  4. More on humans “Not long ago, [I] received an e-mail purporting to be from [my] bank. It looked perfectly legitimate, and asked [me] to verify some information. [I] started to follow the instructions, but then realized this might not be such a good idea … [I] definitely should have known better.” -- former FBI Director Robert Mueller 4

  5. And one more … “I think privacy is actually overvalued … If someone drained my cell phone, they would find a picture of my cat, some phone numbers, some email addresses, some email text. What’s the big deal?” -- Judge Richard Posner U.S. Court of Appeals, 7 th circuit 2014 5

  6. Better together Examining security/privacy and usability together is often critical for achieving either 6

  7. The human threat • Malicious humans • Humans who don’t know what to do • Unmotivated humans • Humans with human limitations 7

  8. Key challenges • Security is a se secondary ry ta task sk – Users are trying to get something else done • Security concepts are ha hard – Viruses, certificates, SSL, encryption, phishing • Human capabilities are lim imit ited 8

  9. Are you capable of remembering a unique strong password for every account you have? 9

  10. Key challenges • Security is a se secondary ry ta task sk • Security concepts are ha hard • Human capabilities are lim imit ited • Misaligned prio iorit itie ies 10

  11. Keep the Don’t lock bad guys out me out! Security User Expert 11

  12. Key challenges • Security is a se secondary ry ta task sk • Security concepts are ha hard • Human capabilities are lim imit ited • Misaligned prio iorit itie ies • Activ ive adversarie ies – Unlike ordinary UX 12

  13. 13

  14. Key challenges • Security is a se secondary ry ta task sk • Security concepts are ha hard • Human capabilities are lim imit ited • Misaligned prio iorit itie ies • Activ ive adversarie ies – Unlike ordinary UX • Habituation – The “crying wolf” problem 14

  15. KEY CHALLENGE EXAMPLE: HABITUATION 15

  16. Exercise: Draw a penny N o c h e • Draw a circle a t i n g ! • Sketch the layout of the four basic items on the front of a US penny – What are the items, and how are they positioned? • Hint: – Someone’s portrait (who?) – Two patriotic phrases – Another item – Extra credit: an item that some pennies have and some don’t 16

  17. Score your sketch • Score: – 1 for Abraham Lincoln – +1 for Abraham Lincoln facing right – +1 for “Liberty” – +1 for “Liberty” to Abe’s left – +1 for “In God We Trust” – +1 for “In God We Trust” over Abe’s head – +1 for the year – +1 for the year to Abe’s right – Extra credit: +1 for the mint letter under the year – -1 for every other item 17

  18. Lessons from Abe • You’ve probably seen hundreds of pennies – And yet, this is hard • Memory limitations – Remembering a penny isn’t important, unless you take this quiz! • Habituation – You see it so often, you don’t remember it anymore 18

  19. Habituation to warnings 19

  20. 20 Image courtesy of Johnathan Nightingale

  21. If it’s important, make it stand out SSL warning; risk low; yellow background Malware warning; risk very high; red background 21

  22. MINIMIZING EFFORT 22

  23. People are economical • Given two paths to a goal, they’ll take the shorter path • More steps = less likely they’ll be completed • Can they figure out what to do? – Too hard = give up and take easiest path 23

  24. 24

  25. 25

  26. 26

  27. 27

  28. 28

  29. 29

  30. 30

  31. “Good” security practices people don’t do • Install anti-virus software • Keep your OS and applications up-to-date • Change your passwords frequently * • Read a website’s privacy policy before using it • Regularly check accounts for unusual activity • Pay attention to the URL of a website • Research software’s reputation before installing • Enable your software firewall • Make regular backups of your data 31

  32. What can go wrong when you don’t consider human factors CASE STUDIES 32

  33. PASSWORD EXPIRATION AND USER BEHAVIOR 37

  34. Does password expiration improve security in practice? • Observatio ion – Users often respond to password expiration by transforming their previous passwords in small ways [Adams & Sasse 99] • Conje jecture – Attackers can exploit the similarity of passwords in the same account to predict the future password based on the old ones [Zhang et. al, CCS 2010] 38

  35. Empirical analysis • UNC “Onyen” logins – Broadly used by campus and hospital personnel – Password change required every 3 months – No repetition within 1 year • 51141 unsalted hashes, 10374 defunct accounts – 4 to 15 hashes per account in temporal order • Cracked ~8k accounts, 8 months, standard tools • Experimental set: 7752 accounts – At least one cracked password, NOT the last one 39

  36. Transform Trees “password” “pa$sword”? “Password”? p→ s→$ P p→ p→ s→$ s→$ P P “pa$$word”? “Pa$sword”? “Pa$sword”? ┴ • Approximation algorithm for optimal tree searching 40

  37. Location Independent Transforms CATEGORY EXAMPLE Capitalization tarheels#1 → tArheels#1 Deletion tarheels#1 → tarheels1 Duplication tarheels#1 → tarheels#11 Substitution tarheels#1 → tarheels#2 Insertion tarheels#1 → tarheels#12 Leet Transform tarheels#1 → t@rheels#1 Block Move tarheels#1 → #tarheels1 Keyboard Transform tarheels#1 → tarheels#! 41

  38. Evaluation • Pick a known plaintext, non-last password (OLD) • Pick any later password (NEW) • Attempt to crack NEW with transform tree rooted at OLD 42

  39. Results: Offline Attack Within 3 Seconds !! 41% 50% 41% 39% 30% 37% 40% 28% Success rate 26% 28% 30% 24% 25% 20% 17% depth 4 10% depth 3 depth 2 0% depth 1 Edit Dist Edit w/ Loc Ind Mov Pruned Takeaway: Memory limitations, convenience 43

  40. SECURITY IMAGES AND THE ADVERSARY PROBLEM 44

  41. [Lee et. al, Internet Computing 2014] 45

  42. Goal: Prevent phishing If you do not recognize your Personal Security Image & Caption then DO NOT enter your password! 46

  43. Study design • Participants recruited via MTurk • Each day, receive an email with a small $ amount. Log in and “report” the deposit. • At the end of the study, receive the amount “deposited.” • On last day, security image is absent: “Under maintenance.” • Will participants log in? 47

  44. Varieties of security images • Control • Large, blinking • Interactive (click, type a word) • Custom image • No caption • Also: security priming, less habituation 48

  45. Results • 80-100% claimed they looked at the image, but: • 73% entered passwords despite no image • No significant differences by image type • Users with stronger passwords logged in less often (65% to 80%) Takeaway: Attention failure, misaligned priorities, misunderstanding security concepts 49

  46. PASSWORD METERS AND MOTIVATING YOUR USERS 50

  47. Password Meters … • … come in all shapes and sizes [Ur et. al, USENIX Sec 2012] 51

  48. Experimental setup • No meter • Baseline (boring) meter • Visual differences – Size, text only • Dancing bunnies (wait and see) • Scoring differences – Same password scores differently 52

  49. Conditions with Visual Differences 53

  50. Conditions with Visual Differences 54

  51. Conditions with Visual Differences 55

  52. Conditions with Visual Differences 56

  53. Conditions with Visual Differences 57

  54. Conditions with Visual Differences 58

  55. Bunny Condition 59

  56. Bunny Condition 60

  57. Conditions with Scoring Differences 61

  58. Conditions with Scoring Differences 62

  59. Conditions with Scoring Differences 63

  60. Conditions with Scoring Differences 64

  61. Conditions with Scoring Differences 65

  62. Conditions with Scoring Differences 66

  63. Conditions with Scoring Differences 67

  64. Password Meters (Scoring) Weak Medium Strong 5×10 8 5×10 10 5×10 12 50% No meter Percentage of Passwords Cracked Baseline meter 40% Nudge-comp8 Bold text-only half 30% Text-only half Nudge-16 One-third-score 20% Half-score 10% 0% 10 10 10 11 10 12 10 4 10 8 10 5 10 6 10 7 10 9 10 13 Number of Guesses 68

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security and Social Context or Why Facebook is Worth Fixing Security and Human Behavior Jun 12,

Security and Social Context or Why Facebook is Worth Fixing Security and Human Behavior Jun 12,

Security and Social Context or Why Facebook is Worth Fixing Security and Human Behavior Jun 12, 2009 Joseph Bonneau, Computer Laboratory Today I) Culture gap on social networks is hurting security II) The future of the internet is social

762 views • 17 slides
UT^2: Human-like Behavior via Neuroevolution of Combat Behavior and Replay of Human Traces Jacob

UT^2: Human-like Behavior via Neuroevolution of Combat Behavior and Replay of Human Traces Jacob

UT^2: Human-like Behavior via Neuroevolution of Combat Behavior and Replay of Human Traces Jacob Schrum, Igor Karpov, and Risto Miikkulainen {schrum2,ikarpov,risto}@cs.utexas.edu Our Approach: UT^2 Evolve skilled combat behavior

488 views • 26 slides
Introduction to Design Topics Human Behavior UX Design Testing and Feedback Tools

Introduction to Design Topics Human Behavior UX Design Testing and Feedback Tools

Introduction to Design Topics Human Behavior UX Design Testing and Feedback Tools Human Behavior Human Behavior We conserve brainpower We dont read, we scan We satisfice We muddle our way through We hate

809 views • 41 slides
Validation Graybars 1 st Law of Human Behavior All

Validation Graybars 1 st Law of Human Behavior All

Chris McCurry, Ph.D. ABCD, Inc., P.S. Validation Graybars 1 st Law of Human Behavior All behavior is a message, and a behavior

665 views • 3 slides
Simulating the Behavior of the Human Brain on NVIDIA GPUs (Human Brain Project) Pedro

Simulating the Behavior of the Human Brain on NVIDIA GPUs (Human Brain Project) Pedro

www.bsc.es Simulating the Behavior of the Human Brain on NVIDIA GPUs (Human Brain Project) Pedro Valero-Lara, Ivan Mart nez-Prez, Antonio J. Pea, Xavier Martorell, Ral Sirvent, and Jess Labarta Munich, 09-11-2018 Human Brain

146 views • 14 slides
1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN

1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN

1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN SECURITY CONCEPT According to the human security principles PROTECTION OBJECTIVE TOP-DOWN Support the formulation of public policies (gender,

1.15k views • 14 slides
SPE-165611 The Human Chain - A Different Approach to Behavior Safety Program Through the Use of

SPE-165611 The Human Chain - A Different Approach to Behavior Safety Program Through the Use of

SPE-165611 The Human Chain - A Different Approach to Behavior Safety Program Through the Use of Social Marketing Concepts Dr. Elie Daher Slide 2 The Impact of Behavior on Safety Big improvements made in engineering and safety

171 views • 15 slides
A STUDY ON THE BEHAVIOR ANALYSIS OF HUMAN RIGHT A STUDY ON THE BEHAV OF HUMAN RIGHT ARM UNDER

A STUDY ON THE BEHAVIOR ANALYSIS OF HUMAN RIGHT A STUDY ON THE BEHAV OF HUMAN RIGHT ARM UNDER

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE COMPOSITE MATERIALS A STUDY ON THE BEHAVIOR ANALYSIS OF HUMAN RIGHT A STUDY ON THE BEHAV OF HUMAN RIGHT ARM UNDER IMPACT CON ARM UNDER IMPACT CONDITION DITION J. Chae 1 *, E. Choe 1 , J. Lee 1 , H.

522 views • 6 slides
GAME THEORETICAL INFERENCE OF HUMAN BEHAVIOR IN SOCIAL NETWORKS Symposium on Resilience and

GAME THEORETICAL INFERENCE OF HUMAN BEHAVIOR IN SOCIAL NETWORKS Symposium on Resilience and

GAME THEORETICAL INFERENCE OF HUMAN BEHAVIOR IN SOCIAL NETWORKS Symposium on Resilience and performance of networked systems Zrich, 16.01.2020 [N. Pagan & F. Drfler, Game theoretical inference of human behavior in social

643 views • 40 slides
Cyber Cybersecurity security Wher here do w e do we stand? e stand? HUMAN HUMAN FACT

Cyber Cybersecurity security Wher here do w e do we stand? e stand? HUMAN HUMAN FACT

Cyber Cybersecurity security Wher here do w e do we stand? e stand? HUMAN HUMAN FACT CTOR OR Hussein Hassanali Chief Information Security Officer, Bank AL Habib Limited & President, ISACA Karachi Chapter UBL Funds Culture

376 views • 19 slides
Psychology of Security Security as human behaviour and experience Stefan Schumacher

Psychology of Security Security as human behaviour and experience Stefan Schumacher

Intro Fundamental Research Organizational Development and Security Cultural Differences Didactics of Security Knowledge Base Psychology of Security Security as human behaviour and experience Stefan Schumacher

721 views • 43 slides
Psychology of Security Security as human behaviour and experience Stefan Schumacher

Psychology of Security Security as human behaviour and experience Stefan Schumacher

Intro Fundamental Research Organizational Development and Security Cultural Differences Didactics of Security Knowledge Base Psychology of Security Security as human behaviour and experience Stefan Schumacher

495 views • 34 slides
What Social Scientists Know Research-based Practices for Promoting Conservation Behavior Lucy

What Social Scientists Know Research-based Practices for Promoting Conservation Behavior Lucy

What Social Scientists Know Research-based Practices for Promoting Conservation Behavior Lucy Gertz Understanding Human Behavior All human actions have one or more of these seven causes: chance, nature, compulsion, habits, reason,

759 views • 42 slides
CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

Overview CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human Security 3.Program Security Security Computer security threats Unintentional: - Coding faults - Operational faults -

238 views • 8 slides
Philosophy of Mind- Toward a Unified Theory of Human Behavior and Consciousness DANIELLE JOHNSON

Philosophy of Mind- Toward a Unified Theory of Human Behavior and Consciousness DANIELLE JOHNSON

Philosophy of Mind- Toward a Unified Theory of Human Behavior and Consciousness DANIELLE JOHNSON PHD FERMI SOCIETY OF PHILOSOPHY FEBRUARY 14, 2020 History of The Wall Alleviate Human Solve Science Suffering Biology The Self

445 views • 20 slides
Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System

Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System

Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System Administrators Christian Tiefenau , Maximilian Hring, Katharina Krombholz, Emanuel von Zezschwitz @chrizzlz @cathykxx Usable Security and Privacy Lab,

596 views • 12 slides
DSLs in the Cloud with Eclipse Technologies Jan Khnlein Miro Spnemann @jankoehnlein

DSLs in the Cloud with Eclipse Technologies Jan Khnlein Miro Spnemann @jankoehnlein

DSLs in the Cloud with Eclipse Technologies Jan Khnlein Miro Spnemann @jankoehnlein @sponemann The Aim: A DSL Tool in the Browser Code Generator Graphical View Workspace and Tool Integration Intelligent DSL Editor

611 views • 34 slides
An introduction to a BA(hons) Events and Festival Management degree Wh Why y QM QMU?

An introduction to a BA(hons) Events and Festival Management degree Wh Why y QM QMU?

An introduction to a BA(hons) Events and Festival Management degree Wh Why y QM QMU? Friendly, supportive and approachable Academic, yet vocationally focused Innovative mix of teaching and learning methods Excellent employment

645 views • 15 slides
How much colon should be resected? Surgical Standard of Care and Operative Techniques Classic

How much colon should be resected? Surgical Standard of Care and Operative Techniques Classic

Colon Cancer How much colon should be resected? Surgical Standard of Care and Operative Techniques Classic teaching 5 cm margin on either side of tumor Concern regarding microscopic intramural spread Shrinkage of margins 45%

356 views • 9 slides
Hypothesis testing Hypothesis tests are most often used to make a statement about superiority,

Hypothesis testing Hypothesis tests are most often used to make a statement about superiority,

Hypothesis testing Hypothesis tests are most often used to make a statement about superiority, inferiority or equality of treatments. Confidence intervals do contain this information also, but the conclusion is a bit more difficult to extract.

242 views • 13 slides
Event details 28 May 2016 (Sat) 0730 1100 Sengkang Hockey Stadium Sec 1 3 students

Event details 28 May 2016 (Sat) 0730 1100 Sengkang Hockey Stadium Sec 1 3 students

Event details 28 May 2016 (Sat) 0730 1100 Sengkang Hockey Stadium Sec 1 3 students Guests Alumni Compulsory Ex-staff Attire Sec 4 5 students PE t-shirt (Your own Families of staff and students

430 views • 21 slides
Multi-modal Face Recognition Hu Han hanhu@ict.ac.cn http: / / vipl.ict.ac.cn/ members/ hhan

Multi-modal Face Recognition Hu Han hanhu@ict.ac.cn http: / / vipl.ict.ac.cn/ members/ hhan

Multi-modal Face Recognition Hu Han hanhu@ict.ac.cn http: / / vipl.ict.ac.cn/ members/ hhan 2016/ 04/ 06 2 Trend on multi-modal (face) recognition Multi-modal & cross-modal FR Conclusion and discussion hanhu@ict.ac.cn

773 views • 49 slides
Entrepreneurship & Innovation Programs Neil Kane Director of Undergraduate Entrepreneurship

Entrepreneurship & Innovation Programs Neil Kane Director of Undergraduate Entrepreneurship

Entrepreneurship & Innovation Programs Neil Kane Director of Undergraduate Entrepreneurship nkane@msu.edu 312-404-3507 Online or Not? Minor in Entrepreneurship and Innovation Open to any student in any college 15 credit-hours

462 views • 10 slides
Relax into Enlightenment C R I M S O N C I R C L E N E T W O R K S H O U D 4 , D E C E M B E

Relax into Enlightenment C R I M S O N C I R C L E N E T W O R K S H O U D 4 , D E C E M B E

Relax into Enlightenment C R I M S O N C I R C L E N E T W O R K S H O U D 4 , D E C E M B E R 2 0 1 7 SHOUD RECAP Recent Events Christmas Party! Upcoming Shaumbra Events Colorado January 2018 Adamus Saint-Germains annual

880 views • 63 slides

More recommend