usability
play

Usability Engineering Secure Software Last Revised: October 28, - PowerPoint PPT Presentation

Sep 04, 2023 •442 likes •753 views

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Quote: Taher El-Gamal, Inventor of SSL Security professionals always struggle with the general public because

  1. Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1

  2. Quote: Taher El-Gamal, Inventor of SSL “Security professionals always struggle with the general public because usability always wins.” Source: https://www.cnet.com/ Source: https://en.wikipedia.org/ SWEN-331: Engineering Secure Software Benjamin S Meyers 2

  3. Users are NOT the Enemy Security mechanisms are designed, implemented, applied, ● maintained, and breached by people Human factors is the key ○ Hackers can leverage human factors, too (e.g. social engineering, ○ “rubber hose” cryptanalysis) Why do users not adhere to security criteria? ● Lack of security knowledge ○ Lack of motivation ○ Users are guided by what they actually see -- or don’t see ○ Developers not considering human factors with respect to ○ security mechanisms (e.g. constantly changing passwords) SWEN-331: Engineering Secure Software Benjamin S Meyers 3

  4. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● SWEN-331: Engineering Secure Software Benjamin S Meyers 4

  5. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● Balloon Giraffe Sphinx SWEN-331: Engineering Secure Software Benjamin S Meyers 5

  6. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● SWEN-331: Engineering Secure Software Benjamin S Meyers 6

  7. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● Ball Moon Jerry Alex India Chair Graph SWEN-331: Engineering Secure Software Benjamin S Meyers 7

  8. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● SWEN-331: Engineering Secure Software Benjamin S Meyers 8

  9. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● Be Pluto Daisy All Train Byte Lime Fact Screen Zoo SWEN-331: Engineering Secure Software Benjamin S Meyers 9

  10. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● Users will use externalization to cope ● Sticky notes, password managers ○ Facilitates insider attacks ○ Source: https://www.lastpass.com/ Source: https://www.flickr.com/ SWEN-331: Engineering Secure Software Benjamin S Meyers 10 10

  11. Human Factors Minimize the mental workload for the user ● Recognition rather than recall (e.g. recognize images) ○ Forgiving mechanisms (93% successful login with 9th attempt) ○ Realistic security vs. theoretical security ■ Resetting passwords overload help desks ■ Delay logins instead of lockouts ■ Source: https://thycotic.com/products/password-reset-server/user-experience/ SWEN-331: Engineering Secure Software Benjamin S Meyers 11 11

  12. Human Factors Awkward behavior ● e.g. organizations mandate that users must lock their screens ○ when leaving their desks, even for brief periods Users will not comply with security mechanisms that conflict ○ with their values or self-image Solution: label such behaviors positively ○ Source: https://tenor.com/ SWEN-331: Engineering Secure Software Benjamin S Meyers 12 12

  13. Usability of Permission Granting Global resources Prompts (iOS, browsers) ● ● e.g. smartphones expose a Used to verify user intent ○ ○ global clipboard to apps Repetitiveness teaches users ○ User friendly to ignore them ○ Violates least-privilege (prompt-fatigue) ○ Manifests (Android, WinPhone) User-driven access controls ● ● Out of context: checked at Via access control gadgets ○ ○ time of install, not time of use Captures users’ intent, ○ Disruptive: only prompted at minimizes interaction ○ first use to avoid Enables in-context, ○ prompt-fatigue non-disruptive, and Violates least-privilege least-privilege permission ○ granting SWEN-331: Engineering Secure Software Benjamin S Meyers 13 13

  14. Usability of Permission Granting SWEN-331: Engineering Secure Software Benjamin S Meyers 14 14

  15. Usability of Authentication Mechanisms Criteria for assuring password security ● Composition (length, valid characters) ○ Lifetime ○ Ownership (individual vs. group) ○ Source: https://xkcd.com/936/ SWEN-331: Engineering Secure Software Benjamin S Meyers 15 15

  16. Usability of Authentication Mechanisms Attacked by phishing ● Protection software ● Password alert extension for Chrome ○ New login alerts ○ Source: https://chrome.google.com/ SWEN-331: Engineering Secure Software Benjamin S Meyers 16 16

  17. Usability of Authentication Mechanisms Recall-based graphical passwords ● Recall-based (drametric systems) ○ Users recall and reproduce a secret drawing (grid or canvas) ○ Drawbacks: phishing, easy to guess ○ Source: https://arstechnica.com/ Source: www.researchgate.net/ SWEN-331: Engineering Secure Software Benjamin S Meyers 17 17

  18. Usability of Authentication Mechanisms Recognition-based graphical passwords ● Recognition-based (cognometric systems) ○ Users memorize a portfolio of images during password creation ○ and then recognize their images from among decoys to login More difficult to be phished ○ Drawbacks: limited memory, ○ shoulder-surfing Source: semanticscholar.org/ SWEN-331: Engineering Secure Software Benjamin S Meyers 18 18

  19. Usability of Authentication Mechanisms Cued-recall graphical passwords ● Cued-recall (locimetric systems) ○ Users remember and target specific locations in an image ○ Tolerance area of 14x14 pixels ○ Easier memory task than pure recall ○ Drawback: vulnerable to visual ○ hotspots and simple geometric patterns in images Source: semanticscholar.org/ SWEN-331: Engineering Secure Software Benjamin S Meyers 19 19

  20. Usability of Authentication Mechanisms Multi-Factor Authentication ● Something you know → passwords, image recognition ○ Passwords are bad ■ Something you have → auth app, YubiKey ○ Mobile authenticators are annoying ■ Something you are → fingerprints, facial recognition ○ Biometrics have high false-positive rates ■ Source: https://blockspot.io/ Source: computer.howstuffworks.com SWEN-331: Engineering Secure Software Benjamin S Meyers 20 20

  21. Usability of Authentication Mechanisms Continuous Authentication ● Auth mechanism continuously verifies that you’re still you ○ e.g. regular pings for your phone’s location ○ e.g. are you typing the way you normally do? ○ e.g. are you clicking what you normally click? ○ e.g. continuous facial recognition ○ If the system thinks you might not be you, it can prompt you for ○ more information → password, card number, fingerprint Drawbacks: ○ Resource consumption ■ Not always possible ■ Needs a failsafe (which needs to be secure) ■ SWEN-331: Engineering Secure Software Benjamin S Meyers 21 21

  22. Authorization Over Authentication Sign in with Google/GitHub/Facebook ● Instead of creating a new account (with a new password), ○ authorize the app/site to authenticate you using another service Pros: ○ Centralized management/revoking ■ Less passwords to remember ■ Cons: ○ Single point of failure ■ What if Microsoft buys GitHub? ■ SWEN-331: Engineering Secure Software Benjamin S Meyers 22 22

  23. Vulnerabilities are a Usability Problem Every developer mistake could be justified as a usability ● mistake (e.g. misusing C) Software vulnerabilities are blind spots in developers’ ● heuristic-based decision-making processes Humans use heuristics (simple computational models) to find ○ feasible (not optimized) solutions quickly due to: Limitation of working memory ■ Cognitive effort ■ Source: fotosearch.com.br SWEN-331: Engineering Secure Software Benjamin S Meyers 23 23

  24. Development Tools Can Help Reusable components that accomplish a single task ● e.g. SSL/TLS implementations (Java, OpenSSL) ○ Security information should research users (app developers) ● when they need it, on the spot e.g. IDE’s, text editors, browsers, compilers, etc. bring security ○ information while coding SWEN-331: Engineering Secure Software Benjamin S Meyers 24 24

  25. Example: PGP “Why Johnny Can’t Encrypt” [USENIX 1999, Whitten et al.] ● Advanced technical users failed to encrypt and decrypt their ○ mail using PGP 5.0, even after receiving instruction and practice Encryption is a complex concept ○ Terminology employed is fundamentally at odds with everyday ○ language (e.g. key, private, public) Corroborated by similar studies ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 25 25

  26. Usable OpenSSL → Confusion OpenSSL is an open source implementation for SSL/TLS ● Cryptography library written in C ○ Easy to use for simple encryption ○ Becomes synonym for “secure” ○ # Encrypt “I love OpenSSL!” with AES and 256 bits of encryption > touch plain.txt > echo “I love OpenSSL!” > plain.txt > openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin enter aes-256-cbc encryption password: hello Verifying - enter aes-256-cbc encryption password: hello # Decrypt > openssl enc -aes-256-cbc -d -in encrypted.bin -pass pass:hello I love OpenSSL! SWEN-331: Engineering Secure Software Benjamin S Meyers 26 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Do gma 1 Deliverables from usability professionals must be highly usable Reports,

Do gma 1 Deliverables from usability professionals must be highly usable Reports,

Myths about usability testing Copies of Slides U X Day Graz 2013 F ive use rs will find 85% o f the usability pro ble ms Rolf Molich - and o the r myths abo ut DialogDesign usability te sting Do gma 1 Deliverables from

659 views • 18 slides
Rigorous Evaluation Usability Testing To Review - What is Usability? A measure of the quality

Rigorous Evaluation Usability Testing To Review - What is Usability? A measure of the quality

Rigorous Evaluation Usability Testing To Review - What is Usability? A measure of the quality of the users experience when interacting with a product or system How usable is the interface? Usability Measures Ease of learning

912 views • 24 slides
USABILITY INTRODUCTION USABILITY AND USER INTERFACE DESIGN TO BE PREPARED FOR THIS CLASS YOU

USABILITY INTRODUCTION USABILITY AND USER INTERFACE DESIGN TO BE PREPARED FOR THIS CLASS YOU

USABILITY INTRODUCTION USABILITY AND USER INTERFACE DESIGN TO BE PREPARED FOR THIS CLASS YOU WILL HAVE WORKED THROUGH THE LYNDA.COM UX-1 SECTION. FOR THIS CLASS USABILITY WHAT is Usability? WHY is Usability important? USER

611 views • 21 slides
Web Design and Usability CSE 190 M (Web Programming) Spring 2007 University of Washington

Web Design and Usability CSE 190 M (Web Programming) Spring 2007 University of Washington

CSE 190 M: Web Design and Usability Page 1 Web Design and Usability CSE 190 M (Web Programming) Spring 2007 University of Washington References: J. Nielsen's Designing Web Usability (2) What is usability? usability: the effectiveness with

187 views • 6 slides
Usability and Eye Tracking Marco Pretorius Usability Manager & Researcher UNISA: School of

Usability and Eye Tracking Marco Pretorius Usability Manager & Researcher UNISA: School of

Usability and Eye Tracking Marco Pretorius Usability Manager & Researcher UNISA: School of Computing Agenda Introduction What is usability? User-centered design Eye tracking Benefits and ROI UNISA usability

931 views • 60 slides
Ergonomi mics and usability usability tes3ng s3ng in in the the de design sign of f

Ergonomi mics and usability usability tes3ng s3ng in in the the de design sign of f

Ergonomi mics and usability usability tes3ng s3ng in in the the de design sign of f applic applica3o a3ons f ns for c r chr hronic nic c condi3o ndi3on n ma manageme ment and health promo mo3on Ba Backg ckgrou ound

637 views • 34 slides
Topics in Usability Testing [Reading assignment: Chapter 11, pp. 169-182] Software Usability

Topics in Usability Testing [Reading assignment: Chapter 11, pp. 169-182] Software Usability

Topics in Usability Testing [Reading assignment: Chapter 11, pp. 169-182] Software Usability Eventually a person will interact with a software system. Software usability is how: appropriate functional effective that

678 views • 21 slides
My Background curiosities and interests getting a career Usability A recent

My Background curiosities and interests getting a career Usability A recent

Agenda My Background curiosities and interests getting a career Usability A recent gradate perspective Usability in the industry Some good usability resources. 2 Auckland University CS 345 My background Psychology

511 views • 5 slides
AMIA Usability Task Force HIMSS Usability Task Force Robert Schumacher, Janey Barnes

AMIA Usability Task Force HIMSS Usability Task Force Robert Schumacher, Janey Barnes

AMIA Usability Task Force HIMSS Usability Task Force Robert Schumacher, Janey Barnes original learning module creators Formative Usability Testing is a methodology used to obtain qual alitati ative r e reacti tion ons to

327 views • 15 slides
Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing

Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing

Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing using a structured process Validate adherence to interaction requirements Actual users who perform realistic and representative tasks

490 views • 38 slides
Universal Usability Ethical, good business, the law SWEN-444 Topics Universal usability and

Universal Usability Ethical, good business, the law SWEN-444 Topics Universal usability and

Universal Usability Ethical, good business, the law SWEN-444 Topics Universal usability and software ethics Visually impaired Deaf and hard of hearing Dexterity and mobility impairments Section 508 the law Universal

593 views • 33 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Medical Device Usability David Adams Global Head, Active Medical Devices Add logo on slide 4

Medical Device Usability David Adams Global Head, Active Medical Devices Add logo on slide 4

Medical Device Usability David Adams Global Head, Active Medical Devices Add logo on slide 4 here Topics What is usability? Why usability is so important The regulatory requirements EN 62366 Usability engineering process

789 views • 38 slides
SunyoungKim,PhD Last class Normans design principles Recap. Usability Usability is a

SunyoungKim,PhD Last class Normans design principles Recap. Usability Usability is a

Human-Computer Interaction 18. Design Mobile Design Principles SunyoungKim,PhD Last class Normans design principles Recap. Usability Usability is a measure of the effectiveness, efficiency and satisfaction with which specified

921 views • 75 slides
Perceived Usability Usefulness and measurement James R. Lewis, PhD, CHFP Distinguished User

Perceived Usability Usefulness and measurement James R. Lewis, PhD, CHFP Distinguished User

Perceived Usability Usefulness and measurement James R. Lewis, PhD, CHFP Distinguished User Experience Researcher jim@measuringu.com What is Usability? Earliest known (so far) modern use of term usability Refrigerator ad from

475 views • 35 slides
KDE Usability Project August 9 2008 Celeste Lyn Paul celeste@kde.org KDE Usability Project

KDE Usability Project August 9 2008 Celeste Lyn Paul celeste@kde.org KDE Usability Project

1 The Past, Present, and Future of the KDE Usability Project Looking Back and Moving Forward The Past, Present and Future of the KDE Usability Project August 9 2008 Celeste Lyn Paul celeste@kde.org KDE Usability Project usability.kde.org

780 views • 48 slides
AIRS Educa+on and Public Outreach NASA Sounder Science Team Mee1ng Nov 35, 2010 Sharon Ray,

AIRS Educa+on and Public Outreach NASA Sounder Science Team Mee1ng Nov 35, 2010 Sharon Ray,

Jet Propulsion Laboratory California Institute of Technology AIRS Educa+on and Public Outreach NASA Sounder Science Team Mee1ng Nov 35, 2010 Sharon Ray, AIRS Outreach Lead New AIRS Web Site Launched 9.13.10 Jet Propulsion Laboratory

463 views • 20 slides
Faceted Searching With Apache Solr October 13, 2006 Chris Hostetter hossman apache org

Faceted Searching With Apache Solr October 13, 2006 Chris Hostetter hossman apache org

Faceted Searching With Apache Solr October 13, 2006 Chris Hostetter hossman apache org http://incubator.apache.org/solr/ What is Faceted Searching? 2 Example: Epicurious.com 3 Example: Nabble.com 4 Example: CNET.com 5 Aka:

774 views • 35 slides
Online Fundraising Certification Training Email Fundraising Donation & Landing Pages

Online Fundraising Certification Training Email Fundraising Donation & Landing Pages

Online Fundraising Certification Training Email Fundraising Donation & Landing Pages Facebook Donor Acquisition NEXTAFTER.COM/TRAINING The Essential Conference for Online Fundraising And Digital marketing 2 Days 16 +

1.47k views • 126 slides
Thread-level Analysis over Technical User Forum Data Li Wang, Su Nam Kim and Timothy Baldwin

Thread-level Analysis over Technical User Forum Data Li Wang, Su Nam Kim and Timothy Baldwin

Thread-level Analysis over Technical User Forum Data Li Wang, Su Nam Kim and Timothy Baldwin NICTA VRL Department of Computer Science and Software Engineering University of Melbourne VIC 3010 Australia December 9, 2010 Introduction 2 / 23

606 views • 33 slides
IS THERE ANY MAGIC IN A FAMILY REPORT: HOW GOOD ARE EXPERT REPORTS IN THE FAMILY COURT? Chris

IS THERE ANY MAGIC IN A FAMILY REPORT: HOW GOOD ARE EXPERT REPORTS IN THE FAMILY COURT? Chris

IS THERE ANY MAGIC IN A FAMILY REPORT: HOW GOOD ARE EXPERT REPORTS IN THE FAMILY COURT? Chris Lennings, Alison ONeill and Katie Seidler LSC Psychology Sydney SIGNIFICANCE OF EXPERT REPORTS Expert psychological reports are a necessary

558 views • 30 slides
enteprise enteprise 2FA to your ownCloud 2FA to your ownCloud in 15 minutes in 15 minutes

enteprise enteprise 2FA to your ownCloud 2FA to your ownCloud in 15 minutes in 15 minutes

Add Add enteprise enteprise 2FA to your ownCloud 2FA to your ownCloud in 15 minutes in 15 minutes FOSDEM 2019, February 3rd Cornelius Klbel about me about me Cornelius Klbel 2FA since 2005 2014: privacyIDEA

918 views • 28 slides
Drupal, NetFlix, & Chill: Adaptive Bitrate Video Streaming Stephen Barker, Digital Frontiers

Drupal, NetFlix, & Chill: Adaptive Bitrate Video Streaming Stephen Barker, Digital Frontiers

Drupal, NetFlix, & Chill: Adaptive Bitrate Video Streaming Stephen Barker, Digital Frontiers Media, Inc. Dave Kopecek, Aisle 8, Inc. 1 The Problem Existing Site 400 HD videos Slow video loading/buffering/playback latency (10-11 seconds

838 views • 25 slides
What queries can the Domain mediator answer for me? Developer CLIDE Schema Schema

What queries can the Domain mediator answer for me? Developer CLIDE Schema Schema

Large-Scale Data Integration Systems Exporting and Interactively Querying Application Domain CNET Computer Developer Web Service-Accessed Sources: PCWorld Portals Application Application The CLIDE System

320 views • 9 slides

More recommend