usable security and the human in the loop
play

Usable security and the human in the loop Michelle Mazurek Some - PowerPoint PPT Presentation

Apr 01, 2023 •164 likes •985 views

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang 1 Todays class Introducing me Introducing you Human Factors for Security and

  1. Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang 1

  2. Today’s class • Introducing me • Introducing you • Human Factors for Security and Privacy? • Course policies and syllabus • The human in the loop 2

  3. Who am I? • Michelle Mazurek (mmazurek@umd.edu) • Assistant professor, CS and UMIACS • Affiliated with MC2 and HCIL • Office hours: Tues 2-3 pm in AVW 3421, or by appointment 3

  4. Who are you? • Preferred name • Academic program, adviser if applicable • Background in HCI (a lot, a little, none) • Background in security/privacy (a lot, a little, none) • Why this course? 4

  5. Humans “Humans are incapable of securely storing high- quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations… But they are sufficiently pervasive that we must design our protocols around their limitations.” −− C. Kaufman, R. Perlman, and M. Speciner. Network Security: PRIVATE Communication in a PUBLIC World. 2nd edition. Prentice Hall, page 237, 2002. 5

  6. More on humans “Not long ago, [I] received an e-mail purporting to be from [my] bank. It looked perfectly legitimate, and asked [me] to verify some information. [I] started to follow the instructions, but then realized this might not be such a good idea … [I] definitely should have known better.” -- former FBI Director Robert Mueller 6

  7. And one more … “I think privacy is actually overvalued … If someone drained my cell phone, they would find a picture of my cat, some phone numbers, some email addresses, some email text. What’s the big deal?” -- Judge Richard Posner U.S. Court of Appeals, 7 th circuit 7

  8. Better together Examining security/privacy and usability together is often critical for achieving either 8

  9. Borrowing from many disciplines Many disciplines have experience studying humans. Can we learn from their models and methods? • Psychology • HCI • Sociology • Marketing • Ethnography • Counterterrorism • Cognitive sciences • Communication • Warning science • Persuasive technology • Risk perception • Learning science • Behavioral economics 9

  10. Why is security/privacy different? • Presence of an adversary • Security/privacy is a secondary task • Designing for humans is not enough! – Support users who are predictable, stressed, careless, unmotivated, busy, foolish – Without Without compr compromising security and privacy omising security and privacy 10

  11. Bridging security and HCI Security � Usability/HCI � Usable Security � Humans are a secondary Humans are the primary Human factors and constraint compared to constraint, security is security are both primary security concerns rarely considered constraints Humans considered Concerned about human Concerned about both primarily in their role as error but not human normal users and adversaries/attackers attackers adversaries Involves threat models Involves task models, Involves threat models mental models, cognitive AND task models, mental models models, etc. Focus on security metrics Focus on usability metrics Considers usability and security metrics together User studies are rare User studies are common User studies common, often involve deception or distraction 11

  12. Bridging security and HCI Security � Usability/HCI � Usable Security � Humans are a secondary Humans are the primary Human factors and constraint compared to constraint, security is security are both primary security concerns rarely considered constraints Humans considered Concerned about human Concerned about both primarily in their role as error but not human normal users and adversaries/attackers attackers adversaries Involves threat models Involves task models, Involves threat models mental models, cognitive AND task models, mental models models, etc. Focus on security metrics Focus on usability metrics Considers usability and security metrics together User studies are rare User studies are common User studies common, often involve deception or distraction 12

  13. User-selected graphical passwords Security � Usability/HCI � Usable Security � What is the space of How difficult is it for a All the security/privacy possible passwords? user to create, and usability HCI remember, and enter a questions How can we make the graphical password? password space larger to How long does it take? How do users select make the password graphical passwords? harder to guess? How hard is it for users to How can we help them learn the system? choose passwords harder How are the stored for attackers to predict? passwords secured? Are users motivated to put in effort to create As the password space Can an attacker gain good passwords? increases, what are the knowledge by observing impacts on usability a user entering her Is the system accessible factors and predictability password? using a variety of devices, of human selection? for users with disabilities? 13

  14. User-selected graphical passwords Security � Usability/HCI � Usable Security � What is the space of How difficult is it for a All the security/privacy possible passwords? user to create, and usability HCI remember, and enter a questions How can we make the graphical password? password space larger to How long does it take? How do users select make the password graphical passwords? harder to guess? How hard is it for users to How can we help them learn the system? choose passwords harder How are the stored for attackers to predict? passwords secured? Are users motivated to put in effort to create As the password space Can an attacker gain good passwords? increases, what are the knowledge by observing impacts on usability a user entering her Is the system accessible factors and predictability password? using a variety of devices, of human selection? for users with disabilities? 14

  15. Course goals • Gain an appreciation for the importance of human factors to security and privacy • Learn about current and important research in the area • Learn how to conduct user studies targeting security and privacy issues • Gain tools for critically evaluating research you hear or read about 15

  16. Course topics • Quick overviews of security and privacy • Intro to HCI methods and experimental design – How and when to use different qualitative and quantitative study designs – Ecological validity and ethics – Overview of statistical analysis • Current/important research on topics of note – Passwords, web and mobile privacy, policies and notices, usable encryption, etc. 16

  17. Topic: Passwords • Can people make passwords that are easy to remember, yet hard to crack? Image from http://www.trypap.com 17

  18. Topic: Graphical passwords • Humans have great visual memory… can this fact be leveraged for authentication? Image from http://www.techradar.com 18

  19. Topic: Biometrics • Characteristics of the human body can be used to identify or authenticate – How can this be done in a user-friendly way? Image from http:// www.sciencedaily.com 19 Image from http://www.economist.com

  20. Topic: Secondary authentication • Favorite athlete? • Make of first car? • Where Barack Obama met his wife? • Jennifer Lawrence’s mother’s maiden name? Image from http://www.wikipedia.org 20

  21. Topic: Censorship, anonymity • How can we help people to remain anonymous on the Internet? (And should we?) • How can we help people to evade censorship? (And should we?) Image from http:// www.wikipedia.org Image from http://www.jhalderm.com 21

  22. Topic: Usable encryption • Why don’t people encrypt their email and files? 22

  23. Topic: SSL and PKIs • Is there any hope for making certificates and SSL warnings usable? • Can we teach developers to use SSL correctly? 23

  24. Topic: Security warnings • When do we really need them? • Can we make them more effective? 24

  25. Topic: Privacy policies and notices • How do we communicate privacy-critical info? – To busy users – Despite information overload Screenshot from http://www.tosdr.org 25

  26. Topic: Access control, policy configuration • Who should have access to your files, physical spaces, and online posts? • How can we make it easier for users to express and enforce their preferences? 26 Image from http://www.about.com

  27. Topic: Privacy and security at home • How does the increase in devices and sensors affect privacy dynamics within the home? • How can these sensors be usably secured? Image from http://www.ftc.gov Image from http:// 27 www.makezine.com

  28. Topic: Browser privacy & security • What kind of tracking currently occurs, and what do average people think of it? • … And why has phishing been so effective? 28

  29. Topic: HFPS for mobile • Do people understand where the information on their phone goes? • …And can someone please make app permissions usable? Image from http://www.nokia.com 29 Image from http:// www.arstechnica.com

  30. Topic: Social networks and privacy • Can people want to share some things widely yet want other things to be private? 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang 1 The human threat Malicious humans Humans who dont know what to do

569 views • 38 slides
Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi,

Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi,

Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi, Aditi Shah, Bharath Subramanian, and Sauvik Das The Sixteenth Symposium on Usable Privacy and Security August 7th - 11th, 2020 High attention levels

1.03k views • 6 slides
Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security Ponnurangam Kumaraguru (PK) Associate Professor ACM Distinguished & TEDx Speaker Linkedin/in/ponguru/ 1 fb/ponnurangam.kumaraguru,

949 views • 60 slides
Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com Honeywell.com What is usable security? Building security solutions that are intuitive and easy to use Many security

350 views • 9 slides
Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

395 views • 12 slides
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

598 views • 48 slides
Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Humans are

1.24k views • 67 slides
Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell,

715 views • 34 slides
What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given a choice between dancing pigs and security, users will pick dancing pigs every time. Felton and McGraw (1999) clicky lusers BYU LAB

1.12k views • 84 slides
Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of Internet Speaking to a host end-to-end channel Communication security container-based authenticity: X.509, Certificate

678 views • 57 slides
Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security (CUPS) Lab Carnegie Mellon University 2 Personalization 3 Cross-System Personalization 4 Cross-System Personalization 5 Cross-System

310 views • 18 slides
Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two Six Labs working on DARPA Brandeis This talk goes over work from UCB 1 Install-time permissions A ccept all or dont use the app at all. No

944 views • 77 slides
Usable Security Spring 2015 Franziska (Franzi) Roesner

Usable Security Spring 2015 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

1.11k views • 55 slides
The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas Reynolds University at Albany a Lightning Talk Symposium On Usable Privacy & Security Carnegie Mellon University, July 2011 Usable

371 views • 5 slides
Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to Verifying their Vote Workshop on Usable Security 2/23/2014 Usable Security Lab Jurlind Budurushi, Marcel Woide and Melanie Volkamer Crypto Lab Current

217 views • 19 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
2018 Facilitator: Mdm Pauline Goh Mr Ko Kuan Woei 1 Objectives Identifying scientific

2018 Facilitator: Mdm Pauline Goh Mr Ko Kuan Woei 1 Objectives Identifying scientific

Science Parents Workshop Primary 6 2018 Facilitator: Mdm Pauline Goh Mr Ko Kuan Woei 1 Objectives Identifying scientific concepts tested in PSLE Questions Use of answering strategies in PSLE Questions 2 Part 1 Sharing the process of

818 views • 34 slides
Sus Sustainability ainability Information, ideas and activities for lessons Lesson Content

Sus Sustainability ainability Information, ideas and activities for lessons Lesson Content

Sus Sustainability ainability Information, ideas and activities for lessons Lesson Content What is sustainable farming? Carbon footprints and food miles The environmental impact of potatoes Seasonality Sustainable potato

580 views • 7 slides
Welcome to CS 3000: Algorithms & Data! Section 1 Instructor Tim LaRock (he/him/his)

Welcome to CS 3000: Algorithms & Data! Section 1 Instructor Tim LaRock (he/him/his)

Welcome to CS 3000: Algorithms & Data! Section 1 Instructor Tim LaRock (he/him/his) larock.t@northeastern.edu bit.ly/cs3000syllabus Zoom Notes I will be recording our Zoom lectures. Keep both your video and audio muted at all times unless

938 views • 52 slides
How to contact me Kristina Striegnitz Are computers intelligent? Will they ever be? email:

How to contact me Kristina Striegnitz Are computers intelligent? Will they ever be? email:

How to contact me Kristina Striegnitz Are computers intelligent? Will they ever be? email: striegnk@union.edu Write down a short paragraph (15min) on whether or not you office hours: Steinmetz 233 think that computers can think/are

304 views • 5 slides
The Map To Millions for Millennials sli.do/sbm2m 1 Disclaimer Any advice contained in this

The Map To Millions for Millennials sli.do/sbm2m 1 Disclaimer Any advice contained in this

The Map To Millions for Millennials sli.do/sbm2m 1 Disclaimer Any advice contained in this video is general advice only and does not take into consideration the viewers personal circumstances. Any reference to the viewers actual

584 views • 54 slides
Supporting Facility and Shin Ming Guo Process Flows NKFUST Servicescapes Process Flow

Supporting Facility and Shin Ming Guo Process Flows NKFUST Servicescapes Process Flow

Supporting Facility and Shin Ming Guo Process Flows NKFUST Servicescapes Process Flow Structures Process Performance Facility Layout 1 1 Environmental Psychology & Orientation Need for spatial cues to orient visitors

545 views • 15 slides
Convolutional Neural Nets EECS 442 David Fouhey Fall 2019, University of Michigan

Convolutional Neural Nets EECS 442 David Fouhey Fall 2019, University of Michigan

Convolutional Neural Nets EECS 442 David Fouhey Fall 2019, University of Michigan http://web.eecs.umich.edu/~fouhey/teaching/EECS442_F19/ Previously Backpropagation = + 3 2 x -x -x+3 (-x+3) 2 -n n 2 n+3 1 2x 6

975 views • 70 slides
UNDERSTANDNG PROCESSES 2 L EARNNG O BJECTVES Understand the following concepts: Flow

UNDERSTANDNG PROCESSES 2 L EARNNG O BJECTVES Understand the following concepts: Flow

O PERATONS & L OGSTCS M ANAGEMENT N A R T RANSPORTATON P ROFESSOR D AVD G LLEN (U NVERSTY OF B RTSH C OLUMBA )& P ROFESSOR B ENNY M ANTN (U NVERSTY OF W ATERLOO ) Istanbul Technical University Air

1.11k views • 82 slides

More recommend