Paul Ammann Usability and Security CS 101

Usability and Security
Paul Ammann
http://www.cs.gmu.edu/~pammann
CS 101
© Paul Ammann
1
Outline
• A Poll
• What’s wrong with usable security thinking
• The consequences of unusable security
– Unusable security costs money
– Unusable security costs security
• What to do
– The need for appropriate incentives
– The need for systems-level thinking
A Poll
“In the past decade our community has
recognized a tension between security
and usability: it is generally easy to
provide more of one by offering less of
the other.”
Bonneau et al, Oakland S&P 2012
• How many of you
– Agree?
– Disagree?
• Goal of this part of the talk
– Convince more of you to disagree
What’s Wrong With ‘Usable Security’ Thinking?
Security implementers sometimes invent the user instead of discovering the user
Proper Focus: Fit with Users & Activity
• If you want productive & secure users
– and security is usually the secondary task
• Then you need to understand
– Primary user activities
– User motivations
– User behavior
– Impact on bottom line
The Consequences of Unusable Security
• Unusable Security Costs Money
• Unusable Security Costs Security
Unusable Security Costs Money
Standard Security Thinking: “Users Should Make the Effort”
• Question: how much? It all adds up:
1. Time spent on security tasks: authentication, access control, warnings, security education ….
2. Failure: time spent on errors and error recovery (user and visible organizational cost)
3. Disruption of primary tasks = re-start cost
Does This Really Help Security?
Time is Money
“An hour from each of the US’s 180 million online
users is worth approximately US$2.5 billion. A
major error in security thinking has been to treat
users’ time—an extremely valuable resource—as
free.”
C Herley, IEEE S&P Jan/Feb 2014
Password Re-use
How many of you re-use passwords across accounts?
How many of you use weak passwords?
Absolutely prohibited in traditional security!
Now a rational approach (USENIX 2014)!
Key advance:
Optimize both expected loss and finite user effort
Impact on Productivity – Long-Term
1. Users opt out of services, return devices
– Improves their productivity, but often reduces organizational productivity (example: email)
– Organization has less control over alternatives
2. Stifling innovation: new opportunities that would require changes in security
3. Staff leaving organization to be more productive/creative elsewhere
Unusable Security is Ridiculous …
The Consequences of Unusable Security
• Unusable Security Costs Money
• Unusable Security Costs Security
Unusable Security Costs Security!
1. User errors - even when trying to be secure
2. Non-compliance/workarounds to get tasks done
3. Security policies that cannot be followed make effort seem futile:
“It creates a sense of paranoia and fear, which makes some people throw up their hands and say, ‘there’s nothing to be done about security,’ and then totally ignore it.”
Expert Round Table IEEE S&P Jan/Feb 2014
User Errors When Trying To Be Secure
• Fact: PDF files are dangerous.
– That’s a usability problem!
– Is a generic warning helpful? Why not?
– Is a detailed warning better?
Noncompliance
Are these legitimate users?
Reasons For Non-Compliance
• Compliance requires ability and willingness
• Can’t comply
– Security tasks that are impossible to complete – remove/redesign (security hygiene)
• Could comply but won’t comply
– The cost of security tasks that can be completed in theory, but require a high level of effort and/or reduce productivity. Identify & reduce friction through better design or better policies
• Can comply and do comply
– Security tasks that staff routinely comply with – provides examples of what is workable in a particular environment = template for security
Revocation
• Usability and revocation
• Who identifies unneeded privileges?
– Manager? Employee?
– Answer says a lot about the organization
• Demo environment vs. actual practice
– “How does that work with 1000 privileges?”
Old Security, No Longer Usable
• Entering a complex password on a touchscreen keyboard is time-consuming and error-prone
• Users look for passwords that are easy to enter → severely reduced password space
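Added example (not from the original slides): a rough way to put numbers on the two bullets above, counting the taps needed to type a password on a touchscreen and the size of the password space when users stay on the default keyboard layer. The three-layer keyboard model, the function names and both sample passwords are assumptions constructed for illustration.

```python
import math
import string

# Assumed keyboard model (constructed for illustration; real layouts differ):
# lowercase on the default layer, uppercase via a one-shot shift tap, digits
# and punctuation on a separate layer that stays active until switched back.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
SYMBOLS = set(string.digits + string.punctuation)

def taps_to_enter(password: str) -> int:
    """Count screen taps, including shift and layer-switch taps."""
    taps, layer = 0, "letters"          # keyboard opens on the letters layer
    for ch in password:
        if ch in SYMBOLS:
            wanted = "symbols"
        elif ch in LOWER or ch in UPPER:
            wanted = "letters"
        else:
            raise ValueError(f"character outside the model: {ch!r}")
        if layer != wanted:
            taps += 1                   # layer-switch tap
            layer = wanted
        if ch in UPPER:
            taps += 1                   # shift tap
        taps += 1                       # the character key itself
    return taps

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of possible passwords of this length."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # Constructed sample passwords, both 11 characters long.
    # 94 = all printable ASCII symbols in the model, 26 = lowercase only.
    for pw, alphabet in (("Tr0ub4d&r3!", 94), ("sunnyharbor", 26)):
        print(pw, taps_to_enter(pw), "taps,",
              round(keyspace_bits(alphabet, len(pw)), 1), "bits")
```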
New Security, Unusable Implementation
• Replacing existing 2FA card with a more secure one – good!
• Replacing 6-digit numeric code with 8-char alphanumeric password valid for 1 minute – bad!
• Why is that bad?
– Skill set needed to analyze?
Impact on Security – Long-Term
1. Increased likelihood of security breaches
2. ‘Noise’ created by habitual non-compliance makes malicious behavior harder to detect
3. Lack of appreciation of and respect for security creates a bad security culture
4. Frustration can lead to disgruntlement: intentional malicious behavior - insider attacks, sabotage
The Need For Appropriate Incentives
• Some organizations don’t care about
usability or usable security
– Not much to do there
– Dangerous invitation to competitors!
• Some do care
Q: How to make it happen?
A: High-level commitment
A: Feedback loops
A: Appropriate personnel
Systems-Level Thinking
• Typical report, as paraphrased by Norman
Air Force: It was pilot error—the pilot failed to take corrective action.
Inspector General: That’s because the pilot was probably unconscious.
Air Force: So you agree, the pilot failed to correct the problem.
• Aircraft designers have gotten smarter
• There is a similar attitude in security
– Fact: Users don’t do what they are supposed to
– Question: Is it their fault?
• Can security designers get smarter?
Questions?
• Contact:
– Paul Ammann: cs.gmu.edu/~pammann
– 4428 Engineering Building
• Acknowledgements:
– Angela Sasse has taught me a lot about usable security
and shared slides generously!
• Further reading
– Adams and Sasse: Users are not the enemy (CACM 1999)
– Krol et al.: Rethinking security warnings (7th CRiSIS 2012)
– Caputo et al.: Going spear phishing (S&P magazine Jan/Feb 2014)
– Herley: More is not the answer (S&P magazine Jan/Feb 2014)
– Norman: The Design of Everyday Things (latest 2013)
– Florencio et al.: Password portfolios and the finite effort user (USENIX 2014)