Science of Security Lablet

Understanding & Accounting Human Behavior

Towards a Scientific Basis for User Centric Security Design

Presented by Zach Jorgensen1

PIs: Ting Yu1, Ninghui Li2 and Robert Proctor2

1. North Carolina State University; 2. Purdue University

Science of Security Lablet

Understanding & Accounting Human Behavior

SECURE + USABLE

Science of Security Lablet

Understanding & Accounting Human Behavior

Science of Security Lablet

Understanding & Accounting Human Behavior

1. Reduce: Ask users for security decisions sparingly

2. Simplify: Ask questions that a user can understand

Science of Security Lablet

Understanding & Accounting Human Behavior

3. Active: Avoid putting users on the spot to make security decisions 4. Safe: Do not provide the user with an easy and insecure way out

Science of Security Lablet

Understanding & Accounting Human Behavior

CodeShield

Personalized Application Whitelisting

Image from: www.psdgraphics.com

Science of Security Lablet

Understanding & Accounting Human Behavior

Normal Mode Only execute white-listed code

Installation Mode Execute all software

Executed = added to whitelist

Science of Security Lablet

Understanding & Accounting Human Behavior

1. Reduce: “do I want to add new software now?”

2. Simplify: closely matches how typical users understand their actions.

Science of Security Lablet

Understanding & Accounting Human Behavior

3. Active: user must explicitly trigger installation mode. 4. Safe: not allowing new code is the easiest action.

Science of Security Lablet

Understanding & Accounting Human Behavior

• Switch – Median: 17

• Reboot – Median: 3.5

Science of Security Lablet

Understanding & Accounting Human Behavior

Risk Communication in Mobile Devices

Science of Security Lablet

Understanding & Accounting Human Behavior

1. No risk information until after decision is made 2. The same permissions screen is shown for all apps

Science of Security Lablet

Understanding & Accounting Human Behavior

3. Does not actively discourage risky behavior 4. Not personalized

Science of Security Lablet

Understanding & Accounting Human Behavior

Risk Scores

Science of Security Lablet

Understanding & Accounting Human Behavior

Generating Risk Scores

Science of Security Lablet

Understanding & Accounting Human Behavior

Risk scores lead to better decisions…

Science of Security Lablet

Understanding & Accounting Human Behavior

430

450

470

490

510

530

550

570

590

Medium-Risk/Safety Low-Risk/High-Safety

Res

pons

e Ti

me

(ms)

Decision Time for Installing an App

(Risk/Safety Level Only)

Risk Condition

Safety Condition

Safety

Risk

Science of Security Lablet

Understanding & Accounting Human Behavior

Discouraging Risky Actions via Installation Hurdles

Science of Security Lablet

Understanding & Accounting Human Behavior

Tapping Into Other Sources of Risk Information

Science of Security Lablet

Understanding & Accounting Human Behavior

Collaboration Opportunities

• Usable security mechanisms • Usable interfaces • Communicating risk information • User studies