Science of Security Lablet
Understanding & Accounting Human Behavior
Towards a Scientific Basis for User Centric Security Design
Presented by Zach Jorgensen [1]
PIs: Ting Yu [1], Ninghui Li [2] and Robert Proctor [2]
[1] North Carolina State University; [2] Purdue University
SECURE + USABLE
1. Reduce: Ask users for security decisions sparingly
2. Simplify: Ask questions that a user can understand
3. Active: Avoid putting users on the spot to make security decisions
4. Safe: Do not provide the user with an easy and insecure way out
CodeShield
Personalized Application Whitelisting
Image from: www.psdgraphics.com
Normal Mode Only execute white-listed code
Installation Mode Execute all software
Executed = added to whitelist
1. Reduce: “do I want to add new software now?”
2. Simplify: closely matches how typical users understand their actions.
3. Active: user must explicitly trigger installation mode.
4. Safe: not allowing new code is the easiest action.
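The two-mode whitelisting model described above (normal mode executes only whitelisted code; installation mode executes everything and whitelists it) and the four design principles it is mapped to, as an added toy model that is not CodeShield's own code. It assumes the whitelist is keyed by a SHA-256 digest of the program contents, and it deliberately shows that a modified copy of a whitelisted program is denied in normal mode.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class CodeShieldPolicy:
    """Toy model of the two-mode whitelisting policy (not the real CodeShield).

    Normal mode: only whitelisted code may execute (default deny).
    Installation mode: all code executes and is added to the whitelist.
    Assumption: the whitelist is keyed by SHA-256 of the program bytes."""
    whitelist: Set[str] = field(default_factory=set)
    installation_mode: bool = False
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    @staticmethod
    def fingerprint(code: bytes) -> str:
        return hashlib.sha256(code).hexdigest()

    def enter_installation_mode(self) -> None:
        # Active + Reduce: the only question the user ever answers is
        # "do I want to add new software now?", and only the user can flip this.
        self.installation_mode = True

    def leave_installation_mode(self) -> None:
        self.installation_mode = False

    def request_execution(self, name: str, code: bytes) -> bool:
        fp = self.fingerprint(code)
        if fp in self.whitelist:
            self.log.append((name, "allow", "whitelisted"))
            return True
        if self.installation_mode:
            self.whitelist.add(fp)  # executed = added to whitelist
            self.log.append((name, "allow", "added in installation mode"))
            return True
        # Safe: the default outcome asks nothing of the user and denies the code.
        self.log.append((name, "deny", "not whitelisted"))
        return False


def demo() -> List[bool]:
    """Walk one program through both modes; returns the allow/deny sequence."""
    policy = CodeShieldPolicy()
    editor = b"#!/bin/sh\necho editor\n"    # constructed sample program
    dropper = b"#!/bin/sh\necho dropper\n"  # constructed sample program
    results = [policy.request_execution("editor", editor)]   # normal mode: denied
    policy.enter_installation_mode()
    results.append(policy.request_execution("editor", editor))   # allowed, whitelisted
    policy.leave_installation_mode()
    results.append(policy.request_execution("editor", editor))   # allowed: whitelisted
    results.append(policy.request_execution("dropper", dropper)) # denied: never installed
    results.append(policy.request_execution("editor", editor + b"# patched\n"))  # denied
    return results
```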
• Switch – Median: 17
• Reboot – Median: 3.5
Risk Communication in Mobile Devices
1. No risk information until after decision is made
2. The same permissions screen is shown for all apps
3. Does not actively discourage risky behavior
4. Not personalized
Risk Scores
Generating Risk Scores
Risk scores lead to better decisions…
[Figure: Decision Time for Installing an App (Risk/Safety Level Only). Y-axis: Response Time (ms), 430 to 590. X-axis: Medium-Risk/Safety vs. Low-Risk/High-Safety. Series: Risk Condition, Safety Condition.]
Discouraging Risky Actions via Installation Hurdles
Tapping Into Other Sources of Risk Information
Collaboration Opportunities
• Usable security mechanisms
• Usable interfaces
• Communicating risk information
• User studies