Users Are Not the Enemy Anna Adams Martina Angela Sasse
Overview • Introduction • The Study • Users Lack Security Knowledge • Security Needs User-Centered Design • Motivating Users • Users and Password Behavior • Recommendations • Conclusion
Introduction • Confidentiality in computer security rests on identification and authentication • Identification • Authentication • Password security • The key element is the crackability of the password combination • Several criteria together determine password security
Password Security • Password composition • Which types of characters are used in a password • Password lifetime • How frequently passwords are changed • Password ownership • Individual ownership increases accountability • Reduces illicit usage • Allows normal system usage to be established • Reduces the need for frequent password changes
The Study • Web-based questionnaire • Focused on password behaviors • 4 factors influencing effective passwords • Multiple passwords • Password Content • Perceived compatibility with work practices • Users’ perceptions of organizational security and information sensitivity
The Study: What was found • Multiple passwords • Users write them down • Poorly designed mechanisms • Linked passwords (one password varied slightly across systems or changes) • Password content • No feedback from security experts • Users invent their own rules for passwords • Password restrictions • Increase password disclosure • Users find ways to circumvent restrictions
The Study: What was found (cont.) • Compatibility between work practices and password procedures • Shared passwords • Users not informed of security issues • Users are guided by what they see • 2 main problem areas in password usage • System factors • External factors
Users Lack Security Knowledge • Need-to-know principle • Rationale: the more users know about security, the easier it is for them to attack it • Result: users are not informed about • Password behaviors • Correct password content • Cracking • Security breaches that have occurred
Users Lack Security Knowledge • Misunderstanding of login process • Confuse user identification with passwords • Think IDs are part of password • Using physical attributes that don’t require ID recall • Combine physical attributes with remote access to systems
Security Needs User-Centered Design • To achieve user-centered design of security mechanisms • Communication with users is needed • Security designers have to think about the users • Requiring many passwords creates usability problems • Frequently changed passwords increase disclosure • Passwords used outside the office need to be taken into account
Motivating Users • Simplistic approach to user authentication • Restricts access to data by identification and authentication • Does not work well for group work • Authoritarian approach to user authentication • Has led to security departments' reluctance to communicate with users about work practices
Motivating Users (cont.) • Individual ownership of passwords increases accountability and decreases illicit usage • If users perceive that they are using shared passwords, this increases group responsibility and accountability • The password mechanism has to be compatible with work practices
Motivating Users (cont.) • Most users are security conscious; they just need to be convinced that security is important • Need to move away from need-to-know • Withholding information can itself lead to security leaks • Informing users of real problems motivates them • Communication between the security department and users is needed • Security is the only area in IT in which user training is not regarded as essential
Users and Password Behavior • Major security problems • Insecure work practices • Low security motivation • Getting users to think for themselves vs. drills and punishment • Security procedures must work with users' work practices • Security departments have to see how their mechanisms are used in practice
Recommendations • Password content • Provide training on usable and secure passwords • Provide constructive feedback on password construction • Multiple passwords • Reduce the number of passwords • 4 or 5 passwords at most • Use smart cards where multiple passwords are unavoidable
Recommendations (cont.) • Users' perception of security • System security needs to be visible to all • Inform users of existing and potential threats • Users' awareness needs to be maintained over time • Provide guidance as to which systems and information are sensitive and why • Work practices • Password mechanisms need to match organizational and work procedures
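The following is an added example, not code from the paper or the slides. It puts the "constructive feedback on password construction" recommendation into practice, together with the composition criterion from the Password Security slide and the "linked passwords" finding from the study: instead of a bare rejection, each rule explains what is wrong and what would fix it, and a password that only differs from the previous one in its trailing digits or symbols (the classic response to forced password changes) is called out as such. The minimum length, the tiny word list, the keyboard-run list and the function names are assumptions chosen for illustration, not values from the paper.

```python
"""Constructive password feedback (added example, not from the original slides).

Rules, MIN_LENGTH, COMMON_WORDS and KEYBOARD_RUNS are illustrative assumptions.
"""
import re
import string

MIN_LENGTH = 12  # assumed policy value for this example

# Constructed mini word list; a real deployment would use a large breach/word list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "monday"}

# Constructed list of keyboard sequences that appear in every cracking wordlist.
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "67890")


def _stem(pw: str) -> str:
    """Lowercase and strip trailing digits/symbols, so 'Summer07!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_linked_variant(new: str, old: str) -> bool:
    """True when `new` is `old` with only the trailing digits/symbols changed,
    the 'linked password' pattern users adopt to survive forced changes."""
    return bool(old) and _stem(new) != "" and _stem(new) == _stem(old)


def char_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(1 for cls in classes if any(c in cls for c in pw))


def assess_password(pw: str, previous: str = "") -> dict:
    """Return {'accepted': bool, 'feedback': [messages]}.

    Every message names the problem and a concrete fix, so the user gets
    training at the moment of choice rather than an opaque rejection.
    """
    feedback = []
    if len(pw) < MIN_LENGTH:
        feedback.append(
            f"Too short ({len(pw)} characters). Use at least {MIN_LENGTH}; a phrase "
            "of unrelated words is easy to remember and hard to guess.")
    if char_classes(pw) < 3:
        feedback.append(
            "Uses fewer than three character classes. Mix upper, lower, digits and "
            "symbols inside the password rather than appending a single digit or '!'.")
    stem = _stem(pw)
    if stem in COMMON_WORDS:
        feedback.append(
            f"'{stem}' is a common word; cracking tools try it with every "
            "digit/symbol suffix before anything else.")
    for run in KEYBOARD_RUNS:
        if run in pw.lower():
            feedback.append(
                f"Contains the keyboard sequence '{run}', which is in every wordlist.")
            break
    if previous and pw == previous:
        feedback.append("Same as your previous password.")
    elif is_linked_variant(pw, previous):
        feedback.append(
            "Only the trailing digits/symbols changed from your previous password; "
            "anyone who learned the old one will try exactly this variant.")
    return {"accepted": not feedback, "feedback": feedback}


if __name__ == "__main__":
    for candidate, old in (("Summer08!", "Summer07!"),
                           ("correct-horse-battery-9staple", "Summer07!")):
        result = assess_password(candidate, old)
        print(candidate, "->", "accepted" if result["accepted"] else "rejected")
        for msg in result["feedback"]:
            print("   -", msg)
```

The point of the design is the shape of the output, not the particular rules: a rejected password comes back with the reasons spelled out, and the "linked variant" check gives the user a reason why `Summer08!` after `Summer07!` is not a real change, which is the behaviour the study found forced expiry produces.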
Conclusion • Communication between the security department and users • Limit the number of passwords • Help users create secure passwords • Share security issues with users • Users are not the enemy of security • Users can help solve the problem • Questions?