1 / 17

Users Are Not the Enemy

Users Are Not the Enemy. Anna Adams Martina Angela Sasse. Overview. Introduction The Study Users Lack Security Knowledge Security Needs User-Centered Design Motivating Users Users and Password Behavior Recommendations Conclusion. Introduction. Confidentiality of computer security

crevan
Download Presentation

Users Are Not the Enemy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Users Are Not the Enemy Anna Adams Martina Angela Sasse

  2. Overview • Introduction • The Study • Users Lack Security Knowledge • Security Needs User-Centered Design • Motivating Users • Users and Password Behavior • Recommendations • Conclusion

  3. Introduction • Confidentiality of computer security • Identification • Authentication • Password Security • Key element is crack ability of password combination • Should have several criteria for password security

  4. Password Security • Password composition • What type of characters used for passwords • Password lifetime • Changing passwords frequently • Password ownership • Increase individual accountability • Reduce illicit usage • Allow for an establishment of system usage • Reduce frequent password changes

  5. The Study • Web-based questionnaire • Focused on password behaviors • 4 factors influencing effective passwords • Multiple passwords • Password Content • Perceived compatibility with work practices • Users’ perceptions of organizational security and information sensitivity

  6. The Study What was found • Multiple passwords • Writing them down • Poor design • Linked passwords • Password Content • No feed back from security experts • Own rules for passwords • Password restrictions • Increase password disclosures • Ways to circumvent restrictions

  7. The Study What was found cont. • Compatibility between work practices and password procedures • Shared passwords • Not being informed of security issues • Guided by what they see • 2 main problems in password usage • Systems factors • External factors

  8. Users Lack Security Knowledge • Need-to-know Principle • The more know about security the easier it is to attack • Users not informed • Password behaviors • Correct password content • Cracking • Not told of security breaches

  9. Users Lack Security Knowledge • Misunderstanding of login process • Confuse user identification with passwords • Think IDs are part of password • Using physical attributes that don’t require ID recall • Combine physical attributes with remote access to systems

  10. Security Needs User-Center Design • To achieve good user-center design in security mechanisms • communication with users is needed • Security has to think about the users • Requiring many passwords create usability problems • Frequently changed passwords increase disclosure • Need to take into account passwords used out of the office

  11. Motivating Users • Simplistic Approach to user authentication • Restricts data by identification and authentication • Does not work well for group work • Authoritarian Approach to user authentication • Led to security departments reluctance to communicate with users with regard to work practices

  12. Motivating Users cont. • Individual ownership of passwords increases accountability and decreases illicit usage of passwords • If users perceive they are using shared passwords this increases groups responsibility and accountability • Password mechanism has to be compatible with work practices

  13. Motivating Users cont. • Most users are security conscious just need to think that security is important • Need to forget about Need-to-Know • If done could lead to security leaks • Can also motivate users of real problems • Need to have communication between security department and users • This is the only area in IT in which user training is not regarded as essential

  14. Users and Password Behavior • Major problems with Security • Insecure work practices • Low security motivation • Personal thinking vs. drills and punishment • Security procedures must work with user work practices • Security departments have to see how their mechanisms are used in practice

  15. Recommendations • Password Content • Provide training on usable and secure passwords • Provide constructive feedback on password construction • Multiple Passwords • Reduce number of passwords • 4 or 5 passwords max • Smart cards when using multiple passwords

  16. Recommendations cont. • Users’ Perception of Security • System security needs to be visible to all • Inform users of existing and potential threats • Users awareness needs to be maintained over time • Provide guidance as to which systems and information are sensitive and why • Work Practices • Password mechanisms need to match organization and work procedures

  17. Conclusion • Communication between security department and users • Limiting passwords • Creating secure passwords • Sharing security issues • The users are not the enemy of security • Users can help solve the problem Questions ?

More Related