Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.
-
date post
20-Dec-2015 -
Category
Documents
-
view
217 -
download
0
Transcript of Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.
![Page 1: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/1.jpg)
PSYCHOLOGY AND SECURITY
![Page 2: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/2.jpg)
Agenda
Tuesday, June 28th Psychology and Security
Thursday, June 30th
Usable Security
![Page 3: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/3.jpg)
References
Ross Anderson, Security Engineering Chapter 2 “Usability and Psychology”
Ryan West, “The Psychology of Security”, Communications of the ACM, April 2008, p34-40.
![Page 4: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/4.jpg)
People
Only amateurs attack machines; professionals target people.
— Bruce Schneier Many real attacks exploit psychology
at least as much as technology. Kevin Mitnick, Art of Deception
![Page 5: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/5.jpg)
Phishing
it is much easier for crooks to build a bogus bank website that passes casual inspection than it is for them to create a bogus bank in a shopping mall.
![Page 6: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/6.jpg)
Phishing Examples
US Bank Amazon Twitter
![Page 7: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/7.jpg)
Pretexting & Social Engineering The most common way for private
investigators to steal personal information is pretexting — phoning someone who has the information under a false pretext, usually by pretending to be someone authorized to be told it. Such attacks are sometimes known collectively as social engineering.
![Page 8: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/8.jpg)
Trusting people
Many frauds work by appealing to our atavistic instincts to trust people more in certain situations.
![Page 9: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/9.jpg)
Psychological manipulation As designers learn how to forestall
the easier techie attacks, psychological manipulation of system users or operators becomes ever more attractive.
The security engineer simply must understand basic psychology and ‘security usability’.
![Page 10: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/10.jpg)
IRS Social Engineering
Fixing the problem is hard. Despite continuing publicity about pretexting, there was an audit of the IRS in 2007 by the Treasury Inspector General for Tax Administration, whose staff called 102 IRS employees at all levels, asked for their user ids, and told them to change their passwords to a known value. 62 did so.
![Page 11: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/11.jpg)
Policies & Training
It’s not enough for rules to exist; you have to train all the staff who have access to the confidential material, and explain to them the reasons behind the rules.
![Page 12: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/12.jpg)
Research Areas
Information security and psychology Human-computer interaction (HCI) Poorly understood by systems
developers Information security and economics
![Page 13: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/13.jpg)
Perception of Risk
Terrorism is largely about manipulating perceptions of risk.
Many protection mechanisms are sold using scaremongering.
![Page 14: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/14.jpg)
Cognitive psychology
How we think, remember, and make decisions.
What makes security harder than safety is that we have a sentient attacker who will try to provoke exploitable errors.
![Page 15: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/15.jpg)
Practiced actions
People are trained to click ‘OK’ to pop-up boxes as that’s often the only way to get the work done.
![Page 16: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/16.jpg)
Risk Evaluation
Risk and uncertainty are extremely difficult concepts for people to evaluate.
For designers of security systems, it is important to understand how users evaluate and make decisions regarding security.
The most elegant and intuitively designed interface does not improve security if users ignore warnings, choose poor settings, or unintentionally subvert corporate policies.
![Page 17: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/17.jpg)
Risk Evaluation
The user problem in security systems is not just about user interfaces or system interaction. Fundamentally, it is about how people think of risk that guides their behavior.
![Page 18: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/18.jpg)
Following rules
Starting URLs with the impersonated bank’s name, as www.citibank.secureauthentication.com— looking for the name being for many people a stronger rule than parsing its position.
![Page 19: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/19.jpg)
Mental Model
Attackers exploit dissonances between users’ mental models of a system and its actual logic.
A cognitive walkthrough can be aimed at identifying attack points, just as a code walkthrough can be used to search for software vulnerabilities.
![Page 20: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/20.jpg)
Behavioral economics
People’s decision processes depart from the rational behavior.
The heuristics we use in everyday judgment and decision making lie somewhere between rational thought and the unmediated input from the senses.
![Page 21: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/21.jpg)
Calculating Probabilities
We’re also bad at calculating probabilities, and use all sorts of heuristics to help us make decisions:
We also worry too much about unlikely events.
Many people perceive terrorism to be a much worse threat than food poisoning or road traffic accidents.
![Page 22: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/22.jpg)
Problem 1
Read “Users do not think they are at risk” on page 36 of Ryan West, “The Psychology of Security”.
Complete Problem 1
![Page 23: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/23.jpg)
Users aren’t stupid, they’re unmotivated
To conserve mental resources, we generally tend to favor quick decisions based on learned rules and heuristics.
It is efficient in the sense it is quick, it minimizes effort, and the outcome is good enough most of the time. (cognitive miser)
This partially accounts for why users do not reliably read all the text relevant in a display or consider all the consequences of their actions.
![Page 24: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/24.jpg)
Problem 2
Safety is an abstract concept. Chose a partner. Complete Problem #2
![Page 25: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/25.jpg)
Evaluating the security/cost trade-off
While the gains of security are generally abstract the cost is real and immediate.
it usually comes with a price paid in time, effort, and convenience.
Users weigh the cost of the effort against the perceived value of the gain (safety/security) and the perceived chance that nothing bad would happen either way.
![Page 26: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/26.jpg)
Risk aversion
People dislike losing $100 they already have more than they value winning $100.
Marketers talk in terms of ‘discount’ and ‘saving’ — by framing an action as a gain rather than as a loss makes people more likely to take it.
![Page 27: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/27.jpg)
Problem 3
Security as a secondary task. Losses perceived
disproportionately to gains With your partner, complete Problem
#3.
![Page 28: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/28.jpg)
Principle of Psychological Acceptability
Security Mechanisms should not make the resource more difficult to access than if the security mechanisms were not present. Salzer & Schroeder 1975
![Page 29: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/29.jpg)
Principle of Psychological Acceptability
The security mechanism may add some extra burden, but that burden must be both minimal and reasonable.
Every file access requires the user enter his password?
![Page 30: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/30.jpg)
Password Policies
Many users want to use a simple easy to remember password. They do not want to change their password. They write down their password. They want to use the same password for all their accounts.
It is a challenge to write a password policy that is psychologically acceptable and still provides security.
![Page 31: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/31.jpg)
Airport Security
Is it psychologically acceptable? How about full body scans and pat
downs?
![Page 32: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/32.jpg)
IMPROVING SECURITY COMPLIANCE ANDDECISION MAKING Reward pro-security behavior.
Users must be motivated to take pro-security actions.
There must be a tangible reward for making good security decisions.
One form of reward is to see that the security mechanisms are working and that the action the user chose is, in fact, making them safer.
![Page 33: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/33.jpg)
IMPROVING SECURITY COMPLIANCE ANDDECISION MAKING When an antivirus or antispyware
product finds and removes malicious code. The security application often issues a notification that it has found and mitigated a threat.
![Page 34: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/34.jpg)
Improve the awareness of risk People often believe they are at less
risk compared to others. Increase user awareness of the risks
they face. Security messages should be
instantly distinguishable from other message dialogs. Security messages should look and sound very different
![Page 35: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/35.jpg)
Catch corporate security policy violators
Having a corporate security policy that is not monitored or enforced is tantamount to having laws but no police.
Security systems should have good auditing capabilities.
The best deterrent to breaking the rules is not the severity of consequences but the likelihood of being caught.
![Page 36: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/36.jpg)
Reduce the cost of implementing security
To accomplish a task, users often seek the path of least resistance that satisfies the primary goal.
Making the secure choice the easiest for the user to implement, one takes advantage of normal user behavior and gains compliance.
![Page 37: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/37.jpg)
Reduce the cost of implementing security
To reduce the cost of security is to employ secure default settings.
Most users never change the default settings of their applications.
“Secure by Default” principle. While good default settings can
increase security, system designers must be careful that users do not find an easier way to slip around them.
![Page 38: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/38.jpg)
CONCLUSION
We can increase compliance if we work with the psychological principles that drive behavior.
![Page 39: Agenda Tuesday, June 28 th Psychology and Security Thursday, June 30 th Usable Security.](https://reader036.fdocuments.us/reader036/viewer/2022062320/56649d415503460f94a1c21a/html5/thumbnails/39.jpg)
Problem #4
1. Consider some software product that you regularly use, some website that you regularly visit, or some software product that you develop as part of your job. Briefly describe this product.
2. Discuss how well it meets the Principle of Psychological Acceptability for users of this product or website.
3. Discuss how this product or website could be improved from the psychological viewpoint.