124,070 research outputs found
Integrating security and usability into the requirements and design process
According to Ross Anderson, 'Many systems fail because their designers protect the wrong things or protect the right things in the wrong way'. Surveys also show that security incidents in industry are rising, which highlights the difficulty of designing good security. Some recent approaches have targeted security from the technological perspective, others from the human–computer interaction angle, offering better User Interfaces (UIs) for improved usability of security mechanisms. However, usability issues also extend beyond the user interface and should be considered during system requirements and design. In this paper, we describe Appropriate and Effective Guidance for Information Security (AEGIS), a methodology for the development of secure and usable systems. AEGIS defines a development process and a UML meta-model of the definition and the reasoning over the system's assets. AEGIS has been applied to case studies in the area of Grid computing and we report on one of these
A Socio-Technical Approach to Information Security
The main objective of this paper is to present a preliminary socio-technical information security (STInfoSec) framework for the development of online information security applications that addresses both social and technical aspects of information security design. The paper looks at theoretical aspects related to a view of information security as a soci0-technical system in the context of online banking. The STInfoSec framework investigates usability and security requirements for an improved online banking system that seeks to improve the adoption and continued use of the service. The STInfoSec framework proposes 12 usable security design principles that assist in addressing security and usability requirements in online applications such as online banking. The framework seeks to influence the behaviour of designers of online information security applications by incorporating principles that consider the end user behaviour of such applications. The validation of the framework is beyond the scope of this paper
FORTES: Forensic Information Flow Analysis of Business Processes
Nearly 70% of all business processes in use today rely on automated workflow systems for their execution. Despite the growing expenses in the design of advanced tools for secure and compliant deployment of workflows, an exponential growth of dependability incidents persists. Concepts beyond access control focusing on information flow control offer new paradigms to design security mechanisms for reliable and secure IT-based workflows.
This talk presents FORTES, an approach for the forensic analysis of information flow properties. FORTES claims that information flow control can be made usable as a core of an audit-control system. For this purpose, it reconstructs workflow models from secure log files (i.e. execution traces) and, applying security policies, analyzes the information flows to distinguish security relevant from security irrelevant information flows. FORTES thus cannot prevent security policy violations, but by detecting them with well-founded analysis, improve the precision of audit controls and the generated certificates
"Make Them Change it Every Week!": A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication
Usable and secure authentication on the web and beyond is mission-critical.
While password-based authentication is still widespread, users have trouble
dealing with potentially hundreds of online accounts and their passwords.
Alternatives or extensions such as multi-factor authentication have their own
challenges and find only limited adoption. Finding the right balance between
security and usability is challenging for developers. Previous work found that
developers use online resources to inform security decisions when writing code.
Similar to other areas, lots of authentication advice for developers is
available online, including blog posts, discussions on Stack Overflow, research
papers, or guidelines by institutions like OWASP or NIST.
We are the first to explore developer advice on authentication that affects
usable security for end-users. Based on a survey with 18 professional web
developers, we obtained 406 documents and qualitatively analyzed 272 contained
pieces of advice in depth. We aim to understand the accessibility and quality
of online advice and provide insights into how online advice might contribute
to (in)secure and (un)usable authentication. We find that advice is scattered
and that finding recommendable, consistent advice is a challenge for
developers, among others. The most common advice is for password-based
authentication, but little for more modern alternatives. Unfortunately, many
pieces of advice are debatable (e.g., complex password policies), outdated
(e.g., enforcing regular password changes), or contradicting and might lead to
unusable or insecure authentication. Based on our findings, we make
recommendations for developers, advice providers, official institutions, and
academia on how to improve online advice for developers.Comment: Extended version of the paper that appears at ACM CCS 2023. 18 pages,
4 figures, 11 table
Usable Security: Why Do We Need It? How Do We Get It?
Security experts frequently refer to people as “the weakest link in the chain” of system
security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password,
because it “was easier to dupe people into revealing it” by employing a range of social
engineering techniques. Often, such failures are attributed to users’ carelessness and
ignorance. However, more enlightened researchers have pointed out that current security
tools are simply too complex for many users, and they have made efforts to improve
user interfaces to security tools. In this chapter, we aim to broaden the current perspective,
focusing on the usability of security tools (or products) and the process of designing
secure systems for the real-world context (the panorama) in which they have to operate.
Here we demonstrate how current human factors knowledge and user-centered design
principles can help security designers produce security solutions that are effective in practice
Making GDPR Usable: A Model to Support Usability Evaluations of Privacy
We introduce a new model for evaluating privacy that builds on the criteria
proposed by the EuroPriSe certification scheme by adding usability criteria.
Our model is visually represented through a cube, called Usable Privacy Cube
(or UP Cube), where each of its three axes of variability captures,
respectively: rights of the data subjects, privacy principles, and usable
privacy criteria. We slightly reorganize the criteria of EuroPriSe to fit with
the UP Cube model, i.e., we show how EuroPriSe can be viewed as a combination
of only rights and principles, forming the two axes at the basis of our UP
Cube. In this way we also want to bring out two perspectives on privacy: that
of the data subjects and, respectively, that of the controllers/processors. We
define usable privacy criteria based on usability goals that we have extracted
from the whole text of the General Data Protection Regulation. The criteria are
designed to produce measurements of the level of usability with which the goals
are reached. Precisely, we measure effectiveness, efficiency, and satisfaction,
considering both the objective and the perceived usability outcomes, producing
measures of accuracy and completeness, of resource utilization (e.g., time,
effort, financial), and measures resulting from satisfaction scales. In the
long run, the UP Cube is meant to be the model behind a new certification
methodology capable of evaluating the usability of privacy, to the benefit of
common users. For industries, considering also the usability of privacy would
allow for greater business differentiation, beyond GDPR compliance.Comment: 41 pages, 2 figures, 1 table, and appendixe
Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science
e-Science projects face a difficult challenge in providing access to valuable computational resources, data and software to large communities of distributed users. Oil the one hand, the raison d'etre of the projects is to encourage members of their research communities to use the resources provided. Oil the other hand, the threats to these resources from online attacks require robust and effective Security to mitigate the risks faced. This raises two issues: ensuring that (I) the security mechanisms put in place are usable by the different users of the system, and (2) the security of the overall system satisfies the security needs of all its different stakeholders. A failure to address either of these issues call seriously jeopardise the success of e-Science projects.The aim of this paper is to firstly provide a detailed understanding of how these challenges call present themselves in practice in the development of e-Science applications. Secondly, this paper examines the steps that projects can undertake to ensure that security requirements are correctly identified, and security measures are usable by the intended research community. The research presented in this paper is based Oil four case studies of c-Science projects. Security design traditionally uses expert analysis of risks to the technology and deploys appropriate countermeasures to deal with them. However, these case studies highlight the importance of involving all stakeholders in the process of identifying security needs and designing secure and usable systems.For each case study, transcripts of the security analysis and design sessions were analysed to gain insight into the issues and factors that surround the design of usable security. The analysis concludes with a model explaining the relationships between the most important factors identified. This includes a detailed examination of the roles of responsibility, motivation and communication of stakeholders in the ongoing process of designing usable secure socio-technical systems such as e-Science. (C) 2007 Elsevier Ltd. All rights reserved
- …