Towards Enhanced Usability of IT Security Mechanisms - How to Design Usable IT Security Mechanisms Using the Example of Email Encryption

Nowadays, advanced security mechanisms exist to protect data, systems, and networks. Most of these mechanisms are effective, and security experts can handle them to achieve a sufficient level of security for any given system. However, most of these systems have not been designed with focus on good usability for the average end user. Today, the average end user often struggles with understanding and using security mecha-nisms. Other security mechanisms are simply annoying for end users. As the overall security of any system is only as strong as the weakest link in this system, bad usability of IT security mechanisms may result in operating errors, resulting in inse-cure systems. Buying decisions of end users may be affected by the usability of security mechanisms. Hence, software provid-ers may decide to better have no security mechanism then one with a bad usability. Usability of IT security mechanisms is one of the most underestimated properties of applications and sys-tems. Even IT security itself is often only an afterthought. Hence, usability of security mechanisms is often the after-thought of an afterthought. This paper presents some guide-lines that should help software developers to improve end user usability of security-related mechanisms, and analyzes com-mon applications based on these guidelines. Based on these guidelines, the usability of email encryption is analyzed and an email encryption solution with increased usability is presented. The approach is based on an automated key and trust man-agement. The compliance of the proposed email encryption solution with the presented guidelines for usable security mechanisms is evaluated

A comparison of two computer graphic systems

None provided

Consulting in computer systems and software

This report aims to describe the work I have done during my project in company. It is part of my second year in the Master of Computer Engineering – Mobile Computing of the School of Technology and Management of the Polytechnic Institute of Leiria. During this experience, I was assigned two missions. The first one is about the study of a S/MIME solution for email security and the second one is about the improvement of Microsoft Office 365 security score. For both missions I had material at my disposal and some instructions were given to me. I began by analysing the situation, and then established a state of the art in terms of technologies used. Then, thanks to my knowledge, I simulated virtual computer networks, tested encryption solutions, determined what were the best security practices, automated my work by scripting, reported the difficulties, and provided a detailed documentation about my work. The solutions produced respond to the problems, and they are functional. For the first mission, client machines can send S/MIME emails in a virtual network. For the second mission, the scripts and the tool provided allow to improve Microsoft Office 365 security score

Developing a security mechanism for software agents

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2006Includes bibliographical references (leaves: 73-76)Text in English; Abstract: Turkish and Englishx 76 leavesThis thesis proposes a message security solution on multi-agent systems. A general security analysis based on properties of software agents is presented along with an overview of security measures applicable to multi-agent systems. A security design and implementation has been developed to protect communication among agents. And this implementation scheme has been applied to Seagent, a semantic web enabled multi-agent framework. Hence, a set of agent security mechanisms have been adapted for Seagent and have been implemented for message confidentiality, integrity, authentication and nonrepudiation. Then these mechanisms have been tested for communication performance on Seagent

A trading model and security regime for mobile e-commerce via ad hoc wireless networking

Ad hoc wireless networking offers mobile computer users the prospect of trading with others in their vicinity anywhere anytime. This thesis explores the potential for developing such trading applications. A notable difficulty in designing their security services is being unable to use trusted parties. No one can be guaranteed present in each ad hoc wireless network session. A side benefit is that their costs don't have to be paid for. A reference model is defined for ad hoc m-commerce and a threat model is for- mulated of its security vulnerabilities. They are used to elicit security objectives and requirements for such trading systems. Possible countermeasures to address the threats are critically analysed and used to design security services to mitigate them. They include a self-organised P2P identity support scheme using PGP cer- tificates; a distributed reputation system backed by sanctions; a group membership service based on membership vouchers, quorate decisions by some group members and partial membership lists; and a security warning scheme. Security analysis of the schemes shows that they can mitigate the threats to an adequate degree to meet the trading system's security objectives and requirements if users take due care when trading within it. Formal verification of the system shows that it satisfies certain safety properties

WoT model for authenticity contents in virtual learning platforms

The following research proposal seeks to bring a model of security software on virtual learning platforms LCMS under all SCORM specifications to ensure the authenticity of content created under concepts of digital signature and identification of protocols and mechanisms to ensure such activities

Attribute-Based, Usefully Secure Email

A secure system that cannot be used by real users to secure real-world processes is not really secure at all. While many believe that usability and security are diametrically opposed, a growing body of research from the field of Human-Computer Interaction and Security (HCISEC) refutes this assumption. All researchers in this field agree that focusing on aligning usability and security goals can enable the design of systems that will be more secure under actual usage. We bring to bear tools from the social sciences (economics, sociology, psychology, etc.) not only to help us better understand why deployed systems fail, but also to enable us to accurately characterize the problems that we must solve in order to build systems that will be secure in the real world. Trust, a critically important facet of any socio-technical secure system, is ripe for analysis using the tools provided for us by the social sciences. There are a variety of scopes in which issues of trust in secure systems can be stud- ied. We have chosen to focus on how humans decide to trust new correspondents. Current secure email systems such as S/MIME and PGP/MIME are not expressive enough to capture the real ways that trust flows in these sorts of scenarios. To solve this problem, we begin by applying concepts from social science research to a variety of such cases from interesting application domains; primarily, crisis management in the North American power grid. We have examined transcripts of telephone calls made between grid manage- ment personnel during the August 2003 North American blackout and extracted several different classes of trust flows from these real-world scenarios. Combining this knowl- edge with some design patterns from HCISEC, we develop criteria for a system that will enable humans apply these same methods of trust-building in the digital world. We then present Attribute-Based, Usefully Secure Email (ABUSE) and not only show that it meets our criteria, but also provide empirical evidence that real users are helped by the system

Secure mobile multiagent systems in virtual marketplaces : a case study on comparison shopping

The growth of the Internet has deeply influenced our daily lives as well as our commercial structures. Agents and multiagent systems will play a major role in the further development of Internet-based applications like virtual marketplaces. However, there is an increasing awareness of the security problems involved. These systems will not be successful until their problems are solved. This report examines comparison shopping, a virtual marketplace scenario and an application domain for a mobile multiagent system, with respect to its security issues. The interests of the participants in the scenario, merchants and clients, are investigated. Potential security threats are identified and security objectives counteracting those threats are established. These objectives are refined into building blocks a secure multiagent system should provide. The building blocks are transformed into features of agents and executing platforms. Originating from this analysis, solutions for the actual implementation of these building blocks are suggested. It is pointed out under which assumptions it is possible to achieve the security goals, if at all