11 research outputs found

    Quantifying the security advantage of password expiration policies


    Modeling inertia causatives: validating in the password manager adoption context

    Cyber criminals are benefiting from the fact that people do not take the required precautions to protect their devices and communications. It is the equivalent of leaving their home’s front door unlocked and unguarded, something no one would do. Many efforts are made by governments and other bodies to raise awareness, but this often seems to fall on deaf ears. People seem to resist changing their existing cyber security practices: they demonstrate inertia. Here, we propose a model and instrument for investigating the factors that contribute towards this phenomenon

    Information security plan for a micro enterprise

    The purpose of this work was to study possible information security shortcomings in micro enterprises and to provide usable advice for improving their security. This work did not attempt to achieve perfection; it is intended to serve as a basis for smaller companies. The work studied the information security of an imaginary micro enterprise with fewer than 10 employees. The company's information security needs were devised using partial information from a local company as a basis, on top of which problems were constructed. Improvement proposals were made according to the problems of the company defined in the work. Physical information security was dealt with mainly from the perspective of protecting and maintaining equipment. Prevention of physical risks was also taken into account. Water damage and power outages were seen as possible infrastructure risk factors for information security. Human error and possible thefts were also seen as possible risk factors. On the digital side, securing the company's connections was an important part of this work. Connections were secured by acquiring the right and necessary equipment. Acquiring a new firewall device as an extension to the old modem/router was identified as a good solution for this task. The lack of proper backups was also seen as a major risk factor for the continuity of information security. This was corrected by acquiring the necessary equipment for two new backups. A password policy, which the company did not previously have, was also created. Information security was covered relatively broadly, and the work addressed matters appropriate to micro enterprises. Solutions too complex for a micro enterprise were not studied; the work stayed with important and logical options that improve information security. Cost was also taken into account as part of the changes made at the company

    Modeling inertia causatives

    Cyber criminals are benefiting from the fact that people do not take the required precautions to protect their devices and communications. It is the equivalent of leaving their home's front door unlocked and unguarded, something no one would do. Many efforts are made by governments and other bodies to raise awareness, but this often seems to fall on deaf ears. People seem to resist changing their existing cyber security practices: they demonstrate inertia. Here, we propose a model and instrument for investigating the factors that contribute towards this phenomenon

    Addressing Misconceptions About Password Security Effectively

    Nowadays, most users need more passwords than they can handle. Consequently, users have developed a multitude of strategies to cope with this situation. Some of these coping strategies are based on misconceptions about password security. In such cases, the users are unaware of their insecure password practices. Addressing the misconceptions is vital in order to decrease insecure coping strategies. We conducted a systematic literature review with the goal of providing an overview of the misconceptions about password security. Our literature review revealed that misconceptions exist in basically all aspects of password security. Furthermore, we developed interventions to address these misconceptions. Then, we evaluated the interventions' effectiveness in decreasing the misconceptions at three small and medium-sized enterprises (SMEs). Our results show that the interventions decrease the overall prevalence of misconceptions significantly among the participating employees

    Costs and benefits of authentication advice

    When it comes to passwords, conflicting advice can be found everywhere. Different sources give different types of advice related to authentication. In this paper such advice is studied. First, using a sample collection of authentication advice, we observe that different organizations' advice is often contradictory and at odds with current research. We highlight the difficulties organizations and users have when determining which advice is worth following. Consequently, we develop a model for identifying the costs of advice. Our model incorporates factors that affect organizations and users, including, for example, usability aspects. Similarly, we model the security benefits brought by such advice. We then apply these models to our taxonomy of advice to indicate the potential effectiveness of the security recommendations. We find that organizations experience fewer costs than users as a result of authentication policies. Reassuringly, the advice our model has classified as good or bad is in line with the NIST 2017 digital authentication guidelines

    Hardening and architecture of an industrial control system in a virtualized environment

    Virtualization is widely used in traditional ICT in order to share hardware resources between separate software applications while also creating isolation. This makes it possible to more efficiently utilize hardware resources as isolation doesn't require running software on separate hardware servers. Virtualization offers features like fault tolerance and the ability to create easily managed test environments. Such features are also desirable in designing and maintaining automation systems. Industrial control systems and their requirements differ significantly from traditional ICT, however. Security and reliability are of critical concern in ICS, and the effects of introducing new technology need to be thoroughly considered. Many practices that may be well-established and trusted in ICT can't be used directly in ICS, if at all. Industrial automation uses highly specialized solutions, and security measures can hinder or prevent system performance. This thesis presents the main challenges and solutions related to using virtualization in industrial automation, with a focus on security and hardening. The virtualization platform used is VMware's vSphere 6.5, and thus the practical recommendations are aimed at VMware products. Much of the general design and security principles are also applicable in environments using different virtualization software. Automation systems are complex, and maintaining virtualization adds its own operational workload. Available scripting languages and programming interfaces are researched to find ways to decrease this workload by automating some of the maintenance tasks. Automation systems are very heterogeneous and the integration of virtualization needs a lot of additional case specific consideration and practical work. Still, many of the established ICT solutions addressing virtualization security and hardening problems are found suitable for use in the ICS domain with some special considerations. 
Using the available VMware APIs and scripting solutions, practical tools that automate security checks and hardening of virtual environments were developed

    Secure and Usable User Authentication

    Authentication is a ubiquitous task in users' daily lives. The dominant form of user authentication is the text password. Text passwords protect private accounts like online banking, gaming, and email, but also assets in organisations. Yet, many issues are associated with text passwords, leading to challenges faced by both users and organisations. This thesis contributes to the body of research enabling secure and usable user authentication, benefiting both users and organisations. To that end, it addresses three distinct challenges. The first challenge addressed in this thesis is the creation of correct, complete, understandable, and effective password security awareness materials. To this end, a systematic process for the creation of awareness materials was developed and applied to create a password security awareness material. This process comprises four steps. First, relevant content for an initial version is aggregated (i.e. descriptions of attacks on passwords and user accounts, descriptions of defences against these attacks, and common misconceptions about password and user account security). Then, feedback from information security experts is gathered to ensure the correctness and completeness of the awareness material. Thereafter, feedback from lay users is gathered to ensure the understandability of the awareness material. Finally, a formal evaluation of the awareness material is conducted to ensure its effectiveness (i.e. whether the material improves participants' ability to assess the security of passwords as well as password-related behaviour and decreases the prevalence of common misconceptions about password and user account security). The results of the evaluation show the effectiveness of the awareness material: it significantly improved the participants' ability to assess the security of password-related behaviour as well as passwords and significantly decreased the prevalence of misconceptions about password and user account security. 
The second challenge addressed in this thesis is shoulder-surfing resistant text password entry with gamepads (as an example of very constrained input devices) in shared spaces. To this end, the very first investigation of text password entry with gamepads is conducted. First, the requirements of authentication in the gamepad context are described. Then, these requirements are applied to assess schemes already deployed in the gamepad context and shoulder-surfing resistant authentication schemes from the literature proposed for non-gamepad contexts. The results of this assessment show that none of the currently deployed schemes and only four of the proposals in the literature fulfil all requirements. Furthermore, the results of the assessment also indicate a need for an empirical evaluation in order to gauge exactly the shoulder-surfing threat in the gamepad context and to compare alternatives to the incumbent on-screen keyboard. Based on these results, two user studies (one online study and one lab study) are conducted to investigate the shoulder-surfing resistance and usability of three authentication schemes in the gamepad context: the on-screen keyboard (as de-facto standard in this context), the grid-based scheme (an existing proposal from the literature identified during the assessment as the most viable candidate adaptable to the gamepad context), and Colorwheels (a novel shoulder-surfing resistant authentication scheme specifically designed for the gamepad context). The results of these two user studies show that on-screen keyboards are highly susceptible to opportunistic shoulder-surfing, but also show the most favourable usability properties among the three schemes. Colorwheels offers the most robust shoulder-surfing resistance and scores highest with respect to participants' intention to use it in the future, while showing more favourable usability results than the grid-based scheme. 
The third challenge addressed in this thesis is secure and efficient storage of passwords in portfolio authentication schemes. Portfolio authentication is used to counter capture attacks such as shoulder-surfing or eavesdropping on network traffic. While usability studies of portfolio authentication schemes showed promising results, a verification scheme that allows secure and efficient storage of the portfolio authentication secret had been missing until now. To remedy this problem, the (t,n)-threshold verification scheme is proposed. It is based on secret sharing and key derivation functions. The security as well as the efficiency properties of two variants of the scheme (one based on Blakley secret sharing and one based on Shamir secret sharing) are evaluated against each other and against a naive approach. These evaluations show that the two (t,n)-threshold verification scheme variants always exhibit more favourable properties than the naive approach and that, when deciding between the two variants, the exact application scenario must be considered. Three use cases, serving as exemplary application scenarios, illustrate the versatility of the proposed (t,n)-threshold verification scheme. By addressing the aforementioned three distinct challenges, this thesis demonstrates the breadth of the field of usable and secure user authentication, ranging from awareness materials, to the assessment and evaluation of authentication schemes, to applying cryptography to craft secure password storage solutions. The research processes, results, and insights described in this thesis represent important and meaningful contributions to the state of the art in research on usable and secure user authentication, offering benefits for users, organisations, and researchers alike

    A model for secure and usable passphrases for multilingual users

    Research on more than 100 million passwords that have been leaked to the public domain has uncovered various security limitations associated with user-generated short passwords. Long passwords (passphrases) are considered an alternative solution that could provide a balance between security and usability. However, the literature shows a lack of consistency regarding the security and usability contributions of passphrases. For example, studies that investigated passphrase security focusing on structural dependencies at the character level found passphrases to be secure. Conversely, other research findings suggest that passphrase security could be compromised by the use of predictable grammatical rules, popular words in a natural language and keyboard patterns. This is further exacerbated by research on passphrases being focused on the Global North. This is a major concern given that results from inter-cultural studies suggest that local languages do influence password structure and, to some extent, password usability and security. To address these gaps in the literature, this study used socio-technical theory, which emphasises both the social and technical aspects of the phenomenon under study. Psychological studies show that memory has limited capacity, something that threatens password usability; hence the need to utilise information that is already known during password generation. Socio-cultural theory suggests that the information already known by users is contextually informed, hence socio-cultural theory was applied to understand the contextual factors that could be used to enhance passphrase security and usability. With reference to the Southern African context, this study argues that system designers should take advantage of a multilingual user group and encourage the generation of passphrases that are based on substrings from different languages. 
This study went on to promote the use of multilingual passphrases instead of emphasising multi-character-class passwords. This study was guided by design science research. Participants were invited to take part in a short password and multilingual passphrase generation and recall experiment that was made available using a web-based application. These passwords were generated by participants under pre-specified conditions. Quantitative and qualitative data were gathered. The study findings showed the use of both African and Indo-European languages in multilingual passphrases and short passwords. English-oriented passwords and substrings dominated the multilingual passphrase and short password corpora. In addition, some of the short passwords and substrings in the multilingual passphrase corpora were found among the most common passwords of 2016, 2017 and 2018. Usability tests showed that multilingual passphrases are usable, even though they were not as easy to create and recall as short passwords. A high rate of password reuse during short password generation by participants might have worked in favour of short passwords. Nonetheless, participants appear to experience better usability with multilingual passphrases over time due to repeated use. Females struggled to recall short passwords and multilingual passphrases when compared to their male counterparts. Security tests using the Probabilistic Context-Free Grammar suggest that short passwords are weaker, with just over 50% of the short passwords being guessed, while none of the multilingual passphrases were guessed. Further analysis showed that short passwords oriented towards an Indo-European language were more easily guessed than African-language-oriented short passwords. 
As such, this study encourages orienting passwords towards African languages while the use of multilingual passphrases is expected to offer more security. The use of African languages and multilingual passphrases by a user group that is biased towards English-oriented passwords could enhance security by increasing the search space