196 research outputs found

    Reducing risky security behaviours: utilising affective feedback to educate users

    Despite the number of tools created to help end-users reduce risky security behaviours, users are still falling victim to online attacks. This paper proposes a browser extension utilising affective feedback to provide warnings on detection of risky behaviour. The paper provides an overview of behaviour considered to be risky, explaining potential threats users may face online. Existing tools developed to reduce risky security behaviours in end-users have been compared, discussing the success rate of various methodologies. Ongoing research is described which attempts to educate users regarding the risks and consequences of poor security behaviour by providing the appropriate feedback on the automatic recognition of risky behaviour. The paper concludes that a solution utilising a browser extension is a suitable method of monitoring potentially risky security behaviour. Ultimately, future work seeks to implement an affective feedback mechanism within the browser extension with the aim of improving security awareness.

    The Emperor's New Clothes: The Shocking Truth About Digital Signatures and Internet Commerce

    This Article critiques a specific set of assumptions about a specific application of digital signature technology: that contracts will be formed over the Internet among parties with no prior relationships through reliance on digital signature certificates issued by trusted third parties to establish the identity of the parties. This application for digital signature technology was once seen as both its most ambitious and most promising application because, for parties with no prior knowledge of each other, there is not yet a reliable system of online identities in Internet commerce. Parties with an ongoing commercial relationship can absorb the cost of offline communications such as faxes, telephone calls or face-to-face meetings to negotiate and execute an agreement governing the setting up of a reliable system for online authentication of parties to wholly electronic transactions. Parties that want to rely exclusively on online communications to create the framework for contracting as well as to enter into contracts, however, face a problem of infinite regress: how can the online communications that set up the system for confirming online identities themselves be authenticated with nothing more to rely on than online communications? Many supporters of digital signatures believed legislation was essential to cut through this Gordian Knot. Legislation could authorize parties unable to use a prior relationship or offline communications to confirm the validity of online identities to rely on digital signature certificates instead. Much legislation regulating the use of digital signatures is based on an unstated premise: liabilities must be imposed by law because private agreements will not be adequate to the task of regulating this technology. This Article will summarize the original consensus regarding the role of digital signatures in electronic commerce, explain why that consensus was mistaken on many points, describe commercial applications of digital signatures that are gaining market share today and contrast them with the original consensus, and consider the implications of a major misperception of market trends for the future of electronic commerce legislation. A brief description of digital signatures and public key infrastructure is included in the appendix to this article.

    Recent advances in mobile touch screen security authentication methods: a systematic literature review

    The security of the smartphone touch screen has attracted considerable attention from academics as well as industry and security experts. The maximum security of the mobile phone touch screen is necessary to protect the user's stored information in the event of loss. Previous reviews in this research domain have focused primarily on biometrics and graphical passwords while leaving out PIN, gesture/pattern and others. In this paper, we present a comprehensive literature review of the recent advances made in mobile touch screen authentication techniques covering PIN, pattern/gesture, biometrics, graphical password and others. A new comprehensive taxonomy of the various multiple class authentication techniques is presented in order to expand the existing taxonomies on single class authentication techniques. The review reveals that the most recent studies that propose new techniques for providing maximum security to smartphone touch screens reveal multi-objective optimization problems. In addition, open research problems and promising future research directions are presented in the paper. Expert researchers can benefit from the review by gaining new insights into touch screen cyber security, and novice researchers may use this paper as a starting point for their inquiry.

    Can China Promote Electronic Commerce Through Law Reform? Some Preliminary Case Study Evidence

    The government of the People's Republic of China (P.R.C.) has announced its intention to make China a global leader in innovation by 2020. Many Chinese business leaders share this goal. The primary focus of this national strategy is to transform China into an exporter of high-technology products based on Chinese designs rather than merely a low cost, high volume manufacturer of products based on technology developed in other countries. This paper will examine the implications of this strategy with regard to the use of computerized management information systems by Chinese businesses, and its relationship to recent law reform efforts intended to promote greater use of electronic commerce among Chinese businesses. This paper considers three case studies of recent reforms of P.R.C. commercial law in light of their contributions to this strategy, and finds that the results so far are quite mixed. The first case study looks at a domestic standard for accounting software issued in 1989 that successfully removed obstacles to the greater use of computerized accounting systems by local businesses and promoted the growth of the domestic accounting software industry. The second and third case studies involve P.R.C. legislation based on model laws developed by the United Nations Commission on International Trade Law (UNCITRAL) to assist legislators in trading nations to harmonize their national commercial laws in order to eliminate barriers to international trade. The second case study looks at the inclusion of general electronic commerce enabling legislation in the 1999 Contract Law which in theory removed impediments to the use of electronic commerce by Chinese businesses but in reality appears to be too abstract and general to provide much certainty to parties wishing to form contracts using electronic media. The third case study looks at the 2004 Electronic Signature Law which promotes the use of a specific type of technology for authentication. While it is too soon to know whether this law will achieve its intended objectives in China, evidence from other countries with similar laws suggests that it may not.

    Enhancing Web Browsing Security

    Web browsing has become an integral part of our lives, and we use browsers to perform many important activities almost every day and everywhere. However, due to the vulnerabilities in Web browsers and Web applications and also due to Web users' lack of security knowledge, browser-based attacks are rampant over the Internet and have caused substantial damage to both Web users and service providers. Enhancing Web browsing security is therefore of great need and importance.

    This dissertation concentrates on enhancing Web browsing security through exploring and experimenting with new approaches and software systems. Specifically, we have systematically studied four challenging Web browsing security problems: HTTP cookie management, phishing, insecure JavaScript practices, and browsing on untrusted public computers. We have proposed new approaches to address these problems, and built unique systems to validate our approaches.

    To manage HTTP cookies, we have proposed an approach to automatically validate the usefulness of HTTP cookies at the client-side on behalf of users. By automatically removing useless cookies, our approach helps a user to strike an appropriate balance between maximizing usability and minimizing security risks. To protect against phishing attacks, we have proposed an approach to transparently feed a relatively large number of bogus credentials into a suspected phishing site. Using those bogus credentials, our approach conceals victims' real credentials and enables a legitimate website to identify stolen credentials in a timely manner. To identify insecure JavaScript practices, we have proposed an execution-based measurement approach and performed a large-scale measurement study. Our work sheds light on insecure JavaScript practices and especially reveals the severity and nature of insecure JavaScript inclusion and dynamic generation practices on the Web. To achieve secure and convenient Web browsing on untrusted public computers, we have proposed a simple approach that enables an extended browser on a mobile device and a regular browser on a public computer to collaboratively support a Web session. A user can securely perform sensitive interactions on the mobile device and conveniently perform other browsing interactions on the public computer.

    Political conspiracy in Napoleonic France: the Malet affair

    The French Revolution ushered in a period of political unrest in France which appeared never-ending, even when a seemingly stable government rose to power. After a series of failed Republican governments, Napoleon Bonaparte seized control on 18 Brumaire VIII, promising to uphold the revolutionary ideals that had permeated the nation. As time passed, however, it became clear that he aimed at gathering all political power for himself. With his consular and imperial regimes accepted by French citizens, Napoleon effectively returned the country to autocratic rule. Needing talented officials to serve in his military, ministries, and prefectures, Napoleon enlisted the services of men whose ideologies ranged from Republican, to monarchist, to imperialist. Relying on officials whose political beliefs conflicted with those of the current regime engendered instability within his new government, making it possible for any enterprising political hopeful to strike a devastating blow against the Empire. Throughout the Napoleonic era, many dissidents attempted to overthrow Bonaparte's regimes, but only one man achieved enough success to unsettle the Emperor's belief that his government was secure. General Claude-François de Malet was a fervent Republican and, despite frequent prison breaks and constant denunciations of Napoleon and his government, few people considered him a serious threat. Opinion would change after the night of 22 October 1812. The event, simply known as the Malet Conspiracy, was the single most successful coup attempted against the Napoleonic regime. During this attempt, Malet successfully deceived several high-ranking military officials, prompting them to place their troops under his control. The readiness with which these men followed Malet's orders without question speaks to the fragility of Napoleon's Empire, even among those he considered his most trustworthy devotees. Fearing that his Empire was on the verge of collapse, Napoleon chose to return to Paris from Russia only after hearing of the events set into motion by Malet. After the nearly successful attempt, it became clear to Napoleon that running an imperial government required close, personal supervision, especially in the homeland of liberté, égalité, and fraternité.

    Bridging the gap between human and machine trust: applying methods of user-centred design and usability to computer security

    This work presents methods for improving the usability of security. The work focuses on trust as part of computer security. Methods of usability and user-centred design present an essential starting point for the research. The work uses the methods these fields provide to investigate differences between machine and human trust, as well as how the technical expressions of trust could be made more usable by applying these methods. The thesis is based on nine publications, which present various possibilities to research trust with user-centric methods. The publications proceed chronologically and logically from the first user interviews about trust, trusting attitudes and behaviours in general to the actual design and usability testing of user interfaces for security applications, finally presenting the outcomes and conclusions of the research. The work also presents a review of relevant previous work in the area, concentrating on work done in the fields of usability and user-centred design. The work is of a cross-disciplinary nature, falling into the areas of human-computer interaction, computer science and telecommunications. The ultimate goal of the conducted research has been to find out 1) how trust is to be understood in this context; 2) what methods can be used to gain insight into trust thus defined; and, finally, 3) what means can be used to create trust in the end users in online situations, where trust is needed. The work aims at providing insight into how trust can be studied with the methods provided by user-centred design and usability. Further, it investigates how to take understanding of trust formation in humans into account when attempting to design trust-inducing systems and applications. The work includes an analysis and comparison of the methods used: what kinds of methods to study trust exist in the field of usability and user-centred design. Further, it evaluates, by applying a variety of these methods, what kind of results can be reached with the different methods available, and when. Recommendations for the appropriate application of these methods when studying the various parts of trust are one of the outcomes. The results obtained with the methods used have also been compared with results obtained by others by applying alternative methods to the same research questions. On a conceptual level, the work contains an analysis of the concept of trust. It also contains a brief investigation into both technical and humane ways to express trust, with a comparison between the two.