19 research outputs found

    Towards Enhanced Usability of IT Security Mechanisms - How to Design Usable IT Security Mechanisms Using the Example of Email Encryption

    Nowadays, advanced security mechanisms exist to protect data, systems, and networks. Most of these mechanisms are effective, and security experts can handle them to achieve a sufficient level of security for any given system. However, most of these systems have not been designed with focus on good usability for the average end user. Today, the average end user often struggles with understanding and using security mechanisms. Other security mechanisms are simply annoying for end users. As the overall security of any system is only as strong as the weakest link in this system, bad usability of IT security mechanisms may result in operating errors, resulting in insecure systems. Buying decisions of end users may be affected by the usability of security mechanisms. Hence, software providers may decide to better have no security mechanism than one with a bad usability. Usability of IT security mechanisms is one of the most underestimated properties of applications and systems. Even IT security itself is often only an afterthought. Hence, usability of security mechanisms is often the afterthought of an afterthought. This paper presents some guidelines that should help software developers to improve end user usability of security-related mechanisms, and analyzes common applications based on these guidelines. Based on these guidelines, the usability of email encryption is analyzed and an email encryption solution with increased usability is presented. The approach is based on an automated key and trust management. The compliance of the proposed email encryption solution with the presented guidelines for usable security mechanisms is evaluated.

    User-Centric IT Security - How to Design Usable Security Mechanisms

    Nowadays, advanced security mechanisms exist to protect data, systems, and networks. Most of these mechanisms are effective, and security experts can handle them to achieve a sufficient level of security for any given system. However, most of these systems have not been designed with focus on good usability for the average end user. Today, the average end user often struggles with understanding and using security mechanisms. Other security mechanisms are simply annoying for end users. As the overall security of any system is only as strong as the weakest link in this system, bad usability of IT security mechanisms may result in operating errors, resulting in insecure systems. Buying decisions of end users may be affected by the usability of security mechanisms. Hence software providers may decide to better have no security mechanism than one with a bad usability. Usability of IT security mechanisms is one of the most underestimated properties of applications and systems. Even IT security itself is often only an afterthought. Hence, usability of security mechanisms is often the afterthought of an afterthought. Software developers are missing guidelines on how to build security mechanisms with good usability for end users. This paper presents some guidelines that should help software developers to improve end user usability of security-related mechanisms, and analyzes common applications based on these guidelines. Comment: arXiv admin note: substantial text overlap with arXiv:1506.0698

    Who influences information security behaviours of young home computer users in Vietnam? An ego-centric network analysis approach

    This study aims to explore the social roles of the people who can influence young home computer users (HCUs) in Vietnam, as well as the interactions that make those people influential. Since HCUs are considered the weakest link in the security chain and cyber-threats can attack organisation’s information systems indirectly via these HCUs, it is therefore necessary to identify their sources of security influence for designing effective intervention. To this end, the ego-centric network analysis approach was employed to analyse the personal networks of security influence of 116 HCUs, comprising 548 influential sources in total. Close relationships such as family members, partners, friends, and colleagues were predominantly nominated as capable of influencing HCUs’ security behaviours. Furthermore, these sources influence the HCUs by possessing the power bases of expert, reward, and coercive, as well as holding legitimate positions that make them influential

    Improving Desktop System Security Using Compartmentalization

    abstract: Compartmentalizing access to content, be it websites accessed in a browser or documents and applications accessed outside the browser, is an established method for protecting information integrity [12, 19, 21, 60]. Compartmentalization solutions change the user experience, introduce performance overhead and provide varying degrees of security. Striking a balance between usability and security is not an easy task. If the usability aspects are neglected or sacrificed in favor of more security, the resulting solution would have a hard time being adopted by end-users. The usability is affected by factors including (1) the generality of the solution in supporting various applications, (2) the type of changes required, (3) the performance overhead introduced by the solution, and (4) how much the user experience is preserved. The security is affected by factors including (1) the attack surface of the compartmentalization mechanism, and (2) the security decisions offloaded to the user. This dissertation evaluates existing solutions based on the above factors and presents two novel compartmentalization solutions that are arguably more practical than their existing counterparts. The first solution, called FlexICon, is an attractive alternative in the design space of compartmentalization solutions on the desktop. FlexICon allows for the creation of a large number of containers with small memory footprint and low disk overhead. This is achieved by using lightweight virtualization based on Linux namespaces. FlexICon uses two mechanisms to reduce user mistakes: 1) a trusted file dialog for selecting files for opening and launching it in the appropriate containers, and 2) a secure URL redirection mechanism that detects the user’s intent and opens the URL in the proper container. FlexICon also provides a language to specify the access constraints that should be enforced by various containers. 
The second solution, called Auto-FBI, deals with web-based attacks by creating multiple instances of the browser and providing mechanisms for switching between the browser instances. The prototype implementation for Firefox and Chrome uses system call interposition to control the browser’s network access. Auto-FBI can be ported to other platforms easily due to simple design and the ubiquity of system call interposition methods on all major desktop platforms. Dissertation/Thesis, Doctoral Dissertation, Computer Science 201

    Looking Back on the Windows XP Era from an Information Security Perspective: An Analysis of Newspaper Articles

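    Twelve years after Windows XP appeared in 2001, its extended support came to an end. During that time, the number of general users grew, high-speed communication environments became established, and general users came to publish information in a variety of ways, such as blogs and social networking services. Meanwhile, malicious threats targeting general users, such as viruses and spyware, became more active and more sophisticated. We analyzed newspaper articles on information security from 2000 to 2014, looked back at the changes in the Internet environment during the Windows XP era, and examined how the security awareness of general users has been raised. Newspapers are an important means for general users to learn what they need to know to use the Internet safely. If security information in the future also conveys the basics of how a PC is structured and how the Internet connects, users' understanding will deepen further and they will come to take security measures proactively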

    Exploring factors that affect adoption of computer security practices among college students

    Cyber-attacks threaten the security of computer users’ information, networks, machines, and privacy. Studies of computer security education, awareness, and training among ordinary computer users, college students, non-IT-oriented user groups, and non-technically trained citizens are limited. Most research has focused on computer security standards and guidelines in organizational contexts. Few studies have analyzed the predictors of college students’ adoption of computer security practices. Based on a comprehensive literature review, researchers have relied heavily on well-established behavioral theories, such as the technology acceptance model (TAM), theory of planned behavior (TPB), and protection motivation theory (PMT) to explain the variation in adoption of computer security practices among college students. This dissertation builds on this growing body of scholarship by blending those three into a single conceptual framework with the objective of finding the factors influencing the adoption of computer security practices among college students. This research tested the empirical fit of a model based on the technology acceptance model, theory of planned behavior, and protection motivation theory in explaining the variation in college students’ responses to a set of questions on their likelihood of adopting computer security practices. The model included the following independent variables: perceived vulnerability, perceived severity, response efficacy, computer self-efficacy, attitudes, subjective norms, perceived behavioral control, perceived ease of use, perceived usefulness, and awareness. The demographic variables (age, gender, education level, major, college, and IT experience) were used as control variables moderating the relationship between the cited independent variables and dependent variable. 
The dependent variable was computer security practices based on a composed scale of four items asking students to what extent they check, verify, or exercise caution in opening emails and attachments. Based on a 301 convenience sample collected at a Midwestern University, the analysis resulted in the significance of perceived vulnerability, perceived ease of use, and perceived usefulness. This finding suggests that the TAM enjoys empirical support in the study of computer security practices unlike the TPB or PMT. Results of this study should encourage university administrators to create workshops on teaching students the usefulness and ease of adopting computer security practices. Experimental research is highly encouraged because survey research suffers from several weaknesses such as social desirability

    I Think They're Trying To Tell Me Something: Advice Sources and Selection for Digital Security

    Users receive a multitude of digital- and physical-security advice every day. Indeed, if we implemented all the security advice we received, we would never leave our houses or use the Internet. Instead, users selectively choose some advice to accept and some (most) to reject; however, it is unclear whether they are effectively prioritizing what is most important or most useful. If we can understand from where users take security advice and how they subsequently develop security behaviors, we can develop more effective security interventions. As a first step, we conducted 25 semi-structured interviews of security-sensitive (those users who deal with sensitive data or hold security clearances) and general users. These interviews resulted in several key findings: (1) users' main sources of digital-security advice include IT professionals, workplaces, and negative events, whether experienced personally or retold through TV; (2) users determine whether to accept digital-security advice based on the trustworthiness of the advice-source, as they feel inadequately able to evaluate the advice content; (3) users reject advice for many reasons, from believing that someone else is responsible for their security to finding that the advice contains too much marketing material or threatens their privacy; and (4) security-sensitive users differ from general users in a number of ways, including feeling that digital-security advice is more useful in their day-to-day lives and relying heavily on their workplace as a source of security information. These and our other findings inform a set of design recommendations for enhancing the efficacy of digital-security advice