Proceedings of the Designing interactive secure systems workshop (DISS 2012).

In recent years, the field of usable security has attracted researchers from HCI and Information Security, and led to a better understanding of the interplay between human factors and security mechanisms. Despite these advances, designing systems which are both secure in, and appropriate for, their contexts of use continues to frustrate both researchers and practitioners. One reason is a misunderstanding of the role that HCI can play in the design of secure systems. A number of eminent security researchers and practitioners continue to espouse the need to treat people as the weakest link, and encourage designers to build systems that Homer Simpson can use. Unfortunately, treating users as a problem can limit the opportunities for innovation when people are engaged as part of a solution. Similarly, while extreme characters (such as Homer) can be useful for envisaging different modes of interaction, when taken out of context they risk disenfranchising the very people the design is meant to support. Better understanding the relationship between human factors and the design of secure systems is an important step forward, but many design research challenges still remain. There is growing evidence that HCI design artefacts can be effective at supporting secure system design, and that some alignment exists between HCI, security, and software engineering activities. However, more is needed to understand how broader insights from the interactive system design and user experience communities might also find traction in secure design practice. For these insights to lead to design practice innovation, we also need usability and security evaluation activities that better support interaction design, together with software tools that augment, rather than hinder, these design processes. Last, but not least, we need to share experiences and anecdotes about designing usable and secure systems, and reflect on the different ways of performing and evaluating secure interaction design research. The objective of this workshop is to act as a forum for those interested in the design of interactive secure systems. By bringing together a like-minded community of researchers and practitioners, we hope to share knowledge gleaned from recent research, as well as experiences designing secure and usable systems in practice

Holistic Blockchain Approach to Foster Trust, Privacy and Security in IoT Based Ambient Assisted Living Environment

The application of blockchains techniques in the Internet of Things (IoT) is gaining much attention with new solutions proposed in diverse areas of the IoT. Conventionally IoT systems are designed to follow the centralised paradigm where security and privacy control is vested on a 'trusted' third-party. This design leaves the user at the mercy of a sovereign broker and in addition, susceptible to several attacks. The implicit trust and the inferred reliability of centralised systems have been challenged recently following several privacy violations and personal data breaches. Consequently, there is a call for more secure decentralised systems that allows for finer control of user privacy while providing secure communication. Propitiously, the blockchain holds much promise and may provide the necessary framework for the design of a secure IoT system that guarantees fine-grained user privacy in a trustless manner. In this paper, we propose a holistic blockchain-based decentralised model for Ambient Assisted Living (AAL) environment. The nodes in our proposed model utilize smart contracts to define interaction rules while working collaboratively to contribute storage and computing resources. Based on the blockchain technique, our proposed model promotes trustless interaction and enhanced user's privacy through the blockchain-Interplanetary File System (IPFS) alliance. The proposed model also addresses the shortfall of storage constraints exhibited in many IoT systems

Integrating security and usability into the requirements and design process

According to Ross Anderson, 'Many systems fail because their designers protect the wrong things or protect the right things in the wrong way'. Surveys also show that security incidents in industry are rising, which highlights the difficulty of designing good security. Some recent approaches have targeted security from the technological perspective, others from the human–computer interaction angle, offering better User Interfaces (UIs) for improved usability of security mechanisms. However, usability issues also extend beyond the user interface and should be considered during system requirements and design. In this paper, we describe Appropriate and Effective Guidance for Information Security (AEGIS), a methodology for the development of secure and usable systems. AEGIS defines a development process and a UML meta-model of the definition and the reasoning over the system's assets. AEGIS has been applied to case studies in the area of Grid computing and we report on one of these

Continuous Authentication for Voice Assistants

Voice has become an increasingly popular User Interaction (UI) channel, mainly contributing to the ongoing trend of wearables, smart vehicles, and home automation systems. Voice assistants such as Siri, Google Now and Cortana, have become our everyday fixtures, especially in scenarios where touch interfaces are inconvenient or even dangerous to use, such as driving or exercising. Nevertheless, the open nature of the voice channel makes voice assistants difficult to secure and exposed to various attacks as demonstrated by security researchers. In this paper, we present VAuth, the first system that provides continuous and usable authentication for voice assistants. We design VAuth to fit in various widely-adopted wearable devices, such as eyeglasses, earphones/buds and necklaces, where it collects the body-surface vibrations of the user and matches it with the speech signal received by the voice assistant's microphone. VAuth guarantees that the voice assistant executes only the commands that originate from the voice of the owner. We have evaluated VAuth with 18 users and 30 voice commands and find it to achieve an almost perfect matching accuracy with less than 0.1% false positive rate, regardless of VAuth's position on the body and the user's language, accent or mobility. VAuth successfully thwarts different practical attacks, such as replayed attacks, mangled voice attacks, or impersonation attacks. It also has low energy and latency overheads and is compatible with most existing voice assistants

Assistive multimodal robotic system (AMRSys): security and privacy issues, challenges, and possible solutions

Assistive robotic systems could be a suitable solution to support a variety of health and care services, help independent living, and even simulate affection, to reduce loneliness. However, adoption is limited by several issues, as well as user concerns about ethics, data security, and privacy. Other than the common threats related to internet connectivity, personal robotic systems have advanced interaction possibilities, such as audio, video, touch, and gestures, which could be exploited to gain access to private data that are stored in the robot. Therefore, novel, safer methods of interaction should be designed to safeguard users’ privacy. To solicit further research on secure and private multimodal interaction, this article presents a thorough study of the state-of-the-art literature on data security and user privacy in interactive social robotic systems for health and care. In our study, we focus on social robotics to assist older people, which is a global challenge that is receiving a great deal of attention from the robotics and social care communities. This application will have a significant positive impact on the economy and society, but poses various security and privacy issues. This article analyses the key vulnerable areas where data leakage could occur during a multimodal interaction with a personal assistive robotic system. Thus, blockchain with a resource-aware framework, along with a continuous multifactor authentication mechanism, are envisaged as a potential solution for making such systems secure by design; therefore, increasing trust, acceptability, and adoption. Among the key cybersecurity research challenges, it is crucial to create an intelligent mechanism that autonomously determines the right trade-off between continuous user prompts and system usability, according to data types and personal preferences

Security and Online learning: to protect or prohibit

The rapid development of online learning is opening up many new learning opportunities. Yet, with this increased potential come a myriad of risks. Usable security systems are essential as poor usability in security can result in excluding intended users while allowing sensitive data to be released to unacceptable recipients. This chapter presents findings concerned with usability for two security issues: authentication mechanisms and privacy. Usability issues such as memorability, feedback, guidance, context of use and concepts of information ownership are reviewed within various environments. This chapter also reviews the roots of these usability difficulties in the culture clash between the non-user-oriented perspective of security and the information exchange culture of the education domain. Finally an account is provided of how future systems can be developed which maintain security and yet are still usable

Survey and Systematization of Secure Device Pairing

Secure Device Pairing (SDP) schemes have been developed to facilitate secure communications among smart devices, both personal mobile devices and Internet of Things (IoT) devices. Comparison and assessment of SDP schemes is troublesome, because each scheme makes different assumptions about out-of-band channels and adversary models, and are driven by their particular use-cases. A conceptual model that facilitates meaningful comparison among SDP schemes is missing. We provide such a model. In this article, we survey and analyze a wide range of SDP schemes that are described in the literature, including a number that have been adopted as standards. A system model and consistent terminology for SDP schemes are built on the foundation of this survey, which are then used to classify existing SDP schemes into a taxonomy that, for the first time, enables their meaningful comparison and analysis.The existing SDP schemes are analyzed using this model, revealing common systemic security weaknesses among the surveyed SDP schemes that should become priority areas for future SDP research, such as improving the integration of privacy requirements into the design of SDP schemes. Our results allow SDP scheme designers to create schemes that are more easily comparable with one another, and to assist the prevention of persisting the weaknesses common to the current generation of SDP schemes.Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications Surveys & Tutorials 2017 (Volume: PP, Issue: 99

Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science

e-Science projects face a difficult challenge in providing access to valuable computational resources, data and software to large communities of distributed users. Oil the one hand, the raison d'etre of the projects is to encourage members of their research communities to use the resources provided. Oil the other hand, the threats to these resources from online attacks require robust and effective Security to mitigate the risks faced. This raises two issues: ensuring that (I) the security mechanisms put in place are usable by the different users of the system, and (2) the security of the overall system satisfies the security needs of all its different stakeholders. A failure to address either of these issues call seriously jeopardise the success of e-Science projects.The aim of this paper is to firstly provide a detailed understanding of how these challenges call present themselves in practice in the development of e-Science applications. Secondly, this paper examines the steps that projects can undertake to ensure that security requirements are correctly identified, and security measures are usable by the intended research community. The research presented in this paper is based Oil four case studies of c-Science projects. Security design traditionally uses expert analysis of risks to the technology and deploys appropriate countermeasures to deal with them. However, these case studies highlight the importance of involving all stakeholders in the process of identifying security needs and designing secure and usable systems.For each case study, transcripts of the security analysis and design sessions were analysed to gain insight into the issues and factors that surround the design of usable security. The analysis concludes with a model explaining the relationships between the most important factors identified. This includes a detailed examination of the roles of responsibility, motivation and communication of stakeholders in the ongoing process of designing usable secure socio-technical systems such as e-Science. (C) 2007 Elsevier Ltd. All rights reserved