132 research outputs found

    Identification and Authentication: Technology and Implementation Issues

    Computer-based information systems in general, and Internet e-commerce and e-business systems in particular, employ many types of resources that need to be protected against access by unauthorized users. Three main components of access control are used in most information systems: identification, authentication, and authorization. In this paper we focus on authentication, which is the most problematic component. The three main approaches to user authentication are: knowledge-based, possession-based, and biometric-based. We review and compare the various authentication mechanisms of these approaches and the technology and implementation issues they involve. Our conclusion is that there is no silver bullet solution to user authentication problems. Authentication practices need improvement. Further research should lead to a better understanding of user behavior and the applied psychology aspects of computer security

    Measuring IS User Satisfaction: Review and Implications

    Demand for a means of measuring the success of information systems (IS) grew with the accelerated use of these systems. Defining success in this context is difficult. This paper reviews the literature on measuring IS user satisfaction, the most prevalent measure of IS success, and its implications. We present the problematic aspects of the IS user satisfaction tools, and discuss the need to develop up-to-date tools suitable for the sophisticated and complex systems developed today

    Key issues in information system management: The DoD perspective

    The article of record as published may be found at https://doi.org/10.1080/0743017930840558

    What Can Be Learned from CMMi Failures?

    The software crisis has been around since 1968 when NATO first identified the problematic nature of software development. In recognition of the need to manage the process of software development many methodologies have been proposed over the years. A recent contribution to this rich set of rigorous software development methodologies is the Software Engineering Institute's (SEI) Capability Maturity Model Integration (CMMi) methodology. While the minimal previous research on CMMi has extolled it, learning how to implement CMMi successfully requires learning also from its failures. And yet, despite apparent anecdotes, little is known on this topic possibly because of the reluctance of many companies to wash their dirty linen in public. Based on a set of in-depth interviews accompanied with survey verification, this study examines the assessed effectiveness and efficiency of CMMi as implemented in several projects in a large high tech company in which only low levels of CMMi maturity were reached. In an exploratory manner this study shows the need to differentiate between the quality of the software product developed through CMMi and the quality of the process involved. The study also shows that whether the product is an off the shelf product or a customized one has a direct bearing on the quality of the product developed under CMMi methodology and the process itself. In particular, we discuss why some projects reach only a low maturity level of CMMi even though the organization as a whole might typically reach high maturity levels.

    A Comprehensive Methodology for Computer-Family Selection

    This paper presents a selection methodology for a computer-family. The proposed methodology incorporates the Analytic Hierarchy Process in the evaluation procedure and aims at helping organizations in selecting a family of computers from a manufacturer's product line, rather than a specific computer model. The practice of computer selection and the existing solutions for a computer-family selection procedure are briefly described. Then, Saaty's Analytic Hierarchy Process is presented and incorporated into the selection methodology. The result is a structured and comprehensive methodology that allows decision makers to rank the alternatives more objectively and select a computer-family that best fits the needs of the entire organization. Illustrative examples are embedded in the text to demonstrate the application of the various steps in the proposed methodology. (kr)

    Research Council of the Naval Postgraduate School. http://archive.org/details/comprehensivemet00zvir O&MN, Direct Funding. NA. Approved for public release; distribution is unlimited.

    Resume of Moshe E. Zviran, 1993-10

    Naval Postgraduate School Faculty Resum

    Facelock: familiarity-based graphical authentication

    Authentication codes such as passwords and PIN numbers are widely used to control access to resources. One major drawback of these codes is that they are difficult to remember. Account holders are often faced with a choice between forgetting a code, which can be inconvenient, or writing it down, which compromises security. In two studies, we test a new knowledge-based authentication method that does not impose memory load on the user. Psychological research on face recognition has revealed an important distinction between familiar and unfamiliar face perception: When a face is familiar to the observer, it can be identified across a wide range of images. However, when the face is unfamiliar, generalisation across images is poor. This contrast can be used as the basis for a personalised ‘facelock’, in which authentication succeeds or fails based on image-invariant recognition of faces that are familiar to the account holder. In Study 1, account holders authenticated easily by detecting familiar targets among other faces (97.5% success rate), even after a one-year delay (86.1% success rate). Zero-acquaintance attackers were reduced to guessing (<1% success rate). Even personal attackers who knew the account holder well were rarely able to authenticate (6.6% success rate). In Study 2, we found that shoulder-surfing attacks by strangers could be defeated by presenting different photos of the same target faces in observed and attacked grids (1.9% success rate). Our findings suggest that the contrast between familiar and unfamiliar face recognition may be useful for developers of graphical authentication systems

    Performance measures of net-enabled hypercompetitive industries: the case of tourism

    This paper investigates the theory and practice of e-metrics. It examines the tourism sector as one of the most successful sectors on-line and identifies best practice in the industry. Qualitative research with top e-Marketing executives demonstrates the usage and satisfaction levels from current e-metrics deployment, selection of e-metrics for ROI calculation as well as intention of new e-metrics implementation and future trends and developments. This paper concludes that tourism organizations gradually realise the value of e-measurement and are willing to implement e-metrics to enable them to evaluate the effectiveness of their planning processes and assess their results against their short and long term objectives.

    Assessing the User Experience of Password Reset Policies in a University

    Organisations may secure system access through use of passwords that comply with defined complexity rules. It may be required that passwords be changed regularly, using an in-person or online helpdesk. Helpdesk logs record password change events and support requests, but overlook the impact of compliance upon end-user productivity. System managers are not incentivised to investigate these impacts, so productivity costs remain with the end-user. We investigate how helpdesk log data can be analysed and augmented to expose the personal costs. Here we describe exploratory analysis of a university’s helpdesk log data, spanning 30 months and 500,000 system events for approximately 10,000 staff and 20,000-plus students. End-user costs were identified, where follow-on interviews and NASA-RTLX assessments with 20 students informed issues which log data did not adequately describe. The majority of users reset passwords before expiration (75% of log events). Log analysis indicated that the online self-service system was vastly preferred to the helpdesk, but that there was a 4:1 ratio of failed to successful attempts to recover account access. Log data did not describe the effort in managing passwords, where interviews exposed points of frustration. Participants saw the need for security but voiced a lack of understanding of the numerous restrictions on passwords. Frustrations led to adoption of diverse coping strategies. We propose ways to improve support, including real-time communication of reasons for failed password creation attempts, and measurement of timing for both successful and failed login attempts