  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

Security in Practice: Examining the Collaborative Management of Sensitive Information in Childcare Centers and Physicians' Offices

Vega, Laurian 06 May 2011
Traditionally, security has been conceptualized as rules, locks, and passwords. More recently, security research has explored how people interact in secure (or insecure) ways in part of a larger socio-technical system. Socio-technical systems are comprised of people, technology, relationships, and interactions that work together to create safe praxis. Because information systems are not just technical, but also social, the scope of privacy and security concerns must include social and technical factors. Clearly, computer security is enhanced by developments in the technical arena, where researchers are building ever more secure and robust systems to guard the privacy and confidentiality of information. However, when the definition of security is broadened to encompass both human and technical mechanisms, how security is managed with and through the day-to-day social work practices becomes increasingly important. In this dissertation I focus on how sensitive information is collaboratively managed in socio-technical systems by examining two domains: childcare centers and physicians' offices. In childcare centers, workers manage the enrolled children and also the enrolled child's personal information. In physicians' offices, workers manage the patients' health along with the patients' health information. My dissertation presents results from interviews and observations of these locations. The data collected consists of observation notes, interview transcriptions, pictures, and forms. The researchers identified breakdowns related to security and privacy. Using Activity Theory to first structure, categorize, and analyze the observed breakdowns, I used phenomenological methods to understand the context and experience of security and privacy. The outcomes from this work are three themes, along with corresponding future scenarios. The themes discussed are security embodiment, communities of security, and zones of ambiguity. 
Those themes extend the literature in the areas of usable security, human-computer interaction, and trust. The presentation will use future scenarios to examine the complexity of developing secure systems for the real world. / Ph. D.
12

Security awareness of computer users : a game based learning approach

Gamagedara Arachchilage, Nalin Asanka January 2012
The research reported in this thesis focuses on developing a framework for game design to protect computer users against phishing attacks. A comprehensive literature review was conducted to understand the research domain, support the proposed research work and identify the research gap to fulfil the contribution to knowledge. Two studies and one theoretical design were carried out to achieve the aim of this research reported in this thesis. A quantitative approach was used in the first study while engaging both quantitative and qualitative approaches in the second study. The first study reported in this thesis was focused to investigate the key elements that should be addressed in the game design framework to avoid phishing attacks. The proposed game design framework was aimed to enhance the user avoidance behaviour through motivation to thwart phishing attack. The results of this study revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility elements should be incorporated into the game design framework for computer users to avoid phishing attacks through their motivation. The theoretical design approach was focused on designing a mobile game to educate computer users against phishing attacks. The elements of the framework were addressed in the mobile game design context. The main objective of the proposed mobile game design was to teach users how to identify phishing website addresses (URLs), which is one of many ways of identifying a phishing attack. The mobile game prototype was developed using MIT App Inventor emulator. In the second study, the formulated game design framework was evaluated through the deployed mobile game prototype on an HTC One X touch screen smart phone. Then a discussion is reported in this thesis investigating the effectiveness of the developed mobile game prototype compared to traditional online learning to thwart phishing threats.
Finally, the research reported in this thesis found that the mobile game is somewhat effective in enhancing the user’s phishing awareness. It also revealed that the participants who played the mobile game were better able to identify fraudulent websites compared to the participants who read the website without any training. Therefore, the research reported in this thesis determined that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived threat and perceived susceptibility elements have a significant impact on avoidance behaviour through motivation to thwart phishing attacks as addressed in the game design framework.
13

The Effects Of Coherence Of The Image Used In The Graphical Password Scheme In Terms Of Usability And Security

Arslan Aydin, Ulku 01 September 2012
There is a dilemma between security and usability, which are two fundamentally conflicting issues. From the usability perspective, authentication protocols should be easy to use and passwords generated from these protocols should be easy to remember. From the security perspective, passwords should be hard to guess and should not be written down or stored in plain text. Instead of using text based passwords, graphical passwords have been proposed to increase both memorability and security. Biederman (1972) and Biederman, Glass, & Stacy (1973) reported that the objects in a coherent image were recognized and identified more efficiently and quickly than the objects in a jumbled image in which the jumbled image was created by dividing the coherent image into sections and changing the position of the sections without rotating them. The study was designed to experimentally examine the differences in usability and security of the graphical password scheme by manipulating the coherence of the displayed image. Sixty-three volunteers participated in the main experiment. The participants were divided into groups according to the type of image they were presented in the password creation (either coherent-image or jumbled-image) task. Each participant created a graphical password and three days after the first session (i.e., second session) s/he tried to remember it in order to authenticate to the system. The results revealed that in the proposed graphical password scheme, using a coherent image has more advantages over a jumbled image in terms of usability and security.
14

Relevance pokynů pro použitelnou bezpečnost z pohledu IT profesionála / Relevance of Usable Security Guidelines from IT Professional Point of View

Galanská, Katarína January 2021
Balancing security and usability has always been a challenge. Despite the importance of software security, security guidelines and standards are often too complicated, error-prone, or time-consuming. This imbalance gave rise to the concept of usable security. For years it has been a common research problem. While software should be developed with end-user usability in mind, the security standards and guidelines used by IT professionals often do not receive sufficient attention in terms of usability. Because IT professionals are expected to have a higher level of knowledge, they often face very complex areas when trying to comply with specific security standards or follow specific guidelines. This thesis presents a study of the current awareness in the field of usable security. The thesis consists of a conducted survey and an analysis of existing usable security guidelines, and it proposes an educational tool to address the problems that the research raised. Evaluation of the educational tool showed a positive impact on the awareness of IT professionals.
15

Exploring the meaning of ”usable security” : A literature survey

Lennartsson, Markus January 2020
For decades, literature has reported on the perceived conflict between usability and security. Their mutual trade-off needs to be considered and addressed whenever security products are developed. Achieving well-balanced levels of both is a precondition for sufficient security since users tend to reject unusable solutions. To assess it correctly, usability should be evaluated in the context of security. This paper aims to identify and describe universally applicable and solution-independent factors that affect the perceived usability of security mechanisms. The selected methodology was a systematic literature review during which multiple database resources were queried with different search terms. Application of predefined selection criteria led to the creation of an initial bibliography before backward snowballing was applied to minimize the risk of missing further material of importance. All 70 included publications were then analyzed through thematic analysis. The study resulted in the identification of 14 themes and 30 associated sub-themes representing aspects with reported influence on perceived usability in the context of security. While some of them were only mentioned sparsely, the most prominent and thus presumably most significant ones were: simplicity, information and support, task completion time, error rates, and error management. The identified novel themes can increase knowledge about factors that influence usability. This can be useful for different groups: end-users may be empowered to choose appropriate solutions more consciously, developers may be able to avoid common usability pitfalls when designing new products, and system administrators may benefit from a better understanding of how to configure solutions and how to educate users efficiently.
16

Resolving the Privacy Paradox: Bridging the Behavioral Intention Gap with Risk Communication Theory

Wu, Justin Chun Wah 30 September 2019
The advent of the Internet has led to vastly increased levels of data accessibility to both users and would-be attackers. The privacy paradox is an established phenomenon wherein users express concern about resultant security and privacy threats to their data, but nevertheless fail to enact the host of protective measures that have steadily become available. The precise nature of this phenomenon, however, is not a settled matter. Fortunately, risk communication theory, a discipline devoted to understanding the factors involved in risk-oriented decision-making and founded in years of empirical research in public health and disaster awareness domains, presents an opportunity to seek greater insight into this problem. In this dissertation, we explore the application of principles and techniques from risk communication theory to the question of factors in the grassroots adoption of secure communication technologies. First, we apply a fundamental first-step technique in risk communication—mental modeling—toward understanding users' perceptions of the structure, function, and utility of encryption in day-to-day life. Second, we apply principles of risk communication to system design by redesigning the authentication ceremony and its associated messaging in the Signal secure messaging application. Third, we evaluate the applicability of a core decision-making theory—protection motivation theory—toward the problem of secure email adoption, and then use this framework to describe the relative impact of various factors on secure email adoption. Finally, we evaluate perceptions of risk and response with respect to the adoption of secure email features in email scenarios of varying sensitivity levels. Our work identifies positive outcomes with respect to the impact that risk messaging has on feature adoption, and mixed results with respect to comprehension. 
We highlight obstacles to users' mental interactions with encryption, but offer recommendations for progress in the adoption of encryption. We further demonstrate that protection motivation theory, a core behavioral theory underlying many risk communication approaches, has the ability to explain the factors involved in users' decisions to adopt or not adopt in a way that can at least partially explain the privacy paradox phenomenon. In general, we find that the application of even basic principles and techniques from risk communication theory do indeed produce favorable research outcomes when applied to this domain.
17

Managing Two-Factor Authentication Setup Through Password Managers

Dutson, Jonathan William 09 April 2020
Two-factor authentication (2FA) provides online accounts with protection against remote account compromise. Despite the security benefits, adoption of 2FA has remained low, in part due to poor usability. We explore the possibility of improving the usability of the 2FA setup process by providing setup automation through password managers. We create a proof-of-concept KeePass (a popular password manager) extension that adds browser-based automation to the 2FA setup process and conduct a 30-participant within-subjects user study to measure user perceptions about the system. Our system is found to be significantly more usable than the current manual method of 2FA setup for multiple online accounts, with our system receiving an average SUS score of ‘A’ while the manual setup method received an average score of ‘D’. We conduct a meta-analysis of some of the most common methods of 2FA used by websites today and propose a web API that could increase the speed, ease, and scalability of 2FA setup automation. Our threat analysis suggests that using password managers for 2FA automation can be implemented without introducing significant security risks to the process. The promising results from our user study and analysis indicate that password managers have strong potential for improving the usability of 2FA setup.
18

“If I could do this, I feel anyone could:” The Design and Evaluation of a Two-Factor Authentication Manager

Smith, Garrett D. 13 April 2022
Two-factor authentication (2FA) is a strong defense against account compromise. However, usability studies reveal challenges with 2FA setup. The process to manually set up and remove 2FA methods differs across websites. We present a system design for a 2FA manager to automatically set up and remove 2FA methods. Potential benefits are reduced time, fewer mistakes, consistent terminology, a single workflow for users to learn, and the ability to rapidly transition to a new 2FA method—e.g., when replacing a lost 2FA method. We create two proof-of-concept implementations of our design, one as a browser extension and one integrated as a feature in an existing password manager. We evaluated the browser extension implementation approach using a between-subjects user study (N=60). Our results show fewer mistakes and reduced time compared to manually adding and removing 2FA methods. Qualitative results show that users found the automated process easy to use and were enthusiastic about the 2FA manager's ability to help them rapidly replace 2FA methods in the case they lost their 2FA device.
19

Conservation of Limited Resources: Design Principles for Security and Usability on Mobile Devices

Horcher, Ann-Marie 01 January 2018
Mobile devices have evolved from an accessory to the primary computing device for an increasing portion of the general population. Not only is mobile the primary device, consumers on average have multiple Internet-connected devices. The trend towards mobile has resulted in a shift to “mobile-first” strategies for delivering information and services in business organizations, universities, and government agencies. Though principles for good security design exist, those principles were formulated based upon the traditional workstation configuration instead of the mobile platform. Security design needs to follow the shift to a “mobile-first” emphasis to ensure the usability of the security interface. The mobile platform has constraints on resources that can adversely impact the usability of security. This research sought to identify design principles for usable security for mobile devices that address the constraints of the mobile platform. Security and usability have been seen as mutually exclusive. To accurately identify design principles, the relationship between principles for good security design and usability design must be understood. The constraints for the mobile environment must also be identified, and then evaluated for their impact on the interaction of a consumer with a security interface. To understand how the application of the proposed mobile security design principles is perceived by users, an artifact was built to instantiate the principles. Through a series of guided interactions, the importance of proposed design principles was measured in a simulation, in human-computer interaction, and in user perception. The measures showed a resounding difference between the usability of the same security design delivered on mobile vs. workstation platform. It also reveals that acknowledging the constraints of an environment and compensating for the constraints yields mobile security that is both usable and secure. 
Finally, the hidden cost of security design choices that distract the user from the surrounding environment were examined from both the security perspective and public safety perspective.
20

Search Rank Fraud Prevention in Online Systems

Rahman, Md Mizanur 31 October 2018
The survival of products in online services such as Google Play, Yelp, Facebook and Amazon, is contingent on their search rank. This, along with the social impact of such services, has also turned them into a lucrative medium for fraudulently influencing public opinion. Motivated by the need to aggressively promote products, communities that specialize in social network fraud (e.g., fake opinions and reviews, likes, followers, app installs) have emerged, to create a black market for fraudulent search optimization. Fraudulent product developers exploit these communities to hire teams of workers willing and able to commit fraud collectively, emulating realistic, spontaneous activities from unrelated people. We call this behavior “search rank fraud”. In this dissertation, we argue that fraud needs to be proactively discouraged and prevented, instead of only reactively detected and filtered. We introduce two novel approaches to discourage search rank fraud in online systems. First, we detect fraud in real-time, when it is posted, and impose resource consuming penalties on the devices that post activities. We introduce and leverage several novel concepts that include (i) stateless, verifiable computational puzzles that impose minimal performance overhead, but enable the efficient verification of their authenticity, (ii) a real-time, graph based solution to assign fraud scores to user activities, and (iii) mechanisms to dynamically adjust puzzle difficulty levels based on fraud scores and the computational capabilities of devices. In a second approach, we introduce the problem of fraud de-anonymization: reveal the crowdsourcing site accounts of the people who post large amounts of fraud, thus their bank accounts, and provide compelling evidence of fraud to the users of products that they promote. We investigate the ability of our solutions to ensure that fraud does not pay off.
