The Effects Of Coherence Of The Image Used In The Graphical Password Scheme In Terms Of Usability And Security

Arslan Aydin, Ulku

01 September 2012

There is a dilemma between security and usability, which are two fundamentally conflicting issues. From the usability perspective, authentication protocols should be easy to use and passwords generated from these protocols should be easy to remember. From the security perspective, passwords should be hard to guess and should not be written down or stored in a plain text. Instead of using text based passwords, graphical passwords have been proposed to increase both memorability and security. Biederman (1972) and Biederman, Glass, &amp / Stacy (1973) reported that the objects in a coherent image were recognized and identified more efficiently and quickly than the objects in a jumbled image in which the jumbled image was created by dividing the coherent image into sections and changing the position of the sections without rotating them. The study was designed to experimentally examine the differences in usability and security of the graphical password scheme by manipulating the coherence of the displayed image. Sixty-three volunteers participated in the main experiment. The participants were divided into groups according to the type of image they were presented in the password creation (either coherent-image or jumbled-image) task. Each participant created a graphical password and three days after the first session (i.e., second session) s/he tried to remember it in order to authenticate to the system. The results revealed that in the proposed graphical password scheme, using coherent image has more advantages over jumbled image in terms of usability and security.

QA Computer Software 76.75-76.765

Usable Security

Graphical Password

Scene Memory

Static Dependency Pair Method for Simply-Typed Term Rewriting and Related Technique

SAKAI, Masahiko, KUSAKARI, Keiichirou

01 February 2009

No description available.

usable rule

argument filtering

static dependency pair method

termination

simply-typed term rewriting

Countering knowledge risk in information system development project

Chiu, Chih-Yuan

16 February 2012

Information system development (ISD) has long been treated as the process that system developers craft an artifact to support business operation based on their special expertise. However, a significant portion of projects still have failed because the developed outcome cannot fit users¡¦ needs or meet predefined project schedule. Given that ISD is a knowledge intensive process, a lack of sufficient knowledge has been identified as one critical risk which may harms the effectiveness of planning and control. By viewing ISD projects as a series of problem solving process in which ISD team members generate usable knowledge, based on available potential knowledge, to counter problem, this study aims at understanding how managers can adopt approaches to increase the availability of potential knowledge and build a team which can effectively transform available knowledge into usable form. Through incorporating those concepts into research design, this study proposed a model to examine the impacts of those proposed approaches. An empirical survey methodology was adopted to collect required data. PLS was then used to test the proposed research model. The results showed that problem solving competence can benefit project performance, and the organization practices, including member selection, training, knowledge management system and external resources, reduce the insufficient potential knowledge, and indicate the important moderating role of the knowledge transfer facilitators. The implications toward academic and practitioner are also provided.

knowledge risk

problem solving competence

usable knowledge

project performance

potential knowledge

Radio frequency optimization of a Global System for Mobile (GSM) network

Sharma, Bishal.

January 2008

Thesis PlanB (M.S.)--University of Wisconsin--Stout, 2008. / Includes bibliographical references.

Social Cybersecurity: Reshaping Security Through An Empirical Understanding of Human Social Behavior

Das, Sauvik

01 May 2017

Despite substantial effort made by the usable security community at facilitating the use of recommended security systems and behaviors, much security advice is ignored and many security systems are underutilized. I argue that this disconnect can partially be explained by the fact that security behaviors have myriad unaccounted for social consequences. For example, by using two-factor authentication, one might be perceived as “paranoid”. By encrypting an e-mail correspondence, one might be perceived as having something to hide. Yet, to date, little theoretical work in usable security has applied theory from social psychology to understand how these social consequences affect people’s security behaviors. Likewise, little systems work in usable security has taken social factors into consideration. To bridge these gaps in literature and practice, I begin to build a theory of social cybersecurity and apply those theoretical insights to create systems that encourage better cybersecurity behaviors. First, through a series of interviews, surveys and a large-scale analysis of how security tools diffuse through the social networks of 1.5 million Facebook users, I empirically model how social influences affect the adoption of security behaviors and systems. In so doing, I provide some of the first direct evidence that security behaviors are strongly driven by social influence, and that the design of a security system strongly influences its potential for social spread. Specifically, security systems that are more observable, inclusive, and stewarded are positively affected by social influence, while those that are not are negatively affected by social influence. Based on these empirical results, I put forth two prescriptions: (i) creating socially grounded interface “nudges” that encourage better cybersecurity behaviors, and (ii) designing new, more socially intelligent end-user facing security systems. As an example of a social “nudge”, I designed a notification that informs Facebook users that their friends use optional security systems to protect their own accounts. In an experimental evaluation with 50,000 Facebook users, I found that this social notification was significantly more effective than a non-social control notification at attracting clicks to improve account security and in motivating the adoption of promoted, optional security tools. As an example of a socially intelligent cybersecurity system, I designed Thumprint: an inclusive authentication system that authenticates and identifies individual group members of a small, local group through a single, shared secret knock. Through my evaluations, I found that Thumprint is resilient to casual but motivated adversaries and that it can reliably differentiate multiple group members who share the same secret knock. Taken together, these systems point towards a future of socially intelligent cybersecurity that encourages better security behaviors. I conclude with a set of descriptive and prescriptive takeaways, as well as a set of open problems for future work. Concretely, this thesis provides the following contributions: (i) an initial theory of social cybersecurity, developed from both observational and experimental work, that explains how social influences affect security behaviors; (ii) a set of design recommendations for creating socially intelligent security systems that encourage better cybersecurity behaviors; (iii) the design, implementation and comprehensive evaluation of two such systems that leverage these design recommendations; and (iv) a reflection on how the insights uncovered in this work can be utilized alongside broader design considerations in HCI, security and design to create an infrastructure of useful, usable and socially intelligent cybersecurity systems.

Cybersecurity

Usable Privacy and Security

Social Psychology

HCI

Data Science

Ubiquitous Computing

Relevance pokynů pro použitelnou bezpečnost z pohledu IT profesionála / Relevance of Usable Security Guidelines from IT Professional Point of View

Galanská, Katarína

January 2021

Vyvážení bezpečnosti a použitelnosti bylo vždy výzvou. Navzdory důležitosti zabezpečení softwaru jsou bezpečnostní pokyny a standardy často příliš komplikované, náchylné k chybám nebo časově náročné. Tato nerovnováha iniciovala vznik pojmu použitelné bezpečnosti. Po celá léta to byl běžný výzkumný problém. Zatímco softvér by měl být vyvíjen s ohledem na použitelnost koncových uživatelů, bezpečnostním standardům a směrnicím, které používají IT profesionálové, není z hlediska použitelnosti často věnována dostatečná pozornost. Vzhledem k tomu, že se od odborníků v oblasti IT očekává vyšší úroveň znalostí, často čelí velmi složitým oblastem, když se snaží vyhovět konkrétním bezpečnostním standardům nebo dodržovat konkrétní pokyny. Tato práce představuje studium současného povědomí v oblasti použitelné bezpečnosti. Práce sestává z provedeného průzkumu, analýzy stávajících použitelných bezpečnostních pokynů a navrhuje vzdělávací pomůcku k řešení problémů, které výzkum přinesl. Hodnocení vzdělávací pomůcky ukázalo pozitivní dopad na povědomí IT odborníků.

Exploring the meaning of ”usable security” : A literature survey

Lennartsson, Markus

January 2020

For decades, literature has reported on the perceived conflict between usability and security. Their mutual trade-off needs to be considered and addressed whenever security products are developed. Achieving well-balanced levels of both is a precondition for sufficient security since users tend to reject unusable solutions. To assess it correctly, usability should be evaluated in the context of security. This paper aims to identify and describe universally applicable and solution-independent factors that affect the perceived usability of security mechanisms. The selected methodology was a systematic literature review during which multiple database resources were queried with different search terms. Application of predefined selection criteria led to the creation of an initial bibliography before backward snowballing was applied to minimize the risk of missing further material of importance. All 70 included publications were then analyzed through thematic analysis. The study resulted in the identification of 14 themes and 30 associated sub-themes representing aspects with reported influence on perceived usability in the context of security. While some of them were only mentioned sparsely, the most prominent and thus presumably most significant ones were: simplicity, information and support, task completion time, error rates, and error management. The identified novel themes can increase knowledge about factors that influence usability. This can be useful for different groups: end-users may be empowered to choose appropriate solutions more consciously, developers may be able to avoid common usability pitfalls when designing new products, and system administrators may benefit from a better understanding of how to configure solutions and how to educate users efficiently.

Usability

Security

Usable security

Information Systems, Social aspects

Resolving the Privacy Paradox: Bridging the Behavioral Intention Gap with Risk Communication Theory

Wu, Justin Chun Wah

30 September 2019

The advent of the Internet has led to vastly increased levels of data accessibility to both users and would-be attackers. The privacy paradox is an established phenomenon wherein users express concern about resultant security and privacy threats to their data, but nevertheless fail to enact the host of protective measures that have steadily become available. The precise nature of this phenomenon, however, is not a settled matter. Fortunately, risk communication theory, a discipline devoted to understanding the factors involved in risk-oriented decision-making and founded in years of empirical research in public health and disaster awareness domains, presents an opportunity to seek greater insight into this problem. In this dissertation, we explore the application of principles and techniques from risk communication theory to the question of factors in the grassroots adoption of secure communication technologies. First, we apply a fundamental first-step technique in risk communication—mental modeling—toward understanding users' perceptions of the structure, function, and utility of encryption in day-to-day life. Second, we apply principles of risk communication to system design by redesigning the authentication ceremony and its associated messaging in the Signal secure messaging application. Third, we evaluate the applicability of a core decision-making theory—protection motivation theory—toward the problem of secure email adoption, and then use this framework to describe the relative impact of various factors on secure email adoption. Finally, we evaluate perceptions of risk and response with respect to the adoption of secure email features in email scenarios of varying sensitivity levels. Our work identifies positive outcomes with respect to the impact that risk messaging has on feature adoption, and mixed results with respect to comprehension. We highlight obstacles to users' mental interactions with encryption, but offer recommendations for progress in the adoption of encryption. We further demonstrate that protection motivation theory, a core behavioral theory underlying many risk communication approaches, has the ability to explain the factors involved in users' decisions to adopt or not adopt in a way that can at least partially explain the privacy paradox phenomenon. In general, we find that the application of even basic principles and techniques from risk communication theory do indeed produce favorable research outcomes when applied to this domain.

privacy paradox

risk communication

online privacy

usable security

Physical Sciences and Mathematics

Managing Two-Factor Authentication Setup Through Password Managers

Dutson, Jonathan William

09 April 2020

Two-factor authentication (2FA) provides online accounts with protection against remote account compromise. Despite the security benefits, adoption of 2FA has remained low, in part due to poor usability. We explore the possibility of improving the usability of the 2FA setup process by providing setup automation through password managers. We create a proof-of-concept KeePass (a popular password manager) extension that adds browser-based automation to the 2FA setup process and conduct a 30-participant within-subjects user study to measure user perceptions about the system. Our system is found to be significantly more usable than the current manual method of 2FA setup for multiple online accounts, with our system receiving an average SUS score of ‘A’ while the manual setup method received an average score of ‘D’. We conduct a meta-analysis of some of the most common methods of 2FA used by websites today and propose a web API that could increase the speed, ease, and scalability of 2FA setup automation. Our threat analysis suggests that using password managers for 2FA automation can be implemented without introducing significant security risks to the process. The promising results from our user study and analysis indicate that password managers have strong potential for improving the usability of 2FA setup.

security

usable security

two-factor authentication

2FA

password managers

automation

usability

Physical Sciences and Mathematics

“If I could do this, I feel anyone could:” The Design and Evaluation of a Two-Factor Authentication Manager

Smith, Garrett D.

13 April 2022

Two-factor authentication (2FA) is a strong defense against account compromise. However, usability studies reveal challenges with 2FA setup. The process to manually setup and remove 2FA methods differs across websites. We present a system design for a 2FA manager to automatically setup and remove 2FA methods. Potential benefits are reduced time, fewer mistakes, consistent terminology, a single workflow for users to learn, and the ability to rapidly transition to a new 2FA method—e.g., when replacing a lost 2FA method. We create two proof-of-concept implementations of our design, one as a browser extension and one integrated as a feature in an existing password manager. We evaluated the browser extension implementation approach using a between-subjects user study (N=60). Our results show fewer mistakes and reduced time compared to manually adding and removing 2FA methods. Qualitative results show that users found the automated process easy to use and were enthusiastic about the 2FA manager's ability to help them rapidly replace 2FA methods in the case they lost their 2FA device.

Usable Security

Two-Factor Authentication

automation

user study

Physical Sciences and Mathematics