User-Centered Security Applied on Management

Bäckström, Johannes

January 2007

<p>The purpose of this study has been to research how to implement a graphical interface for presenting information security information to management. The major conclusion of the study is that management use this kind of information mainly for financial and strategic matters. Hence the information must be presented in a way that enhances this use of the information.</p><p>The study also concludes that people act insecure mainly due to:</p><p>a) Insufficient knowledge of how/why to act secure.</p><p>b) The users do not want to act secure due to social and organisational factors.</p><p>To fight the first factor, the management need a tool that helps them to see where to spend their resources. To fight the second factor, the organisation needs to be well educated and the company culture should allow the users to act secure.</p><p>Three heuristics for the design of information security solutions for management and a design solution for the interface are also presented in the study. The three heuristics are:</p><p>1. Provide overview information very early in the program. The ordinary manager does not have the time or the knowledge to make this overview by himself/herself.</p><p>2. Do not overwhelm the user. The ordinary management man/woman is not interested in the details of the information security and/or do not have time to read this sort of information. If he or she wants to access the details, he or she is likely to find them (if they are placed in a logical place).</p><p>3. Provide information in a way that is common to the manager. Use wordings that the user understands. Provide contextual help for expressions that must be presented in a technical way.</p>

Cognitive science

Kognitionsforskning

User-Centered Security Applied on Management

Bäckström, Johannes

January 2007

The purpose of this study has been to research how to implement a graphical interface for presenting information security information to management. The major conclusion of the study is that management use this kind of information mainly for financial and strategic matters. Hence the information must be presented in a way that enhances this use of the information. The study also concludes that people act insecure mainly due to: a) Insufficient knowledge of how/why to act secure. b) The users do not want to act secure due to social and organisational factors. To fight the first factor, the management need a tool that helps them to see where to spend their resources. To fight the second factor, the organisation needs to be well educated and the company culture should allow the users to act secure. Three heuristics for the design of information security solutions for management and a design solution for the interface are also presented in the study. The three heuristics are: 1. Provide overview information very early in the program. The ordinary manager does not have the time or the knowledge to make this overview by himself/herself. 2. Do not overwhelm the user. The ordinary management man/woman is not interested in the details of the information security and/or do not have time to read this sort of information. If he or she wants to access the details, he or she is likely to find them (if they are placed in a logical place). 3. Provide information in a way that is common to the manager. Use wordings that the user understands. Provide contextual help for expressions that must be presented in a technical way.

Cognitive science

Kognitionsforskning

Panic buttons, shrugged shoulders and drowning email inboxes : Stories of account takeovers and trust / Panikknappar, ryck på axlarna och drunknande emailinkorgar : Berättelser om kontoövertagandeincidenter och förtroende

Berglöf, Amalia

January 2022

Users face many risks while being online, including ones posed by their own actions, such as keeping the same passwords on multiple services. This makes them potential victims of account takeovers, in which a hacker uses stolen credentials to acquire and use accounts for their own benefit. However, few papers have researched how users experience these incidents, and how this affects their trust in the service. To fill this research gap, 4 users that were part of the same account takeover incident were interviewed. Storytelling was used to present and analyse the interviews. One participant experienced the takeover as it happened, while the other three learned about it after it was mitigated. The results show that the role the user took, and how they valued the platform, affected their trust. This paper contributes to research by giving in-depth insights into account takeovers, and what challenges and opportunities the systems face. / Användare står inför många risker när de är online, inklusive de som orsakas av deras egna handlingar, som att behålla samma lösenord på flera tjänster. Detta gör dem till potentiella offer för kontoövertaganden, där en hackare använder stulna inloggningsuppgifter för att ta kontroll över och använda konton till sin egen fördel. Men få studier har undersökt hur användare upplever dessa incidenter och hur detta påverkar deras förtroende för tjänsten. För att bidra med kunskap inom detta område intervjuades 4 användare som ingick i samma incident med kontoövertagelser. Storytelling användes för att presentera och analysera intervjuerna. En deltagare upplevde övertagandet medan det hände, medan de andra tre f ick veta om det efter att det hanterats. Resultaten visar att den roll användaren tog, och hur de värderade plattformen, påverkade deras förtroende. Denna artikel bidrar till forskningen genom att ge ingående insikter om övertaganden och vilka utmaningar och möjligheter systemen står inför.

trust

account takeover

online services

user-centered security

förtroende

kontoövertagelse

onlinetjänster

användar-centrerad säkerhet

Computer and Information Sciences

Data- och informationsvetenskap