Emerging Trends: Usable Security
Download
Report
Transcript Emerging Trends: Usable Security
Understanding the
Human in the Loop
January 16, 2008
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
1
Humans
“Humans are incapable of securely storing highquality cryptographic keys, and they have
unacceptable speed and accuracy when
performing cryptographic operations. (They are
also large, expensive to maintain, difficult to
manage, and they pollute the environment. It is
astonishing that these devices continue to be
manufactured and deployed. But they are
sufficiently pervasive that we must design our
protocols around their limitations.)”
-- C. Kaufman, R. Perlman, and M. Speciner.
Network Security: PRIVATE Communication in a PUBLIC World.
2nd edition. Prentice Hall, page 237, 2002.
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
2
Humans are weakest link
Most security breaches attributed to
“human error”
Social engineering attacks proliferate
Frequent security policy compliance
failures
Automated systems are generally more
predictable and accurate than humans
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
3
Why are humans in the loop at all?
Don’t know how or too expensive to
automate
Human judgments or policy decisions
needed
Need to authenticate humans
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
4
The human threat
Malicious humans who will attack system
Humans who don’t know when or how to
perform security-critical tasks
Humans who are unmotivated to perform
security-critical tasks properly or comply
with policies
Humans who are incapable of making
sound security decisions
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
5
Need to better understand humans
Do they know they are supposed to be
doing something?
Do they understand what they are
supposed to do?
Do they know how to do it?
Are they motivated to do it?
Are they capable of doing it?
Will they actually do it?
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
6
Proposed framework
Cranor interactions article: What do they
"indicate?": evaluating security and privacy
indicators
The Handbook of Warnings, edited by Michael S.
Wogalter
• Wogalter’s Communication-Human Information
Processing (C-HIP) Model
QuickTime™ and a
Applied C-HIP to security indicators evaluation from
TIFF (Uncompressed) decompressor
are needed to see this picture.
interactions article
Expanded it to model other types of human
interaction with secure systems
Developed “Human in the loop security framework”
and “Human threat identification and mitigation
process” - paper under review
Need validation and more work on mitigation and
how to operationalize process
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
7
C-HIP Model
CommunicationHuman Information
Processing (C-HIP)
Model
• Wogalter, M. 2006.
CommunicationHuman Information
Processing (C-HIP)
Model. In Wogalter, M.,
ed., Handbook of
Warnings. Lawrence
Erlbaum Associates,
Mahwah, NJ, 51-61.
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
8
Human in the loop security framework
Communication
Impediments
Environmental
Stimuli
Knowledge
and
Experience
Communication
Interference
Intentions
Attitudes
and Beliefs
Motivation
Capabilities
Communication
Processing
Demographics
and Personal
Characteristics
Application
Personal
Variables
Communication
Delivery
Human Receiver
Attention Switch
Attention
Maintenance
Comprehension
Behavior
Knowledge
Acquisition
Knowledge
Retention
Knowledge
Transfer
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
9
Communication processing model
Framework is based on communication
processing model
• Many models in the literature
• Used to model all sorts of different types of
communications: individual, group, media, etc.
Most end-user security actions are
triggered by some form of communication
• Pop-up alert, email, manual, etc.
Expert self-discovery of a security process
can be modeled as communication to
oneself
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
10
Communication
Communication
Impediments
Environmental
Stimuli
Knowledge
and
Experience
Communication
Interference
Intentions
Attitudes
and Beliefs
Motivation
Capabilities
Communication
Processing
Demographics
and Personal
Characteristics
Application
Personal
Variables
Communication
Delivery
Human Receiver
Attention Switch
Attention
Maintenance
Comprehension
Behavior
Knowledge
Acquisition
Knowledge
Retention
Knowledge
Transfer
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
11
Types of security communications
Warnings
• Alert users to take immediate action to avoid hazard
Notices
• Inform users about characteristics of entity or object
Status indicators
• Inform users about system status information
Training
• Teach users about threat and how to respond
Policy
• Inform users about policies
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
12
Active versus passive communications
Active
Firefox
Anti-Phishing
Warning
Passive
Indicators
with audio
alerts
Bluetooth
indicator in
Mac menu bar
Indicators
with
animation
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
13
Communication impediments
Communication
Impediments
Environmental
Stimuli
Knowledge
and
Experience
Communication
Interference
Intentions
Attitudes
and Beliefs
Motivation
Capabilities
Communication
Processing
Demographics
and Personal
Characteristics
Application
Personal
Variables
Communication
Delivery
Human Receiver
Attention Switch
Attention
Maintenance
Comprehension
Behavior
Knowledge
Acquisition
Knowledge
Retention
Knowledge
Transfer
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
14
Environmental stimuli
Divert user’s attention
Greatest impact on passive communication
Examples
• Other communications
• Ambient light and noise
• User’s primary task
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
15
Interference
Anything that may prevent a communication from
being received as the sender intended
Caused by
• Malicious attackers
• Technology failures
• Environmental stimuli that obscure the communication
Focus of traditional secure systems analysis
• How can attacker interfere with communications?
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
16
Human receiver
“The human in the loop”
Communication
Impediments
Environmental
Stimuli
Knowledge
and
Experience
Communication
Interference
Intentions
Attitudes
and Beliefs
Motivation
Capabilities
Communication
Processing
Demographics
and Personal
Characteristics
Application
Personal
Variables
Communication
Delivery
Human Receiver
Attention Switch
Attention
Maintenance
Comprehension
Behavior
Knowledge
Acquisition
Knowledge
Retention
Knowledge
Transfer
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
17
Communication delivery
Attention switch
• Noticing communication
Attention maintenance
• Paying attention long enough to process
communication
Breakdowns
• Environmental stimuli, interference
• Characteristics of communication
• Habituation
Tendency for the impact of stimuli to decrease over time
Just because the communication appeared on
the user’s screen, doesn’t mean the user actually
saw it
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
18
Communication processing
Comprehension
• Ability to understand communication
Knowledge acquisition
• User’s ability to learn what to do in response
Breakdowns
• Unfamiliar symbols, vocabulary, complex
sentences, conceptual complexity
Even if a user understands the
communication, they still may not know
what they are supposed to do
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
19
Application
Knowledge retention
• Ability to remember communication
Knowledge transfer
• Ability to recognize situations where the
communication is applicable and figure out
how to apply it
Some security communications are always
applied immediately (for example, pop-up
warnings) so retention and transfer may
not be necessary
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
20
Personal variables
Demographics and personal characteristics
• Age, gender, culture, education, occupation,
disabilities
Knowledge and experience
• Education, occupation, prior experience
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
21
Intentions
Attitudes and beliefs
• Beliefs about communication accuracy
• Beliefs about whether they should pay attention
• Self-efficacy - whether they believe they can complete
actions effectively
• Response-efficacy - whether they believe the actions
they take will be effective
• How long it will take
• General attitudes - trust, annoyance, etc.
Motivation
• Incentives, disincentives
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
22
Capabilities
User’s level of ability
• Cognitive or physical skills
• Availability of necessary software or devices
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
23
Behavior
Communication
Impediments
Environmental
Stimuli
Knowledge
and
Experience
Communication
Interference
Intentions
Attitudes
and Beliefs
Motivation
Capabilities
Communication
Processing
Demographics
and Personal
Characteristics
Application
Personal
Variables
Communication
Delivery
Human Receiver
Attention Switch
Attention
Maintenance
Comprehension
Behavior
Knowledge
Acquisition
Knowledge
Retention
Knowledge
Transfer
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
24
Behavior
Users may complete recommended action,
but do so in a way that follows a predictable
pattern that can be exploited by attackers
• Example: password choice
Users may intend to comply, but may fail to
complete necessary action
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
25
Gulfs
Don Norman. The Design of Every Day
Things.1988.
Gulf of Execution
• Gap between a person’s intentions to carry out an
action and the mechanisms provided by a system to
facilitate that action
“I can’t figure out how to make it do what I want it to do”
Gulf of Evaluation
• When a user completes an action but is unable to
interpret the results to determine whether it was
successful
“I can’t figure out whether it worked”
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
26
Generic Error-Modeling System
James Reason. Human Error. 1990.
Mistakes
• When people formulate action plans that will
not achieve the desired goal
Lapses
• When people formulate suitable action plans,
but forget to perform a planned action (for
example, skipping a step)
Slips
• When people perform actions incorrectly (for
example, press the wrong button)
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
27
Human threat identification and
mitigation process
Task
Identification
Task
Automation
Failure
Identification
Failure
Mitigation
Human-in-the-loop
Framework
User Studies
User Studies
Task identification
• Identify all points where the system relies on humans to perform securitycritical functions
Task automation
• Find ways to partially or fully automate some of these tasks
Failure identification
• Identify potential failure modes for remaining tasks
Failure mitigation
• Find ways to prevent these failures
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
28
Why don’t users follow password
policies?
Typical password policy
Pick a hard to guess password
Don’t use it anywhere else
Change it often
Don’t write it down
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
30
Typical password practice
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
31
Why don’t users follow password policies?
Task
Identification
Task
Automation
Failure
Identification
Failure
Mitigation
Human-in-the-loop
Framework
User Studies
User Studies
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
32
Why don’t users follow password policies?
Communication
Impediments
Environmental
Stimuli
Knowledge
and
Experience
Communication
Interference
Intentions
Attitudes
and Beliefs
Motivation
Capabilities
Communication
Processing
Demographics
and Personal
Characteristics
Application
Personal
Variables
Communication
Delivery
Human Receiver
Attention Switch
Attention
Maintenance
Comprehension
Behavior
Knowledge
Acquisition
Knowledge
Retention
Knowledge
Transfer
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
33
Why don’t user’s heed browser
security warnings?
Do users notice them?
“What lock icon?”
• Few users notice lock icon in browser chrome,
https, etc.
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
35
Do users know what they mean?
Web browser lock icon:
• “I think that it means secured, it symbolizes
some kind of security, somehow.”
Web browser security pop-up:
• “Yeah, like the certificate has expired. I don’t
actually know what that means.”
J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to
Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and
Security, 12-14 July 2006, Pittsburgh, PA.
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
36
Do they do what they advise?
“I would probably experience some brief,
vague sense of unease and close the box
and go about my business.”
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
37
Why don’t users heed browser security warnings?
Task
Identification
Task
Automation
Failure
Identification
Failure
Mitigation
Human-in-the-loop
Framework
User Studies
User Studies
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
38
Why don’t users heed browser security warnings?
Communication
Impediments
Environmental
Stimuli
Knowledge
and
Experience
Communication
Interference
Intentions
Attitudes
and Beliefs
Motivation
Capabilities
Communication
Processing
Demographics
and Personal
Characteristics
Application
Personal
Variables
Communication
Delivery
Human Receiver
Attention Switch
Attention
Maintenance
Comprehension
Behavior
Knowledge
Acquisition
Knowledge
Retention
Knowledge
Transfer
Usable Privacy and Security • Carnegie Mellon University • Spring 2008 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/ups.html/
39