Page 1: Topic Application DCIS 0730 – 12/03/04 Fernando Doylet doylet@nova.edu Network Computer Users’ Single Question Survey Tool Application Report Problem Identification.

Topic Application
DCIS 0730 – 12/03/04
Fernando Doylet, doylet@nova.edu

Network Computer Users’ Single Question Survey Tool

Application Report

Problem Identification: Who is reading? Mental attitudes & web security; Types of attacks or misuse detected

Possible Causes: User agreements - unintended consequences; Overconfidence – on existing technologies; New technologies – may be overwhelming

Understanding the User: Personality types & perceptual filters; Balancing behavior – chances vs. fears; Unintended consequences – internal attacks

Reality Check: Unilateral solutions vs. shared solutions; Single Question Survey Tool; Flowcharts – Question.java & Answer.java

Reality Check | Understanding the User | Possible Causes | Problem Identification

Page 2

Who is Reading? Mental attitudes & web security

Highest-ranking executives are those least likely to comply with security rules because they "don’t have time" to bother with procedures that "get in the way of more important things"

[Weirich & Sasse, 2002]

Page 3

Who is Reading? Mental attitudes & web security

“The human factor is often described as the weakest part of a security system and users are often described as the weakest link in the security chain.”

[Patrick et al., 2003]

Page 4

Types of Attacks or Misuse Detected

(Survey chart not extracted) [Gordon et al., 2004]

Target: reduce misuse

Page 5

User Agreements may hide unintended consequences

eBay User Agreement and Privacy Policy on 12/01/04:

Scrolling version: 52733 characters, 8426 words, 230 lines

Printer-friendly version: 53381 characters, 8481 words, 246 lines

Page 6

Overconfidence on existing technologies

Secure Sockets Layer (SSL) vulnerabilities

To guarantee a comfortable level of security, people should be checking that the certificate is:

1) signed by a known Certificate Authority (CA),

2) current, and

3) bound or connecting to the intended entity.

[Viega & Messier, 2004]
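The three certificate checks listed on this slide, worked through as an added Python example (not code from the slides or from the survey tool). The sample certificate is a constructed dict in the shape that Python's ssl.SSLSocket.getpeercert() returns, and the trusted-CA name set is an assumption standing in for a real trust store; the "known CA" check is reduced to an issuer-name lookup because real chain building belongs to the TLS library, which is what the strict context at the end delegates to.

```python
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns
# for a verified peer; every value here is made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Root CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2036 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.pay.example.com")),
}

# Assumed trust anchors, by issuer common name. A real client verifies the
# whole chain against a CA bundle; this set only illustrates check 1.
TRUSTED_CA_NAMES = {"Example Root CA"}


def _rdn_value(name_seq, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def issued_by_known_ca(cert, trusted=TRUSTED_CA_NAMES):
    """Check 1: the issuer is a CA we recognise (simplified to a name lookup)."""
    return _rdn_value(cert.get("issuer", ()), "commonName") in trusted


def is_current(cert, now=None):
    """Check 2: notBefore <= now <= notAfter, parsed with ssl's own date helper."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def _label_match(pattern, hostname):
    # A single '*' may only stand for the leftmost label (RFC 6125 style);
    # it never matches more than one label and never an empty label.
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return pattern == hostname


def bound_to_entity(cert, hostname):
    """Check 3: the name we meant to reach is in the SAN list (CN only as fallback)."""
    hostname = hostname.lower()
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_label_match(p, hostname) for p in sans)
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    return cn is not None and _label_match(cn.lower(), hostname)


def certificate_acceptable(cert, hostname, now=None):
    """All three checks must pass; returns (ok, names_of_failed_checks)."""
    failed = []
    if not issued_by_known_ca(cert):
        failed.append("unknown CA")
    if not is_current(cert, now):
        failed.append("expired or not yet valid")
    if not bound_to_entity(cert, hostname):
        failed.append("hostname mismatch")
    return (not failed, failed)


def default_client_context():
    """The stdlib performs all three checks when configured like this. Setting
    check_hostname=False or verify_mode=CERT_NONE is the overconfident
    configuration: the handshake still succeeds, but none of the checks run."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """True when a context enforces both hostname binding and chain verification."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
```

The hand-written checks exist to make the slide's three conditions concrete; in production code the point is the last two functions: leave the default context's verification on and treat any client that disables it as a finding, because a disabled check fails silently rather than loudly.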

Page 7

(Figure-only slide; no text extracted.)

Page 8

Computer Users’ personality types

(Diagram: four quadrants – Individualist, Hierarchist, Egalitarian, Fatalist)

Hierarchists: risk management is the responsibility of authority;

Individualists: leave decisions to individuals and the market;

Egalitarians: consensus risk management, require trust and transparency;

Fatalists: subject to destiny and luck.

[Adams, 2004]

Page 9

Balancing Behavior: Chances vs. Fears

(Diagram: PC user at home vs. PC user at work) [Adams, 2004]

Page 10

Unintended Consequences allow internal attacks

[Cunvin, 2004]

Need to maintain computer users’ awareness (in non-intrusive ways)

Page 11

Unilateral Solutions

User Profiles: experts, advanced, skilled, unskilled

Assumptions: additional options for power users

Shared Solutions

Certifications: International Computer Drivers’ License (icdlus.com)

Surveys: emails, meetings, questionnaires, interviews

Page 12

Single Question Survey Tool: reduce misuse – enhance accountability

one question a day, keeps complacency away

(Architecture diagram) Central Server with the Server's OUTFOLDER holding CQF and CAF; Supervisor's Computer with a Client's INFOLDER, sending a Question; Employee's Computer with a Client's INFOLDER, sending an Answer; local files QLF, ALF, SLF and ULF.

Legend:
ALF: Answers Local File
SLF: Size-of-CQF Local File
ULF: User-PC-id Local File
CQF: Central Questions File
CAF: Central Answers File
QLF: Questions Local File

Page 13

Flowcharts – Question.java & Answer.java (nodes reconstructed from the extracted labels)

Question.java:
Start
Folder OUTFOLDER exists? No -> Create folder OUTFOLDER
Folder INFOLDER exists? No -> Create local folder INFOLDER
Local Questions Log File (QLF) exists? No -> Create QLF
Central Questions File (CQF) exists? No -> Create CQF
Central Answers File (CAF) exists? No -> Create CAF
Is QLF size > 0? Yes -> Load Questions Drop Down List
Is CAF size > 0? Yes -> Load Answers Array List
Show Question Frame
Option to send Question -> Is Question complete? Yes -> Count # of CQF lines & Add question to QLF & CQF
Option to Close -> End Of Job

Answer.java:
Start
Folder INFOLDER exists? No -> Create local folder INFOLDER
Central Questions File (CQF) exists? Central Answers File (CAF) exists? No -> End Of Job
Answers Log File (ALF) exists? No -> Create ALF
User PC id Local File (ULF) exists? No -> Create ULF; get PC name & write it to ULF; Create Size of CQF Local File (SLF); write size of CQF to SLF
Yes -> get PC name and load users list from ULF
SLF exists? No -> Create SLF; write size of CQF to SLF
get size of CQF from SLF -> Is CQF size the same? Yes -> End Of Job; No -> Get User Identity (A)
A: Verify User Identity -> User Verified; User Not Verified -> Pick User from list; User not listed -> add new identity to ULF
User Identity obtained -> Show Question -> Question answered -> Is Answer complete? No -> Show Question; Yes -> add answer to CAF and ALF; write size of CQF to SLF; End Of Job

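The file flow the two flowcharts describe, as an added Python sketch (not the Java tool from the slides, whose source is not on the page). The file and folder names follow the legend on page 12; the directory layout, PC name and question texts are constructed for the demo. The "is there a new question?" decision is implemented the way the Answer.java chart shows it: by comparing the current size of CQF with the size recorded in SLF.

```python
import os
import tempfile

# File names from the page-12 legend: central files live in the server's
# OUTFOLDER, local files in each client's INFOLDER.
CQF, CAF = "CQF", "CAF"                 # Central Questions File, Central Answers File
QLF, ALF, SLF, ULF = "QLF", "ALF", "SLF", "ULF"


def _ensure_file(path):
    """The 'exists? -> No -> Create' boxes: make an empty file if missing."""
    if not os.path.exists(path):
        open(path, "a").close()


def _size(path):
    return os.path.getsize(path)


def post_question(outfolder, infolder, text):
    """Question.java side: append a complete question to QLF and CQF and
    return its number (the count of CQF lines). Empty questions are rejected."""
    text = text.strip()
    if not text:                                   # "Is Question complete?" -> No
        return None
    os.makedirs(outfolder, exist_ok=True)          # OUTFOLDER exists? -> create
    os.makedirs(infolder, exist_ok=True)           # INFOLDER exists? -> create
    cqf_path = os.path.join(outfolder, CQF)
    for path in (os.path.join(infolder, QLF), cqf_path, os.path.join(outfolder, CAF)):
        _ensure_file(path)
    with open(cqf_path, "r+") as cqf:
        number = sum(1 for _ in cqf) + 1           # "Count # of CQF lines"
        cqf.seek(0, os.SEEK_END)
        cqf.write(f"{number}\t{text}\n")           # "Add question to ... CQF"
    with open(os.path.join(infolder, QLF), "a") as qlf:
        qlf.write(f"{number}\t{text}\n")           # "... & QLF"
    return number


def pending_question(outfolder, infolder, pc_name):
    """Answer.java side: register the PC in ULF, then compare the current CQF
    size with the size stored in SLF; an unchanged size means no new question.
    Returns (number, text) or None."""
    cqf_path = os.path.join(outfolder, CQF)
    if not (os.path.exists(cqf_path) and os.path.exists(os.path.join(outfolder, CAF))):
        return None                                # central files missing -> End Of Job
    os.makedirs(infolder, exist_ok=True)
    _ensure_file(os.path.join(infolder, ALF))
    ulf_path = os.path.join(infolder, ULF)
    _ensure_file(ulf_path)
    with open(ulf_path) as ulf:
        users = [line.strip() for line in ulf if line.strip()]
    if pc_name not in users:                       # "User not listed" -> add identity to ULF
        with open(ulf_path, "a") as ulf:
            ulf.write(pc_name + "\n")
    slf_path = os.path.join(infolder, SLF)
    if not os.path.exists(slf_path):               # first run: create SLF, record CQF size
        with open(slf_path, "w") as slf:
            slf.write(str(_size(cqf_path)))
        return None
    with open(slf_path) as slf:
        seen_size = int(slf.read().strip() or 0)
    if _size(cqf_path) == seen_size:               # "Is CQF size the same?" -> Yes
        return None
    with open(cqf_path) as cqf:
        number, text = cqf.readlines()[-1].rstrip("\n").split("\t", 1)
    return int(number), text


def record_answer(outfolder, infolder, pc_name, number, answer):
    """Append the answer to CAF (central) and ALF (local), then store the
    current CQF size in SLF so the same question is not shown again."""
    answer = answer.strip()
    if not answer:                                 # "Is Answer complete?" -> No
        return False
    line = f"{pc_name}\t{number}\t{answer}\n"
    for path in (os.path.join(outfolder, CAF), os.path.join(infolder, ALF)):
        with open(path, "a") as f:
            f.write(line)
    with open(os.path.join(infolder, SLF), "w") as slf:
        slf.write(str(_size(os.path.join(outfolder, CQF))))
    return True


def demo():
    """One supervisor/employee round trip in a temporary directory; the
    question texts and the PC name are constructed for this demo."""
    root = tempfile.mkdtemp()
    out = os.path.join(root, "OUTFOLDER")
    sup = os.path.join(root, "supervisor", "INFOLDER")
    emp = os.path.join(root, "employee", "INFOLDER")
    post_question(out, sup, "Did you lock your screen when you left your desk?")
    first = pending_question(out, emp, "PC-017")   # first run only records the CQF size
    blank = post_question(out, sup, "   ")         # incomplete question is rejected
    post_question(out, sup, "Do you know whom to call about a suspicious email?")
    pending = pending_question(out, emp, "PC-017")
    record_answer(out, emp, "PC-017", pending[0], "yes")
    again = pending_question(out, emp, "PC-017")   # size unchanged: nothing new
    with open(os.path.join(out, CAF)) as caf:
        answers = caf.read().splitlines()
    return {"first": first, "blank": blank, "pending": pending,
            "again": again, "answers": answers}
```

Two properties of this design are worth seeing in running code. The SLF size comparison is a cheap "anything new?" test, but it only notices growth of CQF, so an employee whose SLF is created after a question was posted never sees that question, and a question edited in place to the same length is invisible. Accountability ("enhance accountability" on page 12) rests entirely on the PC name written into ULF and CAF and on who may write to OUTFOLDER: any account with write access to CAF can append an answer line under another PC's name, so the permissions on the shared folder are the control, not the file format.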

Page 14

References:

Adams, J. 2004. Science and Terrorism: Post-Conference After-Thoughts. Post-conference draft for the World Federation of Scientists’ International Seminar on Terrorism, Erice, 7-12 May 2004. http://www.geog.ucl.ac.uk/~jadams/publish.htm. 1-11.

Cunvin, A. 2004. The Rise of Security Threats. Appsense, Monday, 1 November 2004. Retrieved from http://www.net-security.org/article.php?id=740

Gordon, L.A., Loeb, M.P., Lucyshyn, W., and Richardson, R. 2004. Ninth Annual 2004 CSI/FBI Computer Crime and Security Survey. Computer Security Institute. Retrieved from http://www.theiia.org/iia/download.cfm?file=9732

Patrick, A.S., Long, C.A., and Flinn, S. 2003. HCI and Security Systems. CHI 2003, April 5-10, 2003, Ft. Lauderdale, Florida, USA. ACM 1-58113-637-4/03/0004. 1056-1057.

Viega, J., and Messier, M. 2004. Security: Is Harder Than You Think. Secure Software. ACM Queue, July/August 2004. 60-65.

Weirich, D., and Sasse, M.A. 2002. Pretty Good Persuasion: A First Step towards Effective Password Security in the Real World. NSPW’01, September 10-13th, 2002, Cloudcroft, New Mexico, USA. ACM 1-58113-457-6/01/0009. 137-143.

