
Usable security

Date post:19-Feb-2017
Transcript:
  • USABLE SECURITY

    RACHEL SIMPSON (@RILAN) & GUY PODJARNY (@GUYPOD)

  • DO YOU REMEMBER

  • 0 0 0 3 4 1

    HIT COUNTER

  • FOR DIGITAL SECURITY, THE STAKES HAVE NEVER BEEN HIGHER.

  • ARE USERS REALLY THE WEAKEST LINK?

  • RACHEL SIMPSON @RILAN

    GUY PODJARNY @GUYPOD

  • USABLE SECURITY

    WHAT'S ON THE AGENDA?

    Why do people do what they do?

    Passwords

    HTTPS errors

    SSL Interstitials

    Phishing

    Takeaways

  • ARE USERS REALLY THE WEAKEST LINK?

  • WE'RE ONLY HUMAN.

  • USABLE SECURITY

    HUMAN FACTORS

    Memory

    Attention

    Cognitive load

    Previous context

  • PASSWORDS

  • WHY ARE PASSWORDS HARD?

  • 130 ACCOUNTS PER AMERICAN USER

    BLOG.DASHLANE.COM

  • MEMORY IS A LIMITED RESOURCE

  • WE USE PASSWORDS THAT ARE HARD FOR HUMANS TO REMEMBER, BUT EASY FOR COMPUTERS TO GUESS

    XKCD

    WWW.XKCD.COM/936

  • [email protected]$$w0rd

  • FROM SPLASHDATA'S WORST PASSWORDS OF 2015

    ATTACKERS ENUMERATE USERNAMES WITH COMMON PASSWORDS

    123456

    password

    12345

    12345678

    qwerty

    123456789

    1234

    baseball

    dragon

    football

  • WHAT CAN WE DO?

  • Photo by Mateusz Adamowski

    https://commons.wikimedia.org/wiki/File:RSA-SecurID-Tokens.jpg#file

  • BE MORE FLEXIBLE

    TAKEAWAY #1

  • (BUT NOT TOO FLEXIBLE)

    TAKEAWAY #1

  • SPOT THE SECURITY INFO

  • ATTENTION IS FOCUSED ON THE TASK AT HAND

  • BE TIMELY & MEANINGFUL

    TAKEAWAY #2

  • INTERSTITIALS

  • 63% CONTINUED THROUGH THE WARNING

    EXPERIMENTING AT SCALE WITH GOOGLE CHROME'S SSL WARNING

  • 38% CONTINUED THROUGH THE WARNING

    EXPERIMENTING AT SCALE WITH GOOGLE CHROME'S SSL WARNING

  • MAKING DECISIONS HAS A COST

  • OFFER AN OPINION

    TAKEAWAY #3

  • PHISHING

  • HELENONLINE

  • THERE'S NO PATCH FOR HUMAN STUPIDITY

    Trolls

    GENERAL INTERNET WISDOM

  • 23% AVERAGE OPEN RATE

    THREATSIM STATE OF THE PHISH STUDY

  • 11% AVERAGE CLICK THROUGH RATE

    THREATSIM STATE OF THE PHISH STUDY

  • YOU DON'T KNOW WHAT YOU DON'T KNOW.

  • USERS DO NOT GENERALLY PERCEIVE THE ABSENCE OF A WARNING SIGN.

    Chrome Security Team

    MARKING HTTP AS NON-SECURE

  • https://www.youtube.com/watch?v=IGQmdoK_ZfY

  • HOW BAD IS PHISHING REALLY?

  • LABS.FT.COM/2013/05/A-SOBERING-DAY/

  • OUR LAST PHISHING EXAMPLE

    GUY GETS PHISHED

  • WHAT CAN WE DO?

  • INFO.BANKOFAMERICA.COM/NEW-SIGN-IN/

  • http://www.sadtrombone.com/

  • KNOW YOUR AUDIENCE

  • BE MORE FLEXIBLE

    BE TIMELY & MEANINGFUL

    OFFER AN OPINION

    USABLE SECURITY

  • WE'RE HIRING!

    RACHEL SIMPSON @RILAN

    GUY PODJARNY @GUYPOD

  • USABLE SECURITY

    RESOURCES

    Transforming the "weakest link": a human/computer interaction approach to usable and effective security (M. A. Sasse, S. Brostoff, D. Weirich)

    Learning from "Shadow Security" (Iacovos Kirlappos, Simon Parkin, M. Angela Sasse)

    Users are not the enemy (Anne Adams, Martina Angela Sasse)

    Experimenting at scale with Google Chrome's SSL Warning (Adrienne Porter Felt, Hazim Almuhimedi, Sunny Consolvo)

    Improving SSL Warnings: Comprehension and Adherence (Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, Helen Harris, Jeff Grimes)

    The Emperor's New Security Indicators (Stuart E. Schechter, Rachna Dhamija, Andy Ozment, Ian Fischer)
