CMSC 818D – Spring 2015 Course Overview Michelle Mazurek With some slides adapted from Lorrie Cranor 1 and Blase Ur
Today’s class • Introducing me • Introducing you • Human Factors for Security and Privacy? • Overview of course topics • Course policies and syllabus 2
Who am I? • Michelle Mazurek (mmazurek@umd.edu) • Assistant professor, CS and UMIACS • Affiliated with MC2 and HCIL • Office hours: Tues 2-3 pm in AVW 3421, or by appointment 3
Who are you? • Preferred name • Academic program, adviser if applicable • Background in HCI (a lot, a little, none) • Background in security/privacy (a lot, a little, none) • Why this course? 4
Humans “Humans are incapable of securely storing high- quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations… But they are sufficiently pervasive that we must design our protocols around their limitations.” −− C. Kaufman, R. Perlman, and M. Speciner. Network Security: PRIVATE Communication in a PUBLIC World. 2nd edition. Prentice Hall, page 237, 2002. 5
More on humans “Not long ago, [I] received an e-mail purporting to be from [my] bank. It looked perfectly legitimate, and asked [me] to verify some information. [I] started to follow the instructions, but then realized this might not be such a good idea … [I] definitely should have known better.” -- former FBI Director Robert Mueller 6
And one more … “I think privacy is actually overvalued … If someone drained my cell phone, they would find a picture of my cat, some phone numbers, some email addresses, some email text. What’s the big deal?” -- Judge Richard Posner U.S. Court of Appeals, 7 th circuit 7
Better together Examining security/privacy and usability together is often critical for achieving either 8
Borrowing from many disciplines Many disciplines have experience studying humans. Can we learn from their models and methods? • Psychology • HCI • Sociology • Marketing • Ethnography • Counterterrorism • Cognitive sciences • Communication • Warning science • Persuasive technology • Risk perception • Learning science • Behavioral economics 9
Why is security/privacy different? • Presence of an adversary • Security/privacy is a secondary task • Designing for humans is not enough! – Support users who are predictable, stressed, careless, unmotivated, busy, foolish – Without Without compr compromising security and privacy omising security and privacy 10
Bridging security and HCI Security � Usability/HCI � Usable Security � Humans are a secondary Humans are the primary Human factors and constraint compared to constraint, security is security are both primary security concerns rarely considered constraints Humans considered Concerned about human Concerned about both primarily in their role as error but not human normal users and adversaries/attackers attackers adversaries Involves threat models Involves task models, Involves threat models mental models, cognitive AND task models, mental models models, etc. Focus on security metrics Focus on usability metrics Considers usability and security metrics together User studies are rare User studies are common User studies common, often involve deception or distraction 11
Bridging security and HCI Security � Usability/HCI � Usable Security � Humans are a secondary Humans are the primary Human factors and constraint compared to constraint, security is security are both primary security concerns rarely considered constraints Humans considered Concerned about human Concerned about both primarily in their role as error but not human normal users and adversaries/attackers attackers adversaries Involves threat models Involves task models, Involves threat models mental models, cognitive AND task models, mental models models, etc. Focus on security metrics Focus on usability metrics Considers usability and security metrics together User studies are rare User studies are common User studies common, often involve deception or distraction 12
User-selected graphical passwords Security � Usability/HCI � Usable Security � What is the space of How difficult is it for a All the security/privacy possible passwords? user to create, and usability HCI remember, and enter a questions How can we make the graphical password? password space larger to How long does it take? How do users select make the password graphical passwords? harder to guess? How hard is it for users to How can we help them learn the system? choose passwords harder How are the stored for attackers to predict? passwords secured? Are users motivated to put in effort to create As the password space Can an attacker gain good passwords? increases, what are the knowledge by observing impacts on usability a user entering her Is the system accessible factors and predictability password? using a variety of devices, of human selection? for users with disabilities? 13
User-selected graphical passwords Security � Usability/HCI � Usable Security � What is the space of How difficult is it for a All the security/privacy possible passwords? user to create, and usability HCI remember, and enter a questions How can we make the graphical password? password space larger to How long does it take? How do users select make the password graphical passwords? harder to guess? How hard is it for users to How can we help them learn the system? choose passwords harder How are the stored for attackers to predict? passwords secured? Are users motivated to put in effort to create As the password space Can an attacker gain good passwords? increases, what are the knowledge by observing impacts on usability a user entering her Is the system accessible factors and predictability password? using a variety of devices, of human selection? for users with disabilities? 14
Course goals • Gain an appreciation for the importance of human factors to security and privacy • Learn about current and important research in the area • Learn how to conduct user studies targeting security and privacy issues • Gain tools for critically evaluating research you hear or read about 15
Course topics • Quick overviews of security and privacy • Intro to HCI methods and experimental design – How and when to use different qualitative and quantitative study designs – Ecological validity and ethics – Overview of statistical analysis 16
Topic: Passwords • Can people make passwords that are easy to remember, yet hard to crack? Image from http://www.trypap.com 17
Topic: Graphical passwords • Humans have great visual memory… can this fact be leveraged for authentication? Image from http://www.techradar.com 18
Topic: Biometrics • Characteristics of the human body can be used to identify or authenticate – How can this be done in a user-friendly way? Image from http:// www.sciencedaily.com 19 Image from http://www.economist.com
Topic: Secondary authentication • Favorite athlete? • Make of first car? • Where Barack Obama met his wife? • Jennifer Lawrence’s mother’s maiden name? Image from http://www.wikipedia.org 20
Topic: Censorship, anonymity • How can we help people to remain anonymous on the Internet? (And should we?) • How can we help people to evade censorship? (And should we?) Image from http:// www.wikipedia.org Image from http://www.jhalderm.com 21
Topic: Usable encryption • Why don’t people encrypt their email and files? 22
Topic: SSL and PKIs • Is there any hope for making certificates and SSL warnings usable? • Can we teach developers to use SSL correctly? 23
Topic: Security warnings • When do we really need them? • Can we make them more effective? 24
Topic: Privacy policies and notices • How do we communicate privacy-critical info? – To busy users – Despite information overload Screenshot from http://www.tosdr.org 25
Topic: Access control, policy configuration • Who should have access to your files, physical spaces, and online posts? • How can we make it easier for users to express and enforce their preferences? 26 Image from http://www.about.com
Topic: Privacy and security at home • How does the increase in devices and sensors affect privacy dynamics within the home? • How can these sensors be usably secured? Image from http://www.ftc.gov Image from http:// 27 www.makezine.com
Topic: Browser privacy & security • What kind of tracking currently occurs, and what do average people think of it? • … And why has phishing been so effective? 28
Topic: HFPS for mobile • Do people understand where the information on their phone goes? • …And can someone please make app permissions usable? Image from http://www.nokia.com 29 Image from http:// www.arstechnica.com
Topic: Social networks and privacy • Can people want to share some things widely yet want other things to be private? 30
Topic: Safety-critical devices • Cars, medical devices, appliances are computers – How do we help users protect their privacy and maintain security while still reaping the benefits of these new technologies? Image from http:// 31 Image from http:// Image from http:// www.hcwreview.com www.motortrend.com www.allaboutsymbian.com
Recommend
More recommend