what does the brain tell us about usable security
play

What Does the Brain Tell Us about Usable Security? Anthony Vance - PowerPoint PPT Presentation

Aug 16, 2023 •263 likes •1.12k views

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given a choice between dancing pigs and security, users will pick dancing pigs every time. Felton and McGraw (1999) clicky lusers BYU LAB

  1. What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University

  2. Given a choice between dancing pigs and security, users will pick dancing pigs every time. —Felton and McGraw (1999)

  3. “clicky lusers”

  4. BYU LAB Neurosecurity

  6. 1. Dual-task Interference 2. Habituation 3. Generalization

  8. 1. Dual-task Interference

  12. How bad is this problem?

  14. Baseline (resting)

  15. Memory Baseline task (resting)

  16. 4382359

  17. 1. 4381358 2. 4382369 3. 4382359 4. 4383359

  18. Security task Memory Baseline task (resting)

  21. Security High DTI task Memory Baseline task (resting)

  22. 1. Memorize code 2. 3. Recall code

  23. Temporal Lobe

  24. High DTI vs. Warning Only

  25. Security Task Performance Treatment Warning Disregard High-DTI 22.9% Warning-Only 7.4%

  26. 1. Memorize code 2. 3. Recall code

  27. 1. Memorize code 2. Recall code 3.

  28. Security Task Performance Treatment Warning Disregard High-DTI 22.9% Low-DTI 8.8% Warning-Only 7.4%

  29. chrome

  34. Low-DTI times

  35. After a video

  36. On loading of a page

  37. Waiting for web-based task to complete

  38. Percentage of Disregard Ranking Code Condition Disregarded Low-DTI Conditions LowDTI-5 Low-DTI: Waiting for page load 22% LowDTI-4 Low-DTI: While processing 24% LowDTI-2 Low-DTI: After video 44% LowDTI-1 Low-DTI: On first page load 45% LowDTI-3 Low-DTI: Switching domains 46% Average 36% High-DTI Conditions HighDTI-4 High-DTI: On the way to close window 74% HighDTI-2 High-DTI: While typing 78% HighDTI-1 High-DTI: During video 79% HighDTI-3 High-DTI: While transferring information 87% Average 80%

  39. 100% Security Message Disregard 75% 50% 25% 0% Low-DTI High-DTI

  40. Take-aways

  41. 1. The brain isn’t good at handling interruptions.

  42. 2. Timing a security message to display at a low-DTI results in marked improvement.

  43. 2. Habituation

  47. How bad is this problem?

  52. Animations

  62. Mobile field experiment

  63. Adherence behavior

  66. • Charge purchases to your credit card • Delete your photos • Record microphone audio any time • Sell your web-browsing data

  69. 100% 90% Warning adherence 80% 70% 60% 50% 40% 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Days

  70. Take-aways

  71. 1. The human brain is wired to tune out things it has seen before.

  72. 2. Updating the security UI can reduce habituation.

  73. 3. Generalization

  74. Generalization of habituation

  77. How bad is this problem?

  78. Take-aways

  79. 1. Frequent notifications likely contribute to habituation to rare security messages.

  80. 2. Design security messages to be visually distinct

  81. 1. Dual-task Interference 2. Habituation 3. Generalization

  84. BYU LAB Neurosecurity neurosecurity.byu.edu @ neurosecurity

Recommend

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com Honeywell.com What is usable security? Building security solutions that are intuitive and easy to use Many security

350 views • 9 slides
Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

395 views • 12 slides
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

598 views • 48 slides
Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Humans are

1.24k views • 67 slides
Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell,

715 views • 34 slides
Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of Internet Speaking to a host end-to-end channel Communication security container-based authenticity: X.509, Certificate

678 views • 57 slides
Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security (CUPS) Lab Carnegie Mellon University 2 Personalization 3 Cross-System Personalization 4 Cross-System Personalization 5 Cross-System

310 views • 18 slides
Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two Six Labs working on DARPA Brandeis This talk goes over work from UCB 1 Install-time permissions A ccept all or dont use the app at all. No

944 views • 77 slides
Usable Security Spring 2015 Franziska (Franzi) Roesner

Usable Security Spring 2015 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

1.11k views • 55 slides
The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas Reynolds University at Albany a Lightning Talk Symposium On Usable Privacy & Security Carnegie Mellon University, July 2011 Usable

371 views • 5 slides
Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang 1 Todays class Introducing me Introducing you Human Factors for Security and

985 views • 82 slides
Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to Verifying their Vote Workshop on Usable Security 2/23/2014 Usable Security Lab Jurlind Budurushi, Marcel Woide and Melanie Volkamer Crypto Lab Current

217 views • 19 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi,

Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi,

Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi, Aditi Shah, Bharath Subramanian, and Sauvik Das The Sixteenth Symposium on Usable Privacy and Security August 7th - 11th, 2020 High attention levels

1.03k views • 6 slides
Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in Secure Systems Engineering lersse.ece.ubc.ca Electrical and Computer

348 views • 9 slides
RF-based DFAR and implicit ad-hoc usable security Stephan Sigg Aalto University, Communications

RF-based DFAR and implicit ad-hoc usable security Stephan Sigg Aalto University, Communications

RF-based DFAR and implicit ad-hoc usable security Stephan Sigg Aalto University, Communications and Networking July 1, 2016 Group DFAR Conclusion 2 / 22 Stephan Sigg RF-based DFAR and implicit ad-hoc usable security Group DFAR Conclusion

824 views • 37 slides
Seeing Further: Extending Seeing Further: Extending Visualization as a Basis for Visualization

Seeing Further: Extending Seeing Further: Extending Visualization as a Basis for Visualization

Seeing Further: Extending Seeing Further: Extending Visualization as a Basis for Visualization as a Basis for Usable Security Usable Security Jennifer Rode, Carolina Johansson , Paul DiGioia, Roberto Silva Filho, Jennifer Rode,

327 views • 30 slides
Making the invisible visible Method Results A theory of security culture for secure and usable

Making the invisible visible Method Results A theory of security culture for secure and usable

Making the invisible visible S. Faily, I. Flchais Introduction Making the invisible visible Method Results A theory of security culture for secure and usable grids Cases What is Security Culture? Guidelines Future work S. Faily I.

692 views • 17 slides
Usable Security Raise the bar with implicit device pairing Stephan Sigg Department of

Usable Security Raise the bar with implicit device pairing Stephan Sigg Department of

Usable Security Raise the bar with implicit device pairing Stephan Sigg Department of Communications and Networking Aalto University, School of Electrical Engineering stephan.sigg@aalto.fi 09.10.2017 MEMORY IS A LIMITED RESOURCE Stephan

331 views • 13 slides
Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang 1 The human threat Malicious humans Humans who dont know what to do

569 views • 38 slides
Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy,

Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy,

Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy, Sean Smith Institute for Security Technology Studies Department of Computer Science Dartmouth College Sergey Bratus, Alex Ferguson, Doug McIlroy,

739 views • 29 slides
Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy,

Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy,

Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy, Sean Smith Institute for Security Technology Studies Department of Computer Science Dartmouth College Sergey Bratus, Alex Ferguson, Doug McIlroy,

482 views • 33 slides
Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish], Usable Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada

764 views • 48 slides
BRAIN VENTRICULAR SYSTEM CSF THE BRAIN BRAIN The brain (encephalon) lies within the cranium. It

BRAIN VENTRICULAR SYSTEM CSF THE BRAIN BRAIN The brain (encephalon) lies within the cranium. It

BRAIN VENTRICULAR SYSTEM CSF THE BRAIN BRAIN The brain (encephalon) lies within the cranium. It receives information from, and controls the activities of, the trunk and limbs, mainly through rich connections with the spinal cord. The brain

522 views • 27 slides

More recommend