Usable security

USABLE SECURITYRACHEL SIMPSON (@RILAN) & GUY PODJARNY (@GUYPOD)

DO YOU REMEMBER…

0 0 0 3 4 1HIT COUNTER

FOR DIGITAL SECURITY, THE STAKES HAVE NEVER BEEN HIGHER.

ARE USERS REALLY THE WEAKEST LINK?

RACHEL SIMPSON @RILAN

RACHEL SIMPSON @RILAN

GUY PODJARNY @GUYPOD

USABLE SECURITY

WHAT’S ON THE AGENDA?

▸ Why do people do what they do?

▸ Passwords

▸ HTTPS errors

▸ SSL Interstitials

▸ Phishing

▸ Takeways

ARE USERS REALLY THE WEAKEST LINK?

WE’RE ONLY HUMAN.

USABLE SECURITY

HUMAN FACTORS

▸ Memory

USABLE SECURITY

HUMAN FACTORS

▸ Memory

▸ Attention

USABLE SECURITY

HUMAN FACTORS

▸ Memory

▸ Attention

▸ Cognitive load

USABLE SECURITY

HUMAN FACTORS

▸ Memory

▸ Attention

▸ Cognitive load

▸ Previous context

PASSWORDS

WHY ARE PASSWORDS HARD?

130 ACCOUNTS PER AMERICAN USER

BLOG.DASHLANE.COM

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

….

MEMORY IS A LIMITED RESOURCE

WE USE PASSWORDS THAT ARE HARD FOR HUMANS TO REMEMBER, BUT EASY FOR COMPUTERS TO GUESS

XKCD

WWW.XKCD.COM/936

P@$$w0rd

FROM SPLASH DATA’S WORST PASSWORDS OF 2015

ATTACKERS ENUMERATE USERNAMES WITH COMMON PASSWORDS

▸ 123456

▸ password

▸ 12345

▸ 12345678

▸ qwerty

▸ 123456789

▸ 1234

▸ baseball

▸ dragon

▸ football

WHAT CAN WE DO?

Photo by Mateusz Adamowski

BE MORE FLEXIBLETAKEAWAY #1

(BUT NOT TOO FLEXIBLE)TAKEAWAY #1

SPOT THE SECURITY INFO

ATTENTION IS FOCUSED ON THE TASK AT HAND

BE TIMELY & MEANINGFULTAKEAWAY #2

INTERSTITIALS

63% CONTINUED THROUGH THE WARNING

EXPERIMENTING AT SCALE WITH GOOGLE CHROME’S SSL WARNING

38% CONTINUED THROUGH THE WARNING

EXPERIMENTING AT SCALE WITH GOOGLE CHROME’S SSL WARNING

MAKING DECISIONS HAS A COST

OFFER AN OPINIONTAKEAWAY #3

PHISHING

HELENONLINE

HELENONLINE

THERE’S NO PATCH FOR HUMAN STUPIDITY

Trolls

GENERAL INTERNET WISDOM

23% AVERAGE OPEN RATE

THREATSIM STATE OF THE PHISH STUDY

11% AVERAGE CLICK THROUGH RATE

THREATSIM STATE OF THE PHISH STUDY

YOU DON’T KNOW WHAT YOU DON’T KNOW.

USERS DO NOT GENERALLY PERCEIVE THE ABSENCE OF A WARNING SIGN.

Chrome Security Team

MARKING HTTP AS NON-SECURE

HOW BAD IS PHISHING REALLY?

LABS.FT.COM/2013/05/A-SOBERING-DAY/

LABS.FT.COM/2013/05/A-SOBERING-DAY/

LABS.FT.COM/2013/05/A-SOBERING-DAY/

OUR LAST PHISHING EXAMPLE

GUY GETS PHISHED

WHAT CAN WE DO?

INFO.BANKOFAMERICA.COM/NEW-SIGN-IN/

KNOW YOUR AUDIENCE

BE MORE FLEXIBLE BE TIMELY & MEANINGFUL OFFER AN OPINION

USABLE SECURITY

BE MORE FLEXIBLE BE TIMELY & MEANINGFUL

USABLE SECURITY

BE MORE FLEXIBLE BE TIMELY & MEANINGFUL OFFER AN OPINION

USABLE SECURITY

WE’RE HIRING!

RACHEL SIMPSON @RILAN

GUY PODJARNY @GUYPOD

USABLE SECURITY

RESOURCES

▸ Transforming the ‘weakest link’ – a human/computer interaction approach to usable and effective security (M A Sasse, S Brushoff, D Weirich)

▸ Learning from “Shadow Security” (Iacovos Kirlappos, Simon Parkin, M. Angela Sasse)

▸ Users are not the enemy (Anne Adams, Martina Angela Sasse)

▸ Experimenting at scale with Google Chrome’s SSL Warning (Adrienne Porter Felt, Hazim Almuhimedi, Sunny Consolvo)

▸ Improving SSL Warnings: Comprehension & Adherence (Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, Helen Harris, Jeff Grimes)

▸ The Emperor’s New Security Indicators (Stuart E. Schechter, Rachna Dhamija, Andy Ozment, Ian Fischer)