
Cyber Summit 2016: Understanding Users' (In)Secure Behaviour



There is a prevailing belief that users are the weakest link in the security chain. In this presentation, Dr. Chiasson discusses how this perspective is inherently counterproductive to achieving increased cyber security and explores alternatives with a higher chance of improving security. Why do users behave insecurely even though most will readily state that security and privacy are important? This talk covers some of our recent research exploring why users' actions do not necessarily reflect their desire for security, and how the configuration of security systems may actually weaken security in practice. She presents her work using eye-tracking to determine how users make phishing determinations, and how we can persuade users to behave more securely by improving their mental models of passwords and by making adjustments to the system configurations.

Published in: Technology


  1. Understanding Users’ (In)Secure Behaviour. Prof. Sonia Chiasson, Canada Research Chair in Human Oriented Computer Security. Cyber Summit, Banff, October 2016
  2. (image only)
  3. Users are the weakest link
  4. Security system designs are the weakest link (“Users” struck out)
  5. WHY PHISHING STILL WORKS. To understand how and why users decide whether a site is legitimate.
     M. Alsharnouby, F. Alaca, and S. Chiasson. Why phishing still works: User strategies for combating phishing attacks. Int. Jour. of Human-Computer Studies (Elsevier), 2015.
  6. Still falling for phish. First phishing attack: AOL, 1996.
  7. User study
     • Questions asked: is this a phishing site? how certain are you?
     • Chrome browser, 10 legit sites, 14 phishing sites, eye tracking, 21 participants
     • Best-case scenario: measures detecting ability rather than usual practice
  8. Websites
     • Hosted sites, set up own certificate authority and modified browser host files, purchased domain/SSL certificate, HTTrack to copy sites
     • Tricks:
       – Incorrect URLs (with all links to legitimate site)
       – IP address instead of URL
       – Fake chrome (double URL bars)
       – Fake, suspicious content
       – “credit card checker”
  9. Results
     • Success rate: 53% for phishing, 78% for legit
     • Confidence: 4.25/5 regardless of whether choice was correct
     • Time: 87 s to decide, no difference for legit/phish sites
     • Eye-tracking: 6% of time on security indicators, 85% on page content
     • No effect of gender, age, tech expertise
     • 52% did not recognize phishing of their own bank
     • Quick to judge familiar sites
  10. Misunderstandings
     • Look for ‘simple’ URLs but missed misspellings or fabricated URLs
     • 48% said https was important, but 80% had no idea why
     • 19% thought the green EV box was important, no one knew why
     • Only 1 participant understood sub-domains:
  11. Insights
     • Detecting phishing is still really hard for users
     • Users don’t know how to accurately detect, but are confident in their abilities
     • Shallow, brittle understanding – is simple advice doing more harm than good?
     • Really, humans aren’t meant to do this!
  12. PASSWORDS. Are we doing more harm than good?
     Leah Zhang-Kennedy, Sonia Chiasson, and P. C. van Oorschot. Revisiting Password Rules: Facilitating Human Management of Passwords. In APWG eCrime. IEEE, 2016.
  13. Existing password rules: creation rules, mandatory password changes, no sharing, no writing down, no reuse
  14. Unreasonable usability?
     • Human memory limitations
     • Incompatible work practices/demands
     • Poor cost-benefit tradeoffs
  15. For little added security? Social engineering, offline guessing, password capture, online guessing
  16. Reconsidering the rules
  17. Reconsidering the rules (2)
     • Strategically re-use passwords
     • Keep written passwords well hidden
     • Share with caution
     • Change your password as needed
  18. WRAP UP. So what do we do?
  19. Rethinking strategy
     • Consider policies/demands in context
       – When adding a rule, which one is being removed?
       – How does this impact real work?
     • Consider human capabilities
       – Your employees don’t have wings
     • What are the side-effects?
     • Need realistic, actionable advice
       – Users understand why and how a security action is beneficial
  20. Our lab: Comics: SERENE-RISC cybersecurity network:
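The URL-reading problems the phishing slides describe (IP addresses in place of domain names, misspelled or fabricated domains, and the sub-domain rule that only one participant understood) written out as a defender-side URL check. This is an added example, not code from the talk or the underlying study; the known-domain list, the two-entry suffix stand-in and the sample URLs are constructed for illustration.

```python
# Added example, not from the talk: URL checks for the phishing tricks and
# misunderstandings the slides list. All domains and URLs here are constructed.
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of registered domains the user actually banks/shops with.
KNOWN_DOMAINS = ("examplebank.com", "paypal.com", "amazon.com")
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}  # tiny stand-in for a public suffix list

def registered_domain(host: str) -> str:
    """'login.examplebank.com' -> 'examplebank.com'. This is the sub-domain rule
    that only one participant in the study understood."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character misspellings ('paypa1')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_url(url: str) -> list[str]:
    """Return the indicators found in a URL; an empty list means none were found.
    HTTPS is deliberately not treated as evidence of legitimacy (48% of the
    participants said it was important, 80% had no idea why)."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return ["host is a bare IP address instead of a domain name"]
    except ValueError:
        pass
    reg = registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return []  # any sub-domain of a known registered domain is that site
    findings = []
    brand = reg.split(".")[0]
    for known in KNOWN_DOMAINS:
        if f".{known}." in f".{host}":  # familiar name used as someone else's sub-domain
            findings.append(f"'{known}' appears only as a sub-domain of '{reg}'")
        elif edit_distance(brand, known.split(".")[0]) <= 1:
            findings.append(f"'{reg}' closely resembles '{known}'")
    return findings or [f"'{reg}' is not a known domain"]
```

The sub-domain case is the one the study found hardest: `www.paypal.com.secure-login.net` is flagged even though it starts with a familiar name, while `login.examplebank.com` is accepted because its registered domain is the known one.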