The document discusses the challenges of usable security, emphasizing that human factors such as memory, attention, and cognitive load contribute to security vulnerabilities. It highlights issues with password management, phishing susceptibility, and the importance of user-friendly security measures. The authors propose strategies for improvement, including flexibility in security prompts and timely communication to better inform users.

1. USABLE SECURITY
RACHEL SIMPSON (@RILAN) & GUY PODJARNY (@GUYPOD)

2. DO YOU REMEMBER…

4. 0 0 0 3 4 1
HIT COUNTER

9. FOR DIGITAL SECURITY, THE STAKES
HAVE NEVER BEEN HIGHER.

11. ARE USERS REALLY THE
WEAKEST LINK?

12. RACHEL SIMPSON
@RILAN

13. RACHEL SIMPSON
@RILAN
GUY PODJARNY
@GUYPOD

14. USABLE SECURITY
WHAT’S ON THE AGENDA?
▸ Why do people do what they do?
▸ Passwords
▸ HTTPS errors
▸ SSL Interstitials
▸ Phishing
▸ Takeways

15. ARE USERS REALLY THE
WEAKEST LINK?

16. WE’RE ONLY HUMAN.

17. USABLE SECURITY
HUMAN FACTORS
▸ Memory

18. USABLE SECURITY
HUMAN FACTORS
▸ Memory
▸ Attention

19. USABLE SECURITY
HUMAN FACTORS
▸ Memory
▸ Attention
▸ Cognitive load

20. USABLE SECURITY
HUMAN FACTORS
▸ Memory
▸ Attention
▸ Cognitive load
▸ Previous context

21. PASSWORDS

22. WHY ARE PASSWORDS
HARD?

27. 130 ACCOUNTS PER
AMERICAN USER
BLOG.DASHLANE.COM

29. ….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….
….

30. MEMORY IS A LIMITED
RESOURCE

31. WE USE PASSWORDS THAT ARE HARD
FOR HUMANS TO REMEMBER,
BUT EASY FOR COMPUTERS TO GUESS
XKCD
WWW.XKCD.COM/936

32. P@$$w0rd

33. FROM SPLASH DATA’S WORST PASSWORDS OF 2015
ATTACKERS ENUMERATE USERNAMES WITH COMMON PASSWORDS
▸ 123456
▸ password
▸ 12345
▸ 12345678
▸ qwerty
▸ 123456789
▸ 1234
▸ baseball
▸ dragon
▸ football

35. WHAT CAN WE DO?

38. Photo by Mateusz Adamowski

40. BE MORE FLEXIBLE
TAKEAWAY #1

41. (BUT NOT TOO FLEXIBLE)
TAKEAWAY #1

42. SPOT THE SECURITY
INFO

47. ATTENTION IS FOCUSED
ON THE TASK AT HAND

50. BE TIMELY & MEANINGFUL
TAKEAWAY #2

51. INTERSTITIALS

53. 63% CONTINUED
THROUGH THE WARNING
EXPERIMENTING AT SCALE WITH GOOGLE CHROME’S SSL WARNING

57. 38% CONTINUED
THROUGH THE WARNING
EXPERIMENTING AT SCALE WITH GOOGLE CHROME’S SSL WARNING

58. MAKING DECISIONS
HAS A COST

59. OFFER AN OPINION
TAKEAWAY #3

60. PHISHING

61. HELENONLINE

62. HELENONLINE

63. THERE’S NO PATCH FOR HUMAN
STUPIDITY
Trolls
GENERAL INTERNET WISDOM

64. 23% AVERAGE OPEN
RATE
THREATSIM STATE OF THE PHISH STUDY

65. 11% AVERAGE CLICK
THROUGH RATE
THREATSIM STATE OF THE PHISH STUDY

66. YOU DON’T KNOW WHAT
YOU DON’T KNOW.

67. USERS DO NOT GENERALLY PERCEIVE
THE ABSENCE OF A WARNING SIGN.
Chrome Security Team
MARKING HTTP AS NON-SECURE

69. HOW BAD IS PHISHING
REALLY?

70. LABS.FT.COM/2013/05/A-SOBERING-DAY/

71. LABS.FT.COM/2013/05/A-SOBERING-DAY/

72. LABS.FT.COM/2013/05/A-SOBERING-DAY/

73. OUR LAST PHISHING
EXAMPLE
GUY GETS PHISHED

74. WHAT CAN WE DO?

75. INFO.BANKOFAMERICA.COM/NEW-SIGN-IN/

77. KNOW YOUR AUDIENCE

78. BE MORE FLEXIBLE
BE TIMELY & MEANINGFUL
OFFER AN OPINION
USABLE SECURITY

79. BE MORE FLEXIBLE
BE TIMELY & MEANINGFUL
USABLE SECURITY

80. BE MORE FLEXIBLE
BE TIMELY & MEANINGFUL
OFFER AN OPINION
USABLE SECURITY

81. WE’RE HIRING!
RACHEL SIMPSON
@RILAN
GUY PODJARNY
@GUYPOD

82. USABLE SECURITY
RESOURCES
▸ Transforming the ‘weakest link’ – a human/computer interaction approach to usable and effective
security (M A Sasse, S Brushoff, D Weirich)
▸ Learning from “Shadow Security” (Iacovos Kirlappos, Simon Parkin, M. Angela Sasse)
▸ Users are not the enemy (Anne Adams, Martina Angela Sasse)
▸ Experimenting at scale with Google Chrome’s SSL Warning (Adrienne Porter Felt, Hazim Almuhimedi,
Sunny Consolvo)
▸ Improving SSL Warnings: Comprehension & Adherence (Adrienne Porter Felt, Alex Ainslie, Robert W.
Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, Helen Harris, Jeff Grimes)
▸ The Emperor’s New Security Indicators (Stuart E. Schechter, Rachna Dhamija, Andy Ozment, Ian
Fischer)