Human Factors in Security & Privacy
CS/IS 698
Today
- Introductions
- What is usable security & privacy?
- What will you need to do in this course?
Introductions
Usable security and privacy
What is usable security & privacy?
- What is usable?
- What is security?
- What is privacy?
Why do I care about definitions?
If we can’t agree on our objectives, it will be hard to achieve them.
How would you define security?
- protection of any resource
- prevention of unauthorized access to any resource
- not being vulnerable to unauthorized access / misuse
- being able to rules so that the system isn’t breachable
One definition of (cyber)security
any technology, measure or practice for preventing cyberattacks or mitigating their impact
Another definition for security
Systems that do what they intend and not more
= functional requirements + security goals
Sample system: Learning Management System
What are the functional requirements?
- access coursework
- communicate with peers / profs
- calendar, see schedule of assignments
- integrations with tools like Lockdown Browser
What are the security goals?
- only registered student can access their own work
- confidentiality of assignments
- data segregation
- can only see each other’s work if intended
- role-based management
- integrity
- availability = shouldn’t go down
Security goals
- Confidentiality
- Integrity
- Availability
Confidentiality
Information is not shared unless authorized
Integrity
Information and functionality cannot be changed except by authorized parties or processes
Availability
The system should be responsive to requests
How do we achieve the security goals?
The science of security
Security techniques
- Encryption
- Abstraction
- programming languages
- Validation
- data sanitization
- control flow integrity
- Verification
- fuzzing
- …
Security domains
- Cryptography
- Memory safety
- Network security
- Web security
- AI security
- …
Security roadblocks
We have the technology…but struggle to use it.
Real-world failure examples
- Target data breach (2013)
- didn’t change default password
- Podesta emails (2016)
- spear-phishing
- Equifax data breach (2017)
- didn’t patch servers
Users are the enemy!
Users are not the enemy!
There’s a human in the loop
What factors might affect people’s decisions?
- carelessness
- mood
- urgency
- trusting the system
- laziness
- personality
- curiosity
Human-in-the-loop framework
Communication-Human Information Processing Model
C-HIP from warnings science
Taking into account human factors can ensure better security outcomes
How can we make security/privacy better for humans?
✐
Examples of more usable solutions
- encryption that’s built in
- not having to remember passwords
- not having to read privacy policies
Questions about usable security
Course overview
Topics
- Security
- Privacy mental models
- Usable encryption
- Passwords
- Two-factor authentication
- Password alternatives
- Authorization / access control
- Mobile permissions
- Phishing prevention
- Security warnings and indicators
- Breach and compliance notifications
- Privacy in social media
- Privacy policies
- Online tracking
- Usable anonymity
- Smart home privacy
- AR/VR privacy
- Deceptive design patterns
- Security professionals
- Software developers
- Vulnerable populations
- Accessibility
- Children and teens
- Older adults
- International & multicultural perspectives
Course goals
- Learn about existing research
- Learn to evaluate research
- Learn to do research
- Learn to apply research
Course components
- Reading and discussing research papers
- Lecture and practice research methods
- Research/development and presenting project
Assignments
- Current events
- Reading reflections
- Class presentations & discussions
- Methods practice
- Project
To do
- Homework 1 out soon, due next Thursday
- No reading reflections & presentations next week
- Start thinking about project ideas
Questions about course
What we covered today
- What is usable security?
- What will you need to do in this course?
What’s next?
- What’s privacy?