The following is a preliminary program, subject to change.
During the twentieth century, security - and particularly information
security - was seen as a technical problem, to be tackled using
crypto, access controls and so on. We now know that purely technical
approaches don't work. Recent years have seen the emergence of at least
two research communities that mine the social sciences for ideas:
security economists who analyse incentives, and security usability
experts who work with psychology.
In this talk, I will try to sketch out a still broader research
programme. Economics can give us insights into usability failures;
research at the borders between economics and psychology teaches us
about attitudes towards risk, and can inform research on subjects from
privacy to terrorism; and the growing importance of phishing suggests
we should try to understand deception better. A lot of interesting
cross-disciplinary work remains to be done.
Ross Anderson is Professor of Security Engineering at Cambridge
University. He is one of the founders of a vigorously-growing new
discipline: the economics
of information security. Many security failures can be traced to
wrong incentives rather than technical errors, and the application of
microeconomic theory has shed new light on many problems that were
previously considered intractable. This work is particularly important
for understanding auctions, fraud, and online liability. It is also
giving insights into system safety and dependability, and into more
traditional security problems of interest to law enforcement and the
insurance industry.
Recently security economics has started to spill over into other
social sciences, with ideas being imported from anthropology,
primatology and above all psychology. Ross was an organiser of the
first workshop on security and human behaviour, on which he will
report in this keynote talk. The interaction between security and
psychology is not limited to the usability of protection mechanisms:
it ranges from the misperceptions of risk that make our societies
vulnerable to terrorism, to quite basic questions such as the extent
to which we evolved intelligence in order to deceive, and to detect
deception in others.
Ross has also made seminal contributions to peer-to-peer systems;
hardware tamper-resistance; emission security; copyright marking;
crypto protocols; and the security of APIs. He was a coauthor of
Serpent, a finalist in the AES competition. Other papers document the
failures of real world systems, including automatic teller machines,
prepayment meters and medical record systems. His team currently
monitors online fraud, the subject of a tech
talk at Google. He also chairs the Foundation for Information
Policy Research, the main UK think-tank on internet and technology
policy issues. He is a Fellow of the IET and the IMA, and wrote the
definitive book "Security Engineering -- A Guide to Building
Dependable Distributed Systems", whose second edition just appeared in
April 2008.
PANEL
Testing for Usable Security - What Relationship, If Any, Does It Have To Product Design?
The CHI community has had long debates about the place of usability
testing during product design. Recently, Greenberg and Buxton
published an article titled "Usability Evaluation Considered Harmful
(Some of the Time)", where they concluded that usability evaluation is
appropriate some of the time, and non-empirical methods ("design
critiques, design alternatives, case studies, cultural probes,
reflection, design rationale") are appropriate other times. In
addition, they state that a combination of methods will "triangulate
and enrich the discussion of a system's validity". More specifically,
they state that evaluation done too early can kill promising design
ideas, and that it ignores cultural adoption and use.
This panel moves beyond these conclusions to specifically discuss
usable security. The panelists will address questions such as:
- What are the appropriate ways to validate one's work when the work
is usable security? When the goal is something other than published
research, such as product or standards, how do the validation methods
change?
- What is the role, and the limitation, of laboratory-based usability
research and other design techniques when making real-life design and
standards decisions?
Each panelist will take a specific position on the topic and
include at least one specific recommendation for future changes in
this area.
Moderator: Mary Ellen Zurko, IBM [slides]
Panelists:
- Stuart Schechter, Microsoft
- Phil Hallam-Baker, Verisign [slides]
- Jon Callas, PGP [slides]
- Tyler Close, HP
POSTERS
Social Circles: Tackling Privacy in Social Networks
Fabeah Adu-Oppong, Casey Gardiner, Apu Kapadia and Patrick Tsang
A Survey to Guide Group Key Protocol Development
Ahren Studer, Christina Johns, Jaanus Kase and Kyle O'Meara
Can eye gaze reveal graphical passwords?
Daniel LeBlanc, Sonia Chiasson, Alain Forget and Robert Biddle
Design of a Privacy Label for P3P Policies
Patrick Kelley, Steve Won and Lorrie Cranor
Privacy Perceptions of Photo Sharing in Facebook
Andrew Besmer and Heather Lipford
Toward Web Browsers that Make or Break Trust
Hazim Almuhimedi, Amit Bhan, Dhruv Mohindra and Joshua Sunshine
Investigating how everyday people experience security
Niels Raabjerg Mathiasen
Understanding Security Administrators: Granting Access in Academic, Start-up, and Enterprise Environments
Luke Kowalski
Mental Models of Home Computer Security
Rick Wash
Usable Authentication for Electronic Healthcare Systems
Qihua Wang and Hongxia Jin
RUST: The Reusable Security Toolkit
Chaitanya Atreya, Adam Aviv, Maritza Johnson, Mariana Raykova, Steven M. Bellovin and Gail Kaiser
Enhancements to the Anti-Phishing Browser Toolbar
Bruno Lorentin and Kristiina Karvonen
Testing PhishGuru in the Real World
Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Cranor and Jason Hong
Enforcing POLA on Desktop Applications Through Dynamic Input Monitoring
Brett Cannon and Eric Wohlstadter
Usable Persona Interface: Persona-Bookmark
Nachi Ueno, Kei Karasawa and Kenji Takahashi
Privacy Rights Management for Mobile Applications
A. K. Bandara, B. A. Nuseibeh, B. A. Price, Y. Rogers, N. Dulay, E. C. Lupu, A. Russo, M. Sloman, A. N. Joinson
Posters Showcasing Usable Privacy and Security Papers Published in the Past Year at Other Conferences
Expandable Grids for Visualizing and Authoring Computer Security Policies
Robert Reeder, Lujo Bauer, Lorrie Cranor, Michael Reiter, Kelli Bacon, Keisha How and Heather Strong
You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings
Serge Egelman, Lorrie Cranor and Jason Hong
Undercover: Authentication Usable in Front of Prying Eyes
Hirokazu Sasamoto, Nicolas Christin and Eiji Hayashi
Towards understanding user perceptions of authentication technologies
Laurie Jones, Annie Antón and Julia Earp
A User Study of Policy Creation in a Flexible Access-Control System
Lujo Bauer, Lorrie F. Cranor, Robert W. Reeder, Michael K. Reiter and Kami Vaniea
Behavioral response to phishing risk
Julie S. Downs, Mandy B. Holbrook and Lorrie Faith Cranor
Love and Authentication
Markus Jakobsson, Erik Stolterman, Susanne Wetzel and Liu Yang
Private Web Search
Felipe Saint-Jean, Aaron Johnson, Joan Feigenbaum and Dan Boneh
Where's The Beep? Security, Privacy, and User Misunderstandings of RFID
Jennifer King and Andrew McDiarmid
IRBs and Security Research: Myths, Facts and Mission Creep
Simson Garfinkel
A Framework for Reasoning About the Human in the Loop
Lorrie Cranor
Human, Organizational, and Technological Factors of IT Security
Kirstie Hawkey, David Botta, Rodrigo Werlinger, Kasia Muldner, Andre Gagne and Konstantin Beznosov
DISCUSSION SESSIONS
Understanding PCI Regulations and Applying Strategies to Ensure Cardholder Privacy
Moderator: Eric Offenberg, IBM
The PCI DSS (Payment Card Industry Data Security Standard) is
hailed as one of the most specific privacy guidelines for protecting
the sensitive information held by corporations that store, process or
transmit cardholder data. However, to fully comply with the 12
multi-faceted PCI requirements, companies need to implement strategies and
technologies to ensure that effective privacy safeguards are in place.
Join this interactive panel discussion on how companies are addressing
PCI requirements, and learn about solutions that support compliance
initiatives. Discussion topics will include:
- Understanding how safeguarding customer data protects a company’s bottom line
- Assessing the impact of PCI requirements on retailers, merchants, banks, and other affected corporations.
- Overcoming the fears associated with implementing technologies to become/remain compliant with PCI
- Discovering how PCI compliance can be leveraged to reduce costs and improve operational efficiency
Eric Offenberg, CIPP and Product Marketing Manager at IBM, has
established himself as a thought leader on data governance, database
archiving, enterprise data management and data privacy. With nearly 10
years of technology marketing experience across industries, Eric is a
regular speaker in live Webinars, industry events and with media and
analysts on behalf of IBM. He holds an MBA with a concentration in
marketing from Rider University and a BA degree in communications with
a concentration in public relations from Rutgers University.
Metrics for Characterizing Research Participants' Technical Knowledge
Moderators: Serge Egelman and Ponnurangam Kumaraguru, Carnegie Mellon University
User studies can only contribute to human knowledge if they are
generalizable across a known population. Thus, the sample for a given
user study needs to be describable so that it can be generalized to a
larger population. In many user studies, a user's technical prowess
can have a profound impact on the results of the study. The ability to
quantify (or at least classify) a user's technical knowledge is
becoming increasingly necessary in order to generalize studies across
populations as well as compare the results of one study to
another. Some examples that researchers have used in the past are: (1)
Educational background, (2) Internet usage, (3) Computer usage, and
(4) Security knowledge. But, these metrics are not consistently used
in all the studies. In this discussion session we plan to examine
various metrics that can be used to quantify or classify technical
knowledge. We plan to present the metrics that have been used in
previous studies and plan to get some consensus on the metrics during
the session.
Serge Egelman is a PhD candidate in the School of Computer Science
at Carnegie Mellon University. His research is on usable privacy and
security, and his dissertation focuses on creating more effective web
browser security indicators. His recent paper, "You've Been Warned:
An Empirical Study of The Effectiveness of Web Browser Phishing
Warnings," received an honorable mention at CHI this year. Serge has
interned at Xerox PARC and Microsoft Research. His hobbies include
building things, taking things apart, and trying to graduate.
Ponnurangam Kumaraguru (PK) is a Ph.D. candidate in the COS
(Computation Organization and Society) program within the School of
Computer Science at Carnegie Mellon University. His research interests
include building systems to educate users to make better trust
decisions, trust modeling, and international cyber security and privacy
issues (specifically in India). PK is currently working on an NSF
funded project - Supporting Trust Decisions. PK's current research
aims at modeling trust behavior of users while using the Internet and
making use of the model to build training systems such as "PhishGuru"
and "Anti-Phishing Phil."
HCI-SEC Research, Private Data, and complying with the Common Rule
Moderator: Simson Garfinkel, Naval Postgraduate School
Even if you aren't working with living breathing human subjects,
your work into security and usability could easily require that you
involve your organization's Institutional Review Board (IRB). That's
because 45 CFR 46, the Common Rule, covers not just the use of humans
in experimental research but the use of data generated by humans under
many circumstances. In this discussion we will explore some of the
ways that federal regulations may read on research, alternative
interpretations, and formulate an agenda for change.
Simson L. Garfinkel is an Associate Professor at the Naval
Postgraduate School in Monterey, California, and a fellow at the
Center for Research on Computation and Society at Harvard
University. His research interests include computer forensics, the
emerging field of usability and security, personal information
management, privacy, information policy and terrorism. He is also a
member of the NPS IRB.
Balancing Security, Usability and Cost
Moderator: Ehab Al-Shaer, DePaul University
The main objective of deploying security in IT networks is to
minimize risks of compromising or interrupting network
services. However, deploying effective security requires dealing with
a number of critical trade-offs, including risk, flexibility, performance
and cost. For instance, unbalanced security may cause unnecessary
restrictions in service deployment or user accessibility, a large increase
in network delay, and/or unjustified budget cost. Thus, due to the lack of
theoretical foundations and experimentation in this area, achieving
cost-effective security configuration is very challenging. As a
result, most existing practice, even by expert IT administrators,
is ad hoc, causing errors and instability. This panel will address
many of the important issues in this area, including:
- What are the main factors of security risk? How can they be defined and measured objectively?
- How should existing countermeasures be taken into account when estimating residual risk?
- Although performance is well-defined, metrics for flexibility and cost are not far from being realized.
- How can security configuration be optimized to achieve balanced, cost-effective security? Are there scalability issues here?
- How can security configuration be automatically optimized to track dynamic changes in risk?
- How would a solution be envisioned in multi-domain networks, where domains often have conflicting objectives and independent administration?
- How would this framework be exposed to end users so that it is easy to use and manage?
Ehab Al-Shaer is an Associate Professor and the Director of the
Security & Multimedia Networking Research Lab (SMNLAB) in the School
of Computer Science, Telecommunications and Information System at
DePaul University. His primary research areas are Firewalls,
configuration management, and fault diagnosis. Prof. Al-Shaer is
Co-Editor of 6 books in the area of automated configuration
management, multimedia networking, and end-to-end monitoring. He has
published more than 80 refereed chapters, journal articles, and
conference papers. Prof. Al-Shaer has served as a Program Co-chair for
a number of well-established conferences in his research area, including
Automated Network Management (ANM-INFOCOM 2008), POLICY 2008,
Integrated Management (IM 2007), MMNS 2001, and E2EMON 2004-2005. He
is also the General Chair for the 16th ACM Conference on Computer and
Communications Security (CCS), held in Chicago in 2009 and
2010. Prof. Al-Shaer has been actively involved in many conferences in
his area, including CCS, INFOCOM, ICNP, IM/NOMS, POLICY, and others.
His research is supported by NSF, Intel, Cisco and Sun
Microsystems.
SOUPS is sponsored by Carnegie Mellon CyLab.