On context in authorization policy
Proceedings of the eighth ACM symposium on Access control models and technologies
User interfaces for privacy agents
ACM Transactions on Computer-Human Interaction (TOCHI)
Why Johnny can't encrypt: a usability evaluation of PGP 5.0
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
The Emperor's New Security Indicators
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Analysis of the SSL 3.0 protocol
WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
| Hi-index | 0.00 |
Computer systems security area has received increased attention from both academics and in industry. However, recent work indicates that substantial security gaps emerge when systems are deployed, even with the use of state-of-the-art security protocols. Our findings suggest that wide-spread security problems exist even when protocols such as SSL and SSH are deployed because systems today do not give security warnings properly or make it trivial for users to bypass them. Even when these protocols are deployed correctly, systems often leave themselves vulnerable to social-engineering attacks as an artifact of their design. In one of our studies, we examined the web sites of 706 financial institutions and found over 90% of them to have made poor design choices when it comes to security, even though all deployed SSL for communicating passwords and doing transactions. In another study, we examined the usage of SSH within our own department and found that most users would be susceptible to a man-in-the-middle attack. Based on our studies, we postulate that some of the most interesting challenges for security researchers and practitioners lie at the intersection of security theory, their application to practice, and user behavior. We point out some of those challenges and hope that the research community can help address them.