A stealth approach to usable security: helping IT security managers to identify workable security solutions

Authors:
Simon Parkin;Aad van Moorsel;Philip Inglesant;M. Angela Sasse
Affiliations:
Newcastle University, Newcastle, United Kingdom;Newcastle University, Newcastle, United Kingdom;University College London, London, United Kingdom;University College London, London, United Kingdom
Venue:
Proceedings of the 2010 workshop on New security paradigms
Year:
2010

Citing 24
Cited 4

The dynamic HomeFinder: evaluating dynamic queries in a real-estate information exploration system

SIGIR '92 Proceedings of the 15th annual international ACM SIGIR conference on Research and development in information retrieval
User-centered security

NSPW '96 Proceedings of the 1996 workshop on New security paradigms
Users are not the enemy

Communications of the ACM
Information security is information risk management

Proceedings of the 2001 workshop on New security paradigms
Transforming the 'Weakest Link' — a Human/Computer Interaction Approach to Usable and Effective Security

BT Technology Journal
PassPoints: design and longitudinal evaluation of a graphical password system

International Journal of Human-Computer Studies - Special isssue: HCI research in privacy and security is critical now
Pass-thoughts: authenticating with our minds

NSPW '05 Proceedings of the 2005 workshop on New security paradigms
A large-scale study of web password habits

Proceedings of the 16th international conference on World Wide Web
Déjà Vu: a user study using images for authentication

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Why Johnny can't encrypt: a usability evaluation of PGP 5.0

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
A scalable signature scheme for video authentication

Multimedia Tools and Applications
Seeing is believing: designing visualizations for managing risk and compliance

IBM Systems Journal
A human activity approach to user interfaces

Human-Computer Interaction
Guidelines for designing IT security management tools

Proceedings of the 2nd ACM Symposium on Computer Human Interaction for Management of Information Technology
The compliance budget: managing security behaviour in organisations

Proceedings of the 2008 workshop on New security paradigms
A comprehensive simulation tool for the analysis of password policies

International Journal of Information Security
An information security ontology incorporating human-behavioural implications

Proceedings of the 2nd international conference on Security of information and networks
Musipass: authenticating me softly with "my" song

NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
So long, and no thanks for the externalities: the rational rejection of security advice by users

NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
The true cost of unusable password policies: password use in the wild

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Shoulder-surfing resistance with eye-gaze entry in cued-recall graphical passwords

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Semantics for structured systems modelling and simulation

Proceedings of the 3rd International ICST Conference on Simulation Tools and Techniques
A collaborative ontology development tool for information security managers

Proceedings of the 4th Symposium on Computer Human Interaction for the Management of Information Technology
Strategy: Got what it takes to be a CISO?

Infosecurity

Reducing normative conflicts in information security

Proceedings of the 2011 workshop on New security paradigms workshop
Rational security: Modelling everyday password use

International Journal of Human-Computer Studies
A Proposed Architecture for Autonomous Mobile Agent Intrusion Prevention and Malware Defense in Heterogeneous Networks

International Journal of Strategic Information Technology and Applications
Designing interactive secure system: chi 2013 special interest group

CHI '13 Extended Abstracts on Human Factors in Computing Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Recent advances in the research of usable security have produced many new security mechanisms that improve usability. However, these mechanisms have not been widely adopted in practice. In most organisations, IT security managers decide on security policies and mechanisms, seemingly without considering usability. IT security managers consider risk reduction and the business impact of information security controls, but not the impact that controls have on users. Rather than trying to remind security managers of usability, we present a new paradigm -- a stealth approach which incorporates the impact of security controls on users' productivity and willingness to comply into business impact and risk reduction. During two 2-hour sessions, 3 IT security managers discussed with us mock-up tool prototypes that embody these principles, alongside a range of potential usage scenarios (e.g. cloud-based password-cracking attacks and "hot-desking" initiatives). Our tool design process elicits findings to help develop mechanisms to visualise these tradeoffs.