Time for another challenge. Today, I’d like to describe what I call the “Simon Says” problem.
A Simon Says problem occurs when the safe course of action requires the user to respond to the absence of a stimulus.
From time to time, I’ll highlight some of the special challenges faced by designers of usable security. Let’s start with a fairly obvious problem that’s often exploited in security attacks on people:
The “Obedience to Authority” problem occurs when the safe course of action requires the user to reject or contravene an apparently authoritative command.
“Obedience [...]
Hurrah! There is another blog out there on security and usability. (And by another Canadian, to boot.) Thanks for dropping by; I look forward to reading more and hope we can have some interesting and productive discussions.
71% of office workers stopped in the London Underground seemed willing to give their password in exchange for a chocolate bar, but we don’t know if those passwords were real. MailFrontier ran an online phishing IQ test, but it’s not externally valid because the user has the wrong primary task.
Rob Miller highlighted three challenges [...]
This talk discussed the effects of social indicators, such as crowds, empty spaces, or traces left behind by the presence of people, on user’s security decisions. Sometimes people follow the norm they observe, and sometimes they intentionally avoid the popular choice. Inspired by an earlier study demonstrating that users unintentionally shared sensitive files [...]
This paper talks about ways that data can be engineered to defeat information visualization tools that administrators may be using. The speaker, Greg Conti, showed us a visualization tool for IP packets called rumint that he’s developing for use at DEFCON.
This paper proposes a scheme called Dynamic Security Skins to combat phishing.
Rachna calls phishing the “ultimate SOUPS problem” because phishers and security designers battle in the user interface, because attacks are rapidly evolving, and because it’s a real-world problem. Phishers rapidly iterate on HCI designs, exactly as we are taught to do in HCI, [...]
This morning’s panel compared the design of usable security for end users and for security administrators. Kosta Beznosov introduced the panel and raised the question of the boundary between users and administrators: what about systems where users are responsible for some amount of self-administration? Mary Ellen Zurko extended the comparison to three groups: [...]
There is a YahooGroups mailing list for people interested in HCI and security issues.
Information can be found at http://groups.yahoo.com/group/hcisec/
I spent quite a few years building early community access systems and conducting public training sessions about the wonders of the Internet (see the National Capital FreeNet).
With today’s serious problems that we have been discussing, including viruses, spyware, trojans, phishing, browser hijacking, etc., I am left worndering if, at least for the time being, my [...]
During the talk on PassPoints, it occurred to me that it might be interesting to combine some of those ideas with user-selected images (inspired by the work on Dynamic Security Skins).
One concern that was mentioned about PassPoints was that the images may guide people to commonly choose the same points, leading to guessable passwords. [...]
This paper describes a study that tested how and when people chose to reveal their location information using a mobile phone. From time to time users would receive messages requesting their location and they could choose how and whether to reply. The phone also offered automatic disclosure functions (to periodically send location information [...]