
Module 1: Usability and Information Security Systems


Presentation Transcript


  1. Module 1: Usability and Information Security Systems Azene Zenebe, Ph.D. Claude Turner, Ph.D. Lola Staples, M.Sc.

  2. Presentation Outline • Introduction • Usability and Usability Measures • Security Systems • Usability of Security Systems • What? • Challenges? • Framework for studying Usability • Aligning Security and Usability • Summary

  3. Overview The interdisciplinary study of integrating the principles of usability with current methods of computer and information security calls for: • Foundation concepts connecting usability principles with computer and information security systems • Defining the need for usable security systems • Meeting the challenges associated with usable security systems

  4. Overview • Competing issues between usability and security • Usability in security vs. usability in other systems • Laying the framework for studying usability • Exploring the theoretical framework for human capability and behavior as it relates to computer and information security systems (CISS) • Overview of the topics covered by other modules

  5. Learning Objectives and Outcomes • After completing this module, you should be able to: • Describe the concepts and factors of usability • Describe the concepts of computer and information security systems (CISS)

  6. Learning Objectives and Outcomes (Continued) • Describe the importance of usability for Computer and information security systems (CISS) • Describe the needs and challenges associated with usable security systems • Explain the framework for studying usability and CISS • Describe the factors that affect usability of CISS

  7. Introduction • The greater the complexity of a CISS, the more difficult it is to use. • Because of human errors and cognitive limitations, security threats propagate • during installation • during configuration • during routine use • during routine maintenance of security systems

  8. What is Usability? • According to ISO 9241-11, “Usability refers to the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use.” • Key factors • efficiency • satisfaction • effectiveness

  9. Usability Defined with Quality • According to Step-by-Step Usability Guide, Usability refers to: “The quality of a user’s experience when interacting with a product or system …” • A system could be: • a Web site, a software application • mobile technology, or any user operated device

  10. Usability Definition Similarities Both usability definitions focus on: • the users, • tasks, • products or systems, • the context in which the product or system is used, and • several measures of the user’s experience • efficiency, satisfaction, effectiveness, etc.

  11. Usability measures How is usability measured in CISS? • Usability is not a single, one-dimensional system property but a combination of measurable factors • Usability can be measured by using specified factors. • There are six usability measuring factors

  12. Usability Measures There are six usability measuring factors • Ease of learning How fast can a novice user learn security system basic tasks? • Efficiency of use Once learned, how fast is a task accomplished? • Memorability Once used, how much is remembered?

  13. Usability Measures • Effectiveness What is the quality or quantity of completed task output? • Error frequency and severity How often does the user make errors while using the system? Are the errors serious? How are error recoveries handled? • Subjective satisfaction How much does the user like using the system?
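As an added worked example (not part of the slides), the six measures from slides 12 and 13 computed over a constructed set of study attempts at one security task; the Attempt fields, the sample numbers and the acceptance thresholds are assumptions made for the illustration:

```python
from dataclasses import dataclass
from statistics import mean

# Constructed study data (hypothetical): every Attempt is one participant's try at the
# same security task, here "add a firewall rule that blocks inbound telnet".
@dataclass
class Attempt:
    user: str
    session: int       # 1 = first exposure (novice), 2 = return visit a week later
    seconds: float     # time to finish or give up
    completed: bool    # output met the acceptance criteria (rule present and correct)
    errors: int        # slips and mistakes observed by the facilitator
    severe: int        # subset of errors that weakened security (e.g. rule left permissive)
    satisfaction: int  # post-task rating, 1 (dislike) to 5 (like)

ATTEMPTS = [
    Attempt("u1", 1, 240, True, 2, 0, 3),  Attempt("u1", 2, 90, True, 0, 0, 4),
    Attempt("u2", 1, 300, False, 4, 1, 2), Attempt("u2", 2, 150, True, 1, 0, 3),
    Attempt("u3", 1, 180, True, 1, 0, 4),  Attempt("u3", 2, 60, True, 0, 0, 5),
]

def usability_metrics(attempts):
    """Six measures for one task: lower times and error figures are better, higher rates
    and satisfaction are better."""
    first = [a for a in attempts if a.session == 1]
    later = [a for a in attempts if a.session == 2]
    total_errors = sum(a.errors for a in attempts)
    return {
        # Ease of learning: time a novice needs to complete the task on first exposure.
        "ease_of_learning_s": mean(a.seconds for a in first if a.completed),
        # Efficiency of use: time once the task has been learned, i.e. on the return visit.
        "efficiency_s": mean(a.seconds for a in later if a.completed),
        # Memorability: share of returning users who redo the task with no errors.
        "memorability": sum(a.completed and a.errors == 0 for a in later) / len(later),
        # Effectiveness: share of all attempts that produced an acceptable result.
        "effectiveness": sum(a.completed for a in attempts) / len(attempts),
        # Error frequency and severity: errors per attempt, and the fraction that were severe.
        "errors_per_attempt": total_errors / len(attempts),
        "severe_error_share": sum(a.severe for a in attempts) / total_errors if total_errors else 0.0,
        # Subjective satisfaction: mean post-task rating.
        "satisfaction": mean(a.satisfaction for a in attempts),
    }

# Acceptance thresholds are hypothetical; a real study sets them per task and user group.
THRESHOLDS = {"effectiveness": 0.9, "memorability": 0.8, "satisfaction": 4.0}

def failing_measures(metrics, thresholds=THRESHOLDS):
    """Name the measures below their threshold; any security-weakening error always fails."""
    failed = [k for k, floor in thresholds.items() if metrics[k] < floor]
    if metrics["severe_error_share"] > 0:
        failed.append("severe_error_share")
    return sorted(failed)
```

Calling `failing_measures(usability_metrics(ATTEMPTS))` on the constructed data flags effectiveness, memorability, satisfaction and the severe error share, which is the kind of per-dimension reading the slides ask for rather than a single usability score.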

  14. Quick Quiz • Explain the meaning of usability. • What are the different dimensions of usability? • In your opinion, which of the factors are the most important for CISS? Do you think the answer depends on the type of systems or products?

  15. Computer Security Defined Computer security is formally defined in the Oxford English Dictionary as: “Measures and controls that ensure confidentiality, integrity and availability of IS assets including hardware, software, firmware and information being processed, stored and communicated.”

  16. What about Information Assurance (IA)? • According to the US Nat’l Information Assurance Glossary, IA is defined as: “measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.”

  17. CISS vs. IA The terms Computer Information Security System and Information Assurance are often used interchangeably; however: • CISS is concerned with the security of computer systems and their stored data. • IA is considered to be a superset of CISS. IA includes all aspects of information systems and is cross-disciplinary.

  18. Security Control Measures • Security Control Measures are used to protect information, and computer and information systems. • Security control measures include: • policy and law • technology-based or Technical controls • education, training and awareness programs

  19. Technical Control • Prevents unauthorized users from accessing data, information, applications and operating systems, and network systems • Examples: • Access Control Technology • Cryptography Technology

  20. Access Control Technology • Access Control Technology (ACT) is mainly used to identify, authenticate, authorize and ensure accountability. • ACT is designed to prevent unauthorized users from accessing information. • ACT technologies include: • Passwords, passphrases, tokens, smart cards • Bio-recognition • fingerprint, retinal, iris, or voice recognition • Signature recognition

  21. Technical Control • Cryptography Technology • Symmetric-key vs. public-key cryptography • Cryptosystems include RSA encryption, digital signatures, digital certificates, PGP, etc. • Other technical controls are: • Anti-virus and anti-spyware • Systems’ patches and upgrades • Firewalls, Intrusion Detection & Prevention Systems (IDPS)

  22. Technical Control • These technical controls are complex systems. • Threats may arise at any time from human cognitive limitations and from errors made while installing, configuring, using and maintaining these technical controls.

  23. Security Policy Rules Computer and information security policies provide the needed rules for • Protection of computers • Protection of information assets

  24. Security Policies (Continued) The Nat’l Institute of Science and Technology presents three types of policies: • Enterprise Information Security Policies (EISP) • Issue-Specific Security Policies (ISSP) • Systems-Specific Security Policies (SSSP)

  25. Security Policies • Employees and users are expected to comply with the rules and requirements specified in the policies. • Studies found that security policies are not easy to locate, read and comprehend. • This creates associated usability challenges, covered in the teaching materials for the Usability of Security Policy topic.

  26. Quick Quiz • 1. What are the three different security controls and measures? • 2. Describe the different types of security systems. Give examples of hardware, software or hybrid security controls and measures. • 3. Describe an information security policy.

  27. Usability of Computer and Information Security Systems • Usability can be studied for three types of systems (see figure): • The traditional focus on Computer Information Systems (CIS), e.g. financial software; • Focus on security systems such as firewall; and • Focus on secured CIS such as a network protected by a firewall.

  28. Sphere of Usability (figure: Security Systems, Computer Information Systems and Secured CIS, with the corresponding areas Usability of SS, Usability of CIS and Usability of Secured CIS)

  29. Usable Security Systems • Computer and Information Security Systems are usable if users • Easily and quickly learn a security system they have not previously seen, to accomplish basic tasks like • Install, configure, patch and take action on alerts • Can remember enough to use it later without major costs, training, etc. • Can effectively perform and complete supported security tasks • Do not make frequent errors, but if errors occur… • Can the user recover easily? • Are satisfied with the interface and functions of the system?

  30. Usable Security Systems - Examples Example - Usable PGP: “If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP’s current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?” (Whitten & Tygar, 1998b, pp. 7)

  31. Usability in Security vs. in Other Systems • Security system users must avoid making a variety of dangerous errors, because once those errors are made, it is difficult or impossible to reverse their effects. • Security is a secondary goal and users are not motivated. • User interface design for security will need to take security policies into account. • Users need to be guided to attend to all aspects of their security, not left to proceed through random exploration.

  32. Usability Challenges • Usability issues can be looked at in two areas: • Interface components • associated with the command prompt or GUI • Functional components • associated with the design, implementation, deployment and maintenance of security systems

  33. Usability Challenges • Schneier, a leading security expert, states: “… to the average home user, security is an intractable problem… there are a dizzying array of rules, options, and choices that users have to make, e.g., How should they configure their anti-virus program? What sort of backup regime should they employ? What are the best settings for their wireless network?” • “… home users’ computers are not secured because they do not know how to secure them.”

  34. Usability Challenges (Cont.) • Research (e.g. Payne & Edwards, 2008) indicates that the problems of using security products go beyond the interface. • The most elegant and intuitively designed interface does not improve security if users… • ignore warnings • choose poor settings, or • unintentionally subvert corporate policies (Rayn, 2008).

  35. Usability Challenges (Cont.) Is this interface usable? The user may not be qualified to make the right decision.

  36. Usability Challenges (Cont.) Security Dialogue using Mozilla Firefox

  37. Usability Challenges (Cont.) • Security dialogue screens often offer confusing choices for the novice user. • Security packages such as anti-virus, and anti-spyware and firewalls are intentionally noisy…users get frustrated and may turn off. • Public key cryptography is nearly 30 years old and can secure electronic mail but it is not widely used.

  38. Usability Challenges (Cont.) • IE Security Options are complex for novice users • IE offers several confusing options

  39. Usability Challenges Security & critical updates for Windows OS

  40. Usability Challenges

  41. Usability and Security • Usability advocates: Let’s make it easy to use a system… no special access procedures required. • Security people: Let’s make it difficult for unauthorized users to access a system… special access procedures required.

  42. Usability and Security (Cont.) • Security should not obstruct computer usability as has traditionally been done! It affects productivity. • Usability: Make security control measures usable! It improves security by mitigating threats that arise from human errors and cognitive limitations.

  43. Usability and Security (Cont.) • Usability means designing and building computer information systems that can be easily and efficiently used. • Never compromise security to make computer systems easy to use. • How is a balance achieved?

  44. Usability and Security (Cont.)

  45. Aligning Security and Usability • How do we strike a better balance between usability and security? • Security and usability requirements differ when building systems, but BOTH must be satisfied. • Therefore, both security and usability requirements must be considered from the very beginning of the Systems Development Project.

  46. Quick Quiz 1. Describe the three types of systems for which usability can be studied. 2. What are the distinguishing features of usability in security systems compared to usability of OSs or CIS? 3. Describe what a usable security system means. 4. What are the different challenges associated with usability of security systems?

  47. Quick Quiz (Cont.) 5. Compare and contrast the usability challenges associated with the functional and interface components of security systems. 6. Describe the competing issues between usability and security. 7. How can one balance the need for usability and security?

  48. Framework for Studying Usability of Security Systems The four principal components in a human-machine system: • Tool - refers to CISS • User - who? what is the users’ expertise? • Task - what the system will be used for • Environment - where the task is performed • Required knowledge base for usable security - knowledge about users, tasks, work context and environment as well as their interactions

  49. Framework for Studying Usability of Security Systems Example: USER - security system users, analysts, developers, administrators, etc. TASK - securing information and systems TOOL - security systems such as a firewall or anti-virus software ENVIRONMENT - at home or at work Usability of security systems depends on the dynamic interplay of these four components

  50. Who are the Users? • Four groups of users are identified by Whitman and Mattord (2004): those who define, those who build, those who administrate, and those who use. • Definers – Those who provide policy, guidelines, and standards • Examples: • chief security officer, security consultants, senior managers, security analysts, developers and managers
