The security research community has recently recognised that user behaviour plays a part in many security failures, and it has become common to refer to users as the "weakest link in the security chain". We argue that simply blaming users will not lead to more effective security systems. Security designers must identify the causes of undesirable user behaviour, and address these to design effective security systems. We present examples of how undesirable user behaviour with passwords can be caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation. We conclude that existing Human-Computer Interaction (HCI) knowledge and techniques can be used to prevent or address these problems, and outline a vision of a holistic design approach for usable and effective security.
HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing change frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use.
Online shoppers are targeted by many scams. To date, user education on phishing has tried to persuade them to check URLs and a number of other indicators, with limited success. We evaluated a novel anti-phishing tool in a realistic setting: participants had to buy tickets under time pressure, and lost money if they bought from bad sites. While none of our participants bought from sites the tool clearly identified as bad, 40% of participants risked money with sites flagged as potentially risky, but offering "bargains". The analysis of post-session interviews with participants revealed that, when tempted by a "good deal", they did not focus on the warnings. Rather, they looked for signs they thought confirmed a site's trustworthiness: familiar designs or brands, trust seals, ads, references to social networking sites and professional-looking design were mentioned as reliable indicators of a legitimate site. We argue that user education needs to focus on challenging and correcting the misconceptions that guide current user behavior, and present an outline of such an approach.
A.Sasse@cs.ucl.ac.uk
There is currently much discussion of Quality of Service (QoS) measurements at the network level of real-time multimedia services, but it is the subjective quality perceived by the user that will determine whether these applications are adopted. This paper argues that ITU-recommended methods for subjective quality assessment of audio and video are not suitable for assessing the quality of many newer services and applications. We present an outline of what we believe to be a more suitable testing methodology, which acknowledges the multidimensional nature of perceived audio and video quality.