Sacha Brostoff scite author profile

The security research community has recently recognised that user behaviour plays a part in many security failures, and it has become common to refer to users as the "weakest link in the security chain". We argue that simply blaming users will not lead to more effective security systems. Security designers must identify the causes of undesirable user behaviour, and address these to design effective security systems. We present examples of how undesirable user behaviour with passwords can be caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation. We conclude that existing Human-Computer Interaction (HCI) knowledge and techniques can be used to prevent or address these problems, and outline a vision of a holistic design approach for usable and effective security.

show abstract

Are Passfaces More Usable Than Passwords? A Field Trial Investigation

Brostoff

Sasse

2000

285

164

View full text Add to dashboard Cite

Shoulder surfing defence for recall-based graphical passwords

et al. 2011

View full text Add to dashboard Cite

Graphical passwords are often considered prone to shouldersurfing attacks, where attackers can steal a user"s password by peeking over his or her shoulder in the authentication process. In this paper, we explore shoulder surfing defence for recall-based graphical password systems such as Draw-A-Secret and Background Draw-A-Secret, where users doodle their passwords (i.e. secrets) on a drawing grid. We propose three innovative shoulder surfing defence techniques, and conduct two separate controlled laboratory experiments to evaluate both security and usability perspectives of the proposed techniques. One technique was expected to work to some extent theoretically, but it turned out to provide little protection. One technique provided the best overall shoulder surfing defence, but also caused some usability challenges. The other technique achieved reasonable shoulder surfing defence and good usability simultaneously, a good balance which the two other techniques did not achieve. Our results appear to be also relevant to other graphical password systems such as Pass-Go.

show abstract

Untitled

Sasse¹,

Brostoff²,

Weirich³

2001

440

View full text Add to dashboard Cite

Would You Sell Your Mother’s Data? Personal Data Disclosure in a Simulated Credit Card Application

Malheiros

Brostoff

Jennett

et al. 2013

View full text Add to dashboard Cite

To assess the risk of a loan applicant defaulting, lenders feed applicants" data into credit scoring algorithms. They are always looking to improve the effectiveness of their predictions, which means improving the algorithms and/or collecting different data. Research on financial behavior found that elements of a person"s family history and social ties can be good predictors of financial responsibility and control. Our study investigated how loan applicants applying for a credit card would respond to questions such as "Did any of your loved ones die while you were growing up?" 48 participants were asked to complete a new type of credit card application form containing such requests as part of a "Consumer Acceptance Test" of a credit card with lower interest rates, but only available to "financially responsible customers." This was a double-blind studythe experimenters processing participants were told exactly the same. We found that: (1) more sensitive items are disclosed less often -e.g. friends" names and contact had only a 69% answer rate; (2) privacy fundamentalists are 5.6 times less likely to disclose data; and (3) providing a justification for a question has no effect on its answer rate. Discrepancies between acceptability and disclosure were observed -e.g. 43% provided names and contact of friends, having said they found the question unacceptable. We conclude that collecting data items not traditionally seen as relevant could be made acceptable if lenders can credibly establish relevance, and assure applicants they will be assessed fairly. More research needs to be done on how to best communicate these qualities.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Sacha Brostoff

Transforming the 'Weakest Link' - a Human-Computer Interaction Approach to Usable and Effective security

Are Passfaces More Usable Than Passwords? A Field Trial Investigation

Shoulder surfing defence for recall-based graphical passwords

Untitled

Would You Sell Your Mother’s Data? Personal Data Disclosure in a Simulated Credit Card Application

Contact Info

Product

Resources

About