User-Centered Security: Stepping Up to the Grand Challenge

Zurko, Mary Ellen

doi:10.1109/csac.2005.60

Cited by 50 publications

(38 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These limitations can lead to "failures" of automation that are not only technical (i.e., when the automation system simply stops working, for example), but are also failures of meeting the actual needs of the users. We further contend that such failures to meet users' needs are not simply annoying nuisances, but rather are at the heart of many of the problems described under the rubric of "usable security" [53]. We therefore ask, "To what extent is it appropriate to automate security for end-users?…”

Section: Introductionmentioning

confidence: 99%

Security automation considered harmful?

Edwards

Poole

Stoll

2008

Proceedings of the 2007 Workshop on New Security Paradigms

View full text Add to dashboard Cite

End-users are often perceived as the weakest link in information security. Because of this perception, a growing body of research and commercial activity is focused on automated approaches to security. With these approaches, security decisions are removed from the hands of the users, and are placed instead in systems themselves, or in remote services or organizations that establish policies that are automatically enforced. We contend that although security automation is potentially beneficial in theory, in practice it is not a panacea for end-user information security. A number of technical and social factors mitigate against the acceptance and efficacy of automated end-user security solutions in many cases. In this paper, we present a discussion of the inherent limitations of automating security for end-users. We then discuss a set of design guidelines for choosing whether to automate end-user security systems. We conclude with a set of research directions focused on increasing the acceptance and efficacy of security solutions for end-users.

show abstract

Section: Introductionmentioning

confidence: 99%

Security automation considered harmful?

Edwards

Poole

Stoll

2008

Proceedings of the 2007 Workshop on New Security Paradigms

View full text Add to dashboard Cite

show abstract

“…This is particularly true when the user is part of a larger organizational structure involving a variety of users where the overall organizational security is at stake [8]. Also, since it is the user who will be deploying and using the technical solutions and preventive measures that are in place, a system cannot be protected through considering technical solutions in isolation [9], [10], [11], [12]. For addressing user-related security issues, user awareness has been observed to be a key factor [2], [13], [14], [15].…”

Section: Introductionmentioning

confidence: 99%

The security awareness paradox: A case study

Tariq¹,

Brynielsson²,

Artman³

2014

2014 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2014)

View full text Add to dashboard Cite

Abstract-Knowledge-intensive organizations are characterized by their dependency on highly skilled personnel who perform their daily work in a decentralized manner. In these organizations it is the users who make the important decisions, and therefore the organization's information security awareness is upheld by and depends on its users' combined security awareness. To assess the overall organizational security awareness it therefore becomes interesting to assess both the users' individual level of security awareness, as well as their level of consistency and conformity with regard to other users' awareness.In the present case study, 15 semi-structured interviews have been undertaken within a large telecommunication company in order to understand how significant IT security aspects are understood within the organization. The study highlights a number of perception differences where the technical IT staff and the ordinary users do not share the same understanding. It is suggested that these perception differences result from a paradoxical situation where the users' possibility to uphold security awareness is hindered because of security concerns.

show abstract

“…For the user to be able to apply security in their day-to-day activities, they need to understand security in their own context of use. In [3] the author points to the need to understand user behavior in terms of security in order to improve the security of a system. Further, the author argues that phrasing the system security requirements in terms of user mental models can be beneficial, but that there is no framework that could be applied to achieve such goals.…”

Section: Introductionmentioning

confidence: 99%

Framing the Attacker in Organized Cybercrime

Tariq

Brynielsson

Artman

2012

2012 European Intelligence and Security Informatics Conference

View full text Add to dashboard Cite

Abstract-When large values are at stake, the attacker and the attacker's motives cannot be easily modeled, since both the organization at stake and the possible attackers are unique and have complex motives. Hence, rather than using stereotypical attacker models, recent work proposes realistic profiling of the opponent by the use of user-centered design principles in form of the persona methodology.Today, cybercrime is often organized, i.e., attacks are planned and executed by an organization that has put together a tailormade team consisting of the necessary skills for the task. The actual individuals taking part in the attack might not be aware of or interested in the overall organizational motives. Rather, taking motives behind espionage, fraud, etc., into account requires consideration of the attacking organization rather than the individuals. In this paper, based on interviews with IT security experts, we build on the attacker persona methodology and extend it with methodology to also handle organizational motives in order to tackle organized cybercrime. The resulting framework presented in the paper extends the attacker persona methodology by also using narratives in order to assess the own organization's security. These narratives give rise to intrigue sketches involving any number of attacker personas which, hence, make it possible to take organized cybercrime into account.

show abstract

User-Centered Security: Stepping Up to the Grand Challenge

Abstract: Abstract

Cited by 50 publications

References 30 publications

Security automation considered harmful?

Security automation considered harmful?

The security awareness paradox: A case study

Framing the Attacker in Organized Cybercrime

Contact Info

Product

Resources

About