Page 1
Science of Security Lablet
Understanding & Accounting Human Behavior
Towards a Scientific Basis for User Centric Security Design
Presented by Zach Jorgensen [1]
PIs: Ting Yu [1], Ninghui Li [2] and Robert Proctor [2]
[1] North Carolina State University; [2] Purdue University
Page 2
SECURE + USABLE
Page 3
Page 4
1. Reduce: Ask users for security decisions sparingly
2. Simplify: Ask questions that a user can understand
Page 5
3. Active: Avoid putting users on the spot to make security decisions
4. Safe: Do not provide the user with an easy and insecure way out
Page 6
CodeShield
Personalized Application Whitelisting
Image from: www.psdgraphics.com
Page 7
Normal Mode: only execute white-listed code
Installation Mode: execute all software
Executed = added to whitelist
Page 8
1. Reduce: “do I want to add new software now?”
2. Simplify: closely matches how typical users understand their actions.
Page 9
3. Active: user must explicitly trigger installation mode.
4. Safe: not allowing new code is the easiest action.
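As an added illustration of the two-mode whitelisting described on the CodeShield slides (this is example code written for this page, not CodeShield's own implementation), the Python model below identifies executables by content hash, admits only whitelisted hashes in normal mode, and records everything that runs while installation mode is active; the sample "binaries" are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class TwoModeWhitelist:
    """Toy model of CodeShield's two execution modes (added example, not
    the project's code). Executables are identified by content hash."""
    whitelist: set = field(default_factory=set)
    installation_mode: bool = False  # Safe: the restrictive mode is the default

    @staticmethod
    def fingerprint(code: bytes) -> str:
        # Hash the bytes, not the file name, so a modified copy of a
        # whitelisted program does not inherit its entry.
        return hashlib.sha256(code).hexdigest()

    def enter_installation_mode(self) -> None:
        # Active: only an explicit user action switches modes.
        self.installation_mode = True

    def leave_installation_mode(self) -> None:
        self.installation_mode = False

    def request_execution(self, code: bytes) -> bool:
        """Return True if the executable is allowed to run."""
        digest = self.fingerprint(code)
        if self.installation_mode:
            # Installation mode: execute everything, and whatever
            # executes is added to the whitelist.
            self.whitelist.add(digest)
            return True
        # Normal mode: only whitelisted code executes.
        return digest in self.whitelist


def scenario() -> dict:
    """Walk through a constructed install-then-use sequence."""
    policy = TwoModeWhitelist()
    editor = b"constructed sample: text editor v1"
    tampered = b"constructed sample: text editor v1 with modified bytes"
    unknown = b"constructed sample: program the user never installed"
    results = {}
    results["unknown_in_normal_mode"] = policy.request_execution(editor)
    policy.enter_installation_mode()  # the user decides to add software now
    results["install_editor"] = policy.request_execution(editor)
    policy.leave_installation_mode()
    results["editor_after_install"] = policy.request_execution(editor)
    results["tampered_editor"] = policy.request_execution(tampered)
    results["unknown_after_install"] = policy.request_execution(unknown)
    return results
```

Note that the same binary is denied before installation mode and allowed afterwards, while a modified copy and a never-installed program stay blocked once the user returns to normal mode.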
Page 10
• Switch – Median: 17
• Reboot – Median: 3.5
Page 11
Risk Communication in Mobile Devices
Page 12
1. No risk information until after the decision is made
2. The same permissions screen is shown for all apps
Page 13
3. Does not actively discourage risky behavior
4. Not personalized
Page 14
Risk Scores
Page 15
Generating Risk Scores
Page 16
Risk scores lead to better decisions…
Page 17
[Chart: Decision Time for Installing an App (Risk/Safety Level Only). Y-axis: Response Time (ms), ticks from 430 to 590; X-axis: Medium-Risk/Safety vs. Low-Risk/High-Safety; series: Risk Condition, Safety Condition.]
Page 18
Discouraging Risky Actions via Installation Hurdles
Page 19
Tapping Into Other Sources of Risk Information
Page 20
Collaboration Opportunities
• Usable security mechanisms
• Usable interfaces
• Communicating risk information
• User studies