Psychology and Security
Download
Report
Transcript Psychology and Security
PSYCHOLOGY AND SECURITY
Agenda
Tuesday, June 28th
Psychology and Security
Thursday, June 30th
Usable Security
References
Ross Anderson, Security Engineering
Chapter 2 “Usability and Psychology”
Ryan West, “The Psychology of Security”,
Communications of the ACM, April 2008, p3440.
People
Only amateurs attack machines; professionals
target people.
— Bruce Schneier
Many real attacks exploit psychology at least
as much as technology.
Kevin Mitnick, Art of Deception
Phishing
it is much easier for crooks to build a bogus
bank website that passes casual inspection
than it is for them to create a bogus bank in a
shopping mall.
Phishing Examples
US Bank
Amazon
Twitter
Pretexting & Social
Engineering
The most common way for private
investigators to steal personal information is
pretexting — phoning someone who has the
information under a false pretext, usually by
pretending to be someone authorized to be
told it. Such attacks are sometimes known
collectively as social engineering.
Trusting people
Many frauds work by appealing to our
atavistic instincts to trust people more in
certain situations.
Psychological manipulation
As designers learn how to forestall the easier
techie attacks, psychological manipulation of
system users or operators becomes ever
more attractive.
The security engineer simply must
understand basic psychology and ‘security
usability’.
IRS Social Engineering
Fixing the problem is hard. Despite
continuing publicity about pretexting, there
was an audit of the IRS in 2007 by the
Treasury Inspector General for Tax
Administration, whose staff called 102 IRS
employees at all levels, asked for their user
ids, and told them to change their passwords
to a known value. 62 did so.
Policies & Training
It’s not enough for rules to exist; you have to
train all the staff who have access to the
confidential material, and explain to them the
reasons behind the rules.
Research Areas
Information security and psychology
Human-computer interaction (HCI)
Poorly understood by systems developers
Information security and economics
Perception of Risk
Terrorism is largely about manipulating
perceptions of risk.
Many protection mechanisms are sold using
scaremongering.
Cognitive psychology
How we think, remember, and make
decisions.
What makes security harder than safety is
that we have a sentient attacker who will try
to provoke exploitable errors.
Practiced actions
People are trained to click ‘OK’ to pop-up
boxes as that’s often the only way to get
the work done.
Risk Evaluation
Risk and uncertainty are extremely difficult
concepts for people to evaluate.
For designers of security systems, it is
important to understand how users evaluate
and make decisions regarding security.
The most elegant and intuitively designed
interface does not improve security if users
ignore warnings, choose poor settings, or
unintentionally subvert corporate policies.
Risk Evaluation
The user problem in security systems is not
just about user interfaces or system
interaction. Fundamentally, it is about how
people think of risk that guides their
behavior.
Following rules
Starting URLs with the impersonated bank’s
name, as
www.citibank.secureauthentication.com—
looking for the name being for many people a
stronger rule than parsing its position.
Mental Model
Attackers exploit dissonances between users’
mental models of a system and its actual
logic.
A cognitive walkthrough can be aimed at
identifying attack points, just as a code
walkthrough can be used to search for
software vulnerabilities.
Behavioral economics
People’s decision processes depart from the
rational behavior.
The heuristics we use in everyday judgment
and decision making lie somewhere between
rational thought and the unmediated input
from the senses.
Calculating Probabilities
We’re also bad at calculating probabilities,
and use all sorts of heuristics to help us make
decisions:
We also worry too much about unlikely
events.
Many people perceive terrorism to be a much
worse threat than food poisoning or road
traffic accidents.
Problem 1
Read “Users do not think they are at risk” on
page 36 of Ryan West, “The Psychology of
Security”.
Complete Problem 1
Users aren’t stupid, they’re
unmotivated
To conserve mental resources, we generally
tend to favor quick decisions based on
learned rules and heuristics.
It is efficient in the sense it is quick, it
minimizes effort, and the outcome is good
enough most of the time. (cognitive miser)
This partially accounts for why users do not
reliably read all the text relevant in a display
or consider all the consequences of their
actions.
Problem 2
Safety is an abstract concept.
Chose a partner.
Complete Problem #2
Evaluating the security/cost
trade-off
While the gains of security are generally
abstract the cost is real and immediate.
it usually comes with a price paid in time,
effort, and convenience.
Users weigh the cost of the effort against the
perceived value of the gain (safety/security)
and the perceived chance that nothing bad
would happen either way.
Risk aversion
People dislike losing $100 they already have
more than they value winning $100.
Marketers talk in terms of ‘discount’ and
‘saving’ — by framing an action as a gain
rather than as a loss makes people more likely
to take it.
Problem 3
Security as a secondary task.
Losses perceived disproportionately to
gains
With your partner, complete Problem #3.
Principle of Psychological Acceptability
Security Mechanisms should not make the
resource more difficult to access than if the
security mechanisms were not present.
Salzer & Schroeder 1975
Principle of Psychological Acceptability
The security mechanism may add some extra
burden, but that burden must be both
minimal and reasonable.
Every file access requires the user enter his
password?
Password Policies
Many users want to use a simple easy to
remember password. They do not want to
change their password. They write down
their password. They want to use the same
password for all their accounts.
It is a challenge to write a password policy
that is psychologically acceptable and still
provides security.
Airport Security
Is it psychologically acceptable?
How about full body scans and pat downs?
IMPROVING SECURITY COMPLIANCE AND
DECISION MAKING
Reward pro-security behavior.
Users must be motivated to take pro-security
actions.
There must be a tangible reward for making
good security decisions.
One form of reward is to see that the security
mechanisms are working and that the action
the user chose is, in fact, making them safer.
IMPROVING SECURITY COMPLIANCE AND
DECISION MAKING
When an antivirus or antispyware product finds
and removes malicious code. The security
application often issues a notification that it has
found and mitigated a threat.
Improve the awareness of risk
People often believe they are at less risk
compared to others.
Increase user awareness of the risks they
face.
Security messages should be instantly
distinguishable from other message dialogs.
Security messages should look and sound
very different
Catch corporate security policy
violators
Having a corporate security policy that is not
monitored or enforced is tantamount to
having laws but no police.
Security systems should have good auditing
capabilities.
The best deterrent to breaking the rules is not
the severity of consequences but the
likelihood of being caught.
Reduce the cost of implementing
security
To accomplish a task, users often seek the
path of least resistance that satisfies the
primary goal.
Making the secure choice the easiest for the
user to implement, one takes advantage of
normal user behavior and gains compliance.
Reduce the cost of implementing
security
To reduce the cost of security is to employ
secure default settings.
Most users never change the default settings
of their applications.
“Secure by Default” principle.
While good default settings can increase
security, system designers must be careful
that users do not find an easier way to slip
around them.
CONCLUSION
We can increase compliance if we work with
the psychological principles that drive
behavior.
Problem #4
1. Consider some software product that you
regularly use, some website that you regularly
visit, or some software product that you
develop as part of your job. Briefly describe this
product.
2. Discuss how well it meets the Principle of
Psychological Acceptability for users of this
product or website.
3. Discuss how this product or website could be
improved from the psychological viewpoint.