Transcript Psychology and Security

PSYCHOLOGY AND SECURITY
Agenda
 Tuesday, June 28th
 Psychology and Security
 Thursday, June 30th
 Usable Security
References
 Ross Anderson, Security Engineering
 Chapter 2 “Usability and Psychology”
 Ryan West, “The Psychology of Security”,
Communications of the ACM, April 2008, p3440.
People
 Only amateurs attack machines; professionals
target people.
— Bruce Schneier
 Many real attacks exploit psychology at least
as much as technology.
 Kevin Mitnick, Art of Deception
Phishing
 it is much easier for crooks to build a bogus
bank website that passes casual inspection
than it is for them to create a bogus bank in a
shopping mall.
Phishing Examples
 US Bank
 Amazon
 Twitter
Pretexting & Social
Engineering
 The most common way for private
investigators to steal personal information is
pretexting — phoning someone who has the
information under a false pretext, usually by
pretending to be someone authorized to be
told it. Such attacks are sometimes known
collectively as social engineering.
Trusting people
 Many frauds work by appealing to our
atavistic instincts to trust people more in
certain situations.
Psychological manipulation
 As designers learn how to forestall the easier
techie attacks, psychological manipulation of
system users or operators becomes ever
more attractive.
 The security engineer simply must
understand basic psychology and ‘security
usability’.
IRS Social Engineering
 Fixing the problem is hard. Despite
continuing publicity about pretexting, there
was an audit of the IRS in 2007 by the
Treasury Inspector General for Tax
Administration, whose staff called 102 IRS
employees at all levels, asked for their user
ids, and told them to change their passwords
to a known value. 62 did so.
Policies & Training
 It’s not enough for rules to exist; you have to
train all the staff who have access to the
confidential material, and explain to them the
reasons behind the rules.
Research Areas
 Information security and psychology
 Human-computer interaction (HCI)
 Poorly understood by systems developers
 Information security and economics
Perception of Risk
 Terrorism is largely about manipulating
perceptions of risk.
 Many protection mechanisms are sold using
scaremongering.
Cognitive psychology
 How we think, remember, and make
decisions.
 What makes security harder than safety is
that we have a sentient attacker who will try
to provoke exploitable errors.
Practiced actions
 People are trained to click ‘OK’ to pop-up
boxes as that’s often the only way to get
the work done.
Risk Evaluation
 Risk and uncertainty are extremely difficult
concepts for people to evaluate.
 For designers of security systems, it is
important to understand how users evaluate
and make decisions regarding security.
 The most elegant and intuitively designed
interface does not improve security if users
ignore warnings, choose poor settings, or
unintentionally subvert corporate policies.
Risk Evaluation
 The user problem in security systems is not
just about user interfaces or system
interaction. Fundamentally, it is about how
people think of risk that guides their
behavior.
Following rules
 Starting URLs with the impersonated bank’s
name, as
www.citibank.secureauthentication.com—
looking for the name being for many people a
stronger rule than parsing its position.
Mental Model
 Attackers exploit dissonances between users’
mental models of a system and its actual
logic.
 A cognitive walkthrough can be aimed at
identifying attack points, just as a code
walkthrough can be used to search for
software vulnerabilities.
Behavioral economics
 People’s decision processes depart from the
rational behavior.
 The heuristics we use in everyday judgment
and decision making lie somewhere between
rational thought and the unmediated input
from the senses.
Calculating Probabilities
 We’re also bad at calculating probabilities,
and use all sorts of heuristics to help us make
decisions:
 We also worry too much about unlikely
events.
 Many people perceive terrorism to be a much
worse threat than food poisoning or road
traffic accidents.
Problem 1
 Read “Users do not think they are at risk” on
page 36 of Ryan West, “The Psychology of
Security”.
 Complete Problem 1
Users aren’t stupid, they’re
unmotivated
 To conserve mental resources, we generally
tend to favor quick decisions based on
learned rules and heuristics.
 It is efficient in the sense it is quick, it
minimizes effort, and the outcome is good
enough most of the time. (cognitive miser)
 This partially accounts for why users do not
reliably read all the text relevant in a display
or consider all the consequences of their
actions.
Problem 2
 Safety is an abstract concept.
 Chose a partner.
 Complete Problem #2
Evaluating the security/cost
trade-off
 While the gains of security are generally
abstract the cost is real and immediate.
 it usually comes with a price paid in time,
effort, and convenience.
 Users weigh the cost of the effort against the
perceived value of the gain (safety/security)
and the perceived chance that nothing bad
would happen either way.
Risk aversion
 People dislike losing $100 they already have
more than they value winning $100.
 Marketers talk in terms of ‘discount’ and
‘saving’ — by framing an action as a gain
rather than as a loss makes people more likely
to take it.
Problem 3
 Security as a secondary task.
 Losses perceived disproportionately to
gains
 With your partner, complete Problem #3.
Principle of Psychological Acceptability
 Security Mechanisms should not make the
resource more difficult to access than if the
security mechanisms were not present.
 Salzer & Schroeder 1975
Principle of Psychological Acceptability
 The security mechanism may add some extra
burden, but that burden must be both
minimal and reasonable.
 Every file access requires the user enter his
password?
Password Policies
 Many users want to use a simple easy to
remember password. They do not want to
change their password. They write down
their password. They want to use the same
password for all their accounts.
 It is a challenge to write a password policy
that is psychologically acceptable and still
provides security.
Airport Security
 Is it psychologically acceptable?
 How about full body scans and pat downs?
IMPROVING SECURITY COMPLIANCE AND
DECISION MAKING
 Reward pro-security behavior.
 Users must be motivated to take pro-security
actions.
 There must be a tangible reward for making
good security decisions.
 One form of reward is to see that the security
mechanisms are working and that the action
the user chose is, in fact, making them safer.
IMPROVING SECURITY COMPLIANCE AND
DECISION MAKING
 When an antivirus or antispyware product finds
and removes malicious code. The security
application often issues a notification that it has
found and mitigated a threat.
Improve the awareness of risk
 People often believe they are at less risk
compared to others.
 Increase user awareness of the risks they
face.
 Security messages should be instantly
distinguishable from other message dialogs.
Security messages should look and sound
very different
Catch corporate security policy
violators
 Having a corporate security policy that is not
monitored or enforced is tantamount to
having laws but no police.
 Security systems should have good auditing
capabilities.
 The best deterrent to breaking the rules is not
the severity of consequences but the
likelihood of being caught.
Reduce the cost of implementing
security
 To accomplish a task, users often seek the
path of least resistance that satisfies the
primary goal.
 Making the secure choice the easiest for the
user to implement, one takes advantage of
normal user behavior and gains compliance.
Reduce the cost of implementing
security
 To reduce the cost of security is to employ
secure default settings.
 Most users never change the default settings
of their applications.
 “Secure by Default” principle.
 While good default settings can increase
security, system designers must be careful
that users do not find an easier way to slip
around them.
CONCLUSION
 We can increase compliance if we work with
the psychological principles that drive
behavior.
Problem #4
1. Consider some software product that you
regularly use, some website that you regularly
visit, or some software product that you
develop as part of your job. Briefly describe this
product.
2. Discuss how well it meets the Principle of
Psychological Acceptability for users of this
product or website.
3. Discuss how this product or website could be
improved from the psychological viewpoint.
