Cyber Summit 2016: Understanding Users' (In)Secure Behaviour

Page 1: Cyber Summit 2016: Understanding Users' (In)Secure Behaviour

Understanding Users’ (In)Secure behaviour

Prof. Sonia Chiasson, Canada Research Chair in Human Oriented Computer Security

Cyber Summit, Banff, October 2016

Page 2

Page 3

Users are the weakest link

Page 4

Users are the weakest link

Security system designs

Page 5

WHY PHISHING STILL WORKS

To understand how and why users decide whether a site is legitimate

M. Alsharnouby, F. Alaca, & S. Chiasson. Why phishing still works: User strategies for combating phishing attacks. Int. Jour. of Human-Computer Studies (Elsevier), 2015.

Page 6

Still falling for phish

First phishing attack: AOL, 1996

Page 7

User study

• Best-case scenario: measures detection ability rather than usual practice
• Task: is this a phishing site? How certain are you?
• Chrome browser
• 10 legitimate sites, 14 phishing sites
• Eye tracking
• 21 participants

Page 8

Websites

• Hosted sites: set up own certificate authority and modified browser host files, purchased domain/SSL certificate, HTTrack to copy sites

• Tricks:
– Incorrect URLs (with all links to legitimate site)
– IP address instead of URL
– Fake chrome (double URL bars)
– Fake, suspicious content: “credit card checker”

Page 9

Results

• Success rate: 53% for phishing, 78% for legitimate sites
• Confidence: 4.25/5 regardless of whether the choice was correct
• Time: 87s to decide, no difference between legitimate and phishing sites
• Eye tracking: 6% of time on security indicators, 85% on page content

No effect of gender, age, or tech expertise

52% did not recognize phishing of their own bank

Quick to judge familiar sites

Page 10

Misunderstandings

• Looked for ‘simple’ URLs but missed misspellings or fabricated URLs

• 48% said https was important, but 80% had no idea why

• 19% thought the green EV box was important; no one knew why

• Only 1 participant understood sub-domains: paypal.evil.com
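The sub-domain point is the one most participants missed: in paypal.evil.com the site is controlled by whoever registered evil.com, and the "paypal" label in front of it is free for that registrant to choose. The following Python helper is an added example, not code from the talk or the study, that does the job mechanically: it takes a URL and the domain the user believes they are visiting, strips any leading sub-domain labels to find the registrable domain, treats a bare IP address as its own case, and reports HTTPS as a separate fact, since encryption says nothing about who owns the site. The function names (`registrable_domain`, `classify`), the sample URLs and the tiny suffix table are all constructed for this example; real code should use the full Public Suffix List (for instance through the `tldextract` package) rather than the stand-in table here.

```python
"""Which site does this URL actually belong to?

Added example: separates the registrable domain from the sub-domain labels in
front of it, so that paypal.evil.com is reported as a site run by the owner
of evil.com.  MULTI_LABEL_SUFFIXES is a constructed stand-in for the Public
Suffix List and covers only the cases used in the samples below.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the label the registrant controls plus its public suffix.

    'paypal.evil.com' -> 'evil.com'
    'www.bank.co.uk'  -> 'bank.co.uk'
    'paypal.com'      -> 'paypal.com'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True for '192.0.2.10' or an IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str, expected_domain: str) -> dict:
    """Explain which domain a URL leads to and whether it is the expected one.

    `expected_domain` is the registrable domain the user believes they are
    visiting (e.g. 'paypal.com').  HTTPS is reported separately on purpose:
    it tells you the connection is encrypted, not who owns the site.
    """
    expected = expected_domain.lower()
    brand = expected.split(".")[0]          # e.g. 'paypal'
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")

    if is_ip_literal(host):
        owner, reason = host, "bare IP address instead of a hostname"
    else:
        owner = registrable_domain(host)
        if owner == expected:
            reason = "registrable domain matches"
        elif brand in labels:
            reason = "expected name appears only as a sub-domain of another domain"
        else:
            reason = "different registrable domain (misspelled or fabricated)"

    return {
        "host": host,
        "owner": owner,
        "matches_expected": owner == expected,
        "uses_https": parts.scheme == "https",
        "reason": reason,
    }


# Constructed sample URLs mirroring the kinds of tricks described in the study.
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.evil.com/signin",
    "http://192.0.2.10/paypal/signin",
    "https://paypa1.com/signin",
    "https://paypal.com.example.co.uk/signin",
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = classify(url, "paypal.com")
        flag = "OK " if r["matches_expected"] else "NOT"
        print(f"{flag} {url:42} -> {r['owner']:16} https={r['uses_https']}  ({r['reason']})")
```

Running the block prints one line per sample; only the first URL is reported as matching, and the last sample shows that a padlock and an https scheme can accompany a completely unrelated registrable domain.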

Page 11

Insights

• Detecting phishing is still really hard for users

• Users don’t know how to accurately detect, but are confident in their abilities

• Shallow, brittle understanding: is simple advice doing more harm than good?

• Really, humans aren’t meant to do this!

Page 12

PASSWORDS

Are we doing more harm than good?

Leah Zhang-Kennedy, Sonia Chiasson, and P. C. van Oorschot. Revisiting Password Rules: Facilitating Human Management of Passwords. In APWG eCrime. IEEE, 2016.

Page 13

Existing password rules

• creation rules
• mandatory password changes
• no sharing
• no writing down
• no reuse

Page 14

Unreasonable usability?

• Human memory limitations

• Incompatible work practices/demands

• Poor cost-benefit tradeoffs

Page 15

For little added security?

• Social engineering
• Offline guessing
• Password capture
• Online guessing

Page 16

Reconsidering the rules

http://www.versipass.com/edusec/

Page 17

Reconsidering the rules (2)

• Strategically re-use passwords
• Keep written passwords well hidden
• Share with caution
• Change your password as needed

Page 18

WRAP UP

So what do we do?

Page 19

Rethinking strategy

• Consider policies/demands in context
– When adding a rule, which one is being removed?
– How does this impact real work?

• Consider human capabilities
– Your employees don’t have wings

• What are the side-effects?

• Need realistic, actionable advice
– Users understand why and how a security action is beneficial

Page 20

[email protected]

Our lab: http://chorus.scs.carleton.ca

Comics: http://www.versipass.com/edusec/

SERENE-RISC cybersecurity network: http://www.serene-risc.ca/