Frontiers of Usable Security: New Challenges and New Models
Much of life is now online, and new challenges involving security and privacy have arisen. In particular, the human factor has become increasingly important with the growth in the number of users and in the scale and diversity of usage. The field of “usable security” initially emerged to make security software easier to use. This continues to be relevant, but the field now needs to address a wider range of complex issues. For example, mobile devices and cloud computing involve new and ever-changing contexts of use, new populations now rely on computing infrastructure, and organizations without any previous security orientation must now ensure security to protect their business interests.
While engagement with and reliance on computing infrastructure by users expands, some supporting roles also increase in importance. One aspect of this involves security operations centres, where the human factors challenges include situation awareness, workflow, and collaborative analysis. Another new area involves security within organizations, where people are not administrators but still have responsibilities beyond themselves. There are some standards, but these typically take a management perspective in which security behaviour is addressed more by edict than by good design. Even programmers are involved in the human factors challenges facing usable security, because apparently small slips in specialized software can cause cascading and devastating weaknesses: this is the lesson of the “Heartbleed” vulnerability in OpenSSL, the “Shellshock” vulnerability in a widely used Unix command interpreter, and most recently (July 2015) the “Stagefright” code weaknesses in the Android mobile platform.
This presentation will review these new challenges, and outline some models of human behaviour that may help.
Robert Biddle is Professor of Human-Computer Interaction at Carleton University in Ottawa, Canada. He is appointed both to the School of Computer Science and the Institute of Cognitive Science. He has won awards for teaching and research, and his research program involves active collaboration with a range of government and industry partners.
His current research is primarily in human factors in cyber-security and software design, especially creating and evaluating innovative designs for computer security software.
Previously his research emphasis was on agile methods for software development, and especially on the relationship between customers and developers. He leads research themes for cross-Canada research networks on human-oriented computer security, on software engineering for surface applications, and on privacy and security in new media environments.
Fabio Massacci is a full professor at the University of Trento (IT). He received his Ph.D. in Computing from the University of Rome La Sapienza in 1998. He has held positions in Cambridge (UK), Toulouse (FR) and Siena (IT). He has published more than 250 articles in peer-reviewed journals and conferences, and his h-index is 35. His current research interest is in empirical methods for cyber security. He was the European Coordinator of the project SECONOMICS (www.seconomics.org) on socio-economic aspects of security. He is now working on the SESAR EMFASE project on empirical validation of security risk assessment in aviation. With Luca Allodi he contributed to a more scientific approach to vulnerability risk assessment for the CVSS standard.