References of "Stojkovski, Borce 50030235"
Full Text | Peer Reviewed
Evaluating ambiguity of privacy indicators in a secure email app
Stojkovski, Borce UL; Lenzini, Gabriele UL

in Loreti, Michele; Spalazzi, Luca (Eds.) Proceedings of the Fourth Italian Conference on Cyber Security, Ancona Italy, February 4th to 7th, 2020 (2020)

Informing laymen of security situations is a notoriously hard problem. Users are usually not cognoscenti of all the various secure and insecure situations that may arise, and this can be further worsened by certain visual indicators that, instead of helping users, fail to convey clear and unambiguous messages. Even in well-established and studied applications, like email clients providing end-to-end encryption, the problem seems far from being solved. Motivated to verify this claim, we studied the communication qualities of four privacy icons (in the form of coloured shapes) in conveying specific security messages, relevant for a particular secure emailing system called p≡p. We questioned 42 users in three different sessions, where we showed them 10 privacy ratings, along with their explanations, and asked them to match the rating and explanation with the four privacy icons. We compared the participants’ associations to those made by the p≡p developers. The results, still preliminary, are not encouraging. Except for the two most extreme cases, Secure and trusted and Under attack, users almost entirely missed the indicators’ intended messages. In particular, they did not grasp certain concepts such as Unsecure email and Secure email, which in turn were fundamental for the engineers. Our work has certain limitations and further investigation is required, but already at this stage our research calls for a closer collaboration between app engineers and icon designers. In the context of p≡p, our work has triggered a deeper discussion on the icon design choices and a potential revamp is on the way.

Full Text | Peer Reviewed
Detecting misalignments between system security and user perceptions: a preliminary socio-technical analysis of an E2E email encryption system
Stojkovski, Borce UL; Vazquez Sandoval, Itzel UL; Lenzini, Gabriele UL

in 4th European Workshop on Usable Security - 2019 IEEE European Symposium on Security and Privacy Workshops (2019)

The set of impressions that a user has about distinct aspects of a system depends on the experience perceived while interacting with the system. Considering the effects of these interactions in a security analysis allows for a new class of security properties in terms of misalignments between the system’s technical guarantees and the user’s impressions of them. For instance, a property that we call “false sense of insecurity” identifies a situation in which a secure system injects uncertainty in users, thus improperly transmitting the degree of protection that it actually provides; another, which we call “false sense of security”, captures situations in which a system instills a false sense of security beyond what a technical analysis would justify. Both situations leave room for attacks. In this paper we propose a model to define and reason about such socio-technical misalignments. The model refers to and builds on the concept of security ceremonies, but relies on user experience notions and on security analysis techniques to put together the information needed to verify misalignment properties about user’s impressions and system’s security guarantees. We discuss the innovative insight of this pilot model for a holistic understanding of a system’s security. We also propose a formal model that can be used with existing model checkers for an automatic analysis of misalignments. We exemplify the approach by modelling one specific application for end-to-end email encryption within which we analyze a few instances of misalignment properties.

Full Text | Peer Reviewed
A Protocol to Strengthen Password-Based Authentication
Vazquez Sandoval, Itzel UL; Lenzini, Gabriele UL; Stojkovski, Borce UL

in Emerging Technologies for Authorization and Authentication (2018, November)

We discuss a password-based authentication protocol that we argue to be robust against password-guessing and off-line dictionary attacks. The core idea is to hash the passwords with a seed that comes from an OTP device, making the resulting identity token unpredictable for an adversary. We believe that the usability of this new protocol is the same as that of password-based methods with OTP, but has the advantage of not burdening users with having to choose strong passwords.