Detecting misalignments between system security and user perceptions: a preliminary socio-technical analysis of an E2E email encryption system

Stojkovski, Borce; Vazquez Sandoval, Itzel; Lenzini, Gabriele

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Stojkovski, Borce; Vazquez Sandoval, Itzel; Lenzini, Gabriele

2019 • In 4th European Workshop on Usable Security - 2019 IEEE European Symposium on Security and Privacy Workshops

Peer reviewed

Permalink
https://hdl.handle.net/10993/39726

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

21.pdf

Author postprint (1.12 MB)

Request a copy

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

socio-technical security; UX; formal models

Abstract :

[en] The set of impressions that a user has about distinct aspects of a system depends on the experience perceived while interacting with the system. Considering the effects of these interactions in a security analysis allows for a new class of security properties in terms of misalignments between the system’s technical guarantees and the user’s impressions of them. For instance, a property that we call “false sense of insecurity” identifies a situation in which a secure system injects uncertainty in users, thus improperly transmitting the degree of protection that it actually provides; another, which we call “false sense of security”, captures situations in which a system instills a false sense of security beyond what a technical analysis would justify. Both situations leave room for attacks. In this paper we propose a model to define and reason about such socio-technical misalignments. The model refers to and builds on the concept of security ceremonies, but relies on user experience notions and on security analysis techniques to put together the information needed to verify misalignment properties about user’s impressions and system’s security guarantees. We discuss the innovative insight of this pilot model for a holistic understanding of a system’s security. We also propose a formal model that can be used with existing model checkers for an automatic analysis of misalignments. We exemplify the approach by modelling one specific application for end-to-end email encryption within which we analyze a few instances of misalignment properties.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Applied Security and Information Assurance Group (APSIA)

Disciplines :

Computer science

Author, co-author :

Stojkovski, Borce ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)

Vazquez Sandoval, Itzel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Lenzini, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

External co-authors :

Language :

English

Title :

Detecting misalignments between system security and user perceptions: a preliminary socio-technical analysis of an E2E email encryption system

Publication date :

2019

Event name :

4th European Workshop on Usable Security

Event place :

Stockholm, Sweden

Event date :

20-06-2019

Audience :

International

Main work title :

4th European Workshop on Usable Security - 2019 IEEE European Symposium on Security and Privacy Workshops

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

FnR Project :

FNR10621687 - Security And Privacy For System Protection, 2015 (01/01/2017-30/06/2023) - Sjouke Mauw

Name of the research project :

PRIDE15/10621687/SPsquared

Funders :

FNR - Fonds National de la Recherche [LU]

Available on ORBilu :

since 24 June 2019

Statistics

Number of views

240 (56 by Unilu)

Number of downloads

7 (4 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

K. M. Martin, Everyday cryptography: fundamental principles and applications, Oxford New York, 2012.
ENISA, Study on cryptographic protocols (ISBN 978-92-9204-103-8), European Union Agency for Network and Information Security, Heraklion, Tech. Rep., 2014.
L. F. Cranor, A framework for reasoning about the human in the loop, Proceedings of the 1st Conference on Usability, Psychology, and Security (UPSEC08), pp. 1-15, 2008.
I. Flechais, J. Riegelsberger, and M. A. Sasse, Divide and Conquer: The Role of Trust and Assurance in the Design of Secure Sociotechnical Systems, in Proceedings of the 2005 Workshop on New Security Paradigms. New York, NY, USA: ACM, 2005, pp. 33-41. [Online]. Available: http://doi.acm.org/10.1145/1146269.1146280
G. Baxter and I. Sommerville, Socio-technical systems: From design methods to systems engineering, Interacting with Computers, vol. 23, no. 1, pp. 4-17, jan 2011.
G. P. Bella, P. Curzon, and G. Lenzini, Service security and privacy as a socio-technical problem, vol. 23, no. 5, pp. 563-585, 2015.
R. Abu-Salma, E. M. Redmiles, B. Ur, and M. Wei, Exploring User Mental Models of End-to-End Encrypted Communication Tools, 8th USENIX Workshop on Free and Open Communications on the Internet (FOCI), 2018.
G. Bella and L. Coles-Kemp, Layered Analysis of Security Ceremonies, D. Gritzalis, S. Furnell, and M. Theoharidou, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 273-286.
C. Ellison, Ceremony Design and Analysis, Citeseer, vol. 399, pp. 1-17, 2007. [Online]. Available: http://eprint.iacr.org/2007/399
K. J. Radke, Security ceremonies : including humans in cryptographic protocols, Ph.D. dissertation, Queensland University of Technology, 2013. [Online]. Available: https://eprints.qut.edu.au/63704/
M. C. Carlos, J. E. Martina, G. Price, and R. F. Custodio, An updated threat model for security ceremonies, p. 1836, 2013.
S. W. Smith, Humans in the loop: Human-computer interaction and security, IEEE Security and Privacy, vol. 1, no. 3, pp. 75-79, 2003.
B. Beckert and G. Beuster, A Method for Formalizing, Analyzing, and Verifying Secure User Interfaces BT -Formal Methods and Software Engineering, Z. Liu and J. He, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2006, pp. 55-73.
S. Gibbons, Journey Mapping 101, 2018 (accessed 2019-04-19). [Online]. Available: https://www.nngroup.com/articles/journeymapping-101/
K.-P. Yee, Aligning security and usability, IEEE Security & Privacy, vol. 2, no. 5, pp. 48-55, 2004.
K. Renaud, M. Volkamer, and A. Renkema-Padmos, Why Doesnt Jane Protect Her Privacy? in Privacy Enhancing Technologies, E. De Cristofaro and S. J. Murdoch, Eds. Cham: Springer International Publishing, 2014, pp. 244-262.
R. Abu-Salma, M. A. Sasse, J. Bonneau, A. Danilova, A. Naiakshina, and M. Smith, Obstacles to the Adoption of Secure Communication Tools, in 2017 IEEE Symposium on Security and Privacy (SP), 2017, pp. 137-153.
D. K. Smetters and R. E. Grinter, Moving from the Design of Usable Security Technologies to the Design of Useful Secure Applications, in Proceedings of the 2002 Workshop on New Security Paradigms, ser. NSPW 02. New York, NY, USA: ACM, 2002, pp. 82-89.
D. A. Norman, The design of everyday things, New York, 2013.
McKinsey & Company, Customer experience: New capabilities, new audiences, new opportunities, Tech. Rep. 2, 2017.
K. Kaplan, When and How to Create Customer Journey Maps, 2016 (accessed 2019-04-19). [Online]. Available: https://www.nngroup.com/articles/customer-journey-mapping/
K. Kaplanh, Journey Mapping in Real Life: A Survey of UX Practitioners, 2016 (accessed 2019-04-19). [Online]. Available: http://www.nngroup.com/articles/journey-mapping-ux-practitioners/
S. Mauw and C. Cremers, Operational Semantics and Verification of Security Protocols. Springer Science & Business Media, 2012.
A. Degani and M. Heymann, Formal verification of human-automation interaction, Human Factors, vol. 44, no. 1, pp. 28-43, 2002.
P. Curzon, R. Ruksenas, and A. Blandford, An approach to formal verification of human-computer interaction, Formal Aspects of Computing, vol. 19, no. 4, pp. 513-550, Nov 2007.
M. D. Harrison, P. Masci, J. C. Campos, and P. Curzon, Verification of user interface software: The example of use-related safety requirements and programmable medical devices, IEEE Trans. Human-Machine Systems, vol. 47, no. 6, pp. 834-846, 2017.
C. Baier and J. Katoen, Principles of model checking. MIT Press, 2008.
E. M. Clarke and E. A. Emerson, Design and synthesis of synchronization skeletons using branching-time temporal logic, in Logic of Programs, Workshop. Springer-Verlag, 1982, pp. 52-71.
Pretty Easy Privacy, (accessed 2019-04-19). [Online]. Available: https://www.pep.security/
The Radicati Group, Email Statistics Report, 2018-2022, Tech. Rep., 2018.
A. Whitten and J. D. Tygar, Why Johnny Cant Encrypt: A Usability Evaluation of PGP 5.0, ser. SSYM99. USENIX Association, 1999.
S. E. Mcgregor, P. Charters, T. Holliday, and S. E. Mcgregor, 2015. Survey. Investigating the Computer Security Practices and Needs of Journalists. This Paper Is Included in the Proceedings of the Investigating the Computer Security Practices and Needs of Journalists, 24th USENIX Security Symposium (USENIX Security 15), 2015.
S. L. Garfinkel and R. C. Miller, Johnny 2: a user test of key continuity management with S/MIME and Outlook Express, Proceedings of the 2005 symposium on Usable privacy and security, vol. 6, pp. 13-24, 2005.
S. Gaw, E. W. Felten, and P. Fernandez-Kelly, Secrecy, flagging, and paranoia, p. 591, 2006.
S. Ruoti, J. Andersen, S. Heidbrink, M. ONeill, E. Vaziripour, J. Wu, D. Zappala, and K. Seamons, WeRe on the Same Page: A Usability Study of Secure Email Using Pairs of Novice Users, ser. CHI 16. ACM, 2016, pp. 4298-4308.
S. Ruoti, N. Kim, B. Burgon, T. van der Horst, and K. Seamons, Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes, ser. SOUPS 13. ACM, 2013, pp. 5:1-5:12.
E. Atwater, C. Bocovich, U. Hengartner, E. Lank, and I. Goldberg, Leading Johnny toWater: Designing for Usability and Trust. USENIX Association, 2015, pp. 69-88.
W. Bai, D. Kim, M. Namara, Y. Qian, P. G. Kelley, and M. L. Mazurek, Balancing Security and Usability in Encrypted Email, IEEE Internet Computing, vol. 21, no. 3, pp. 30-38, 2017.
A. Lerner, E. Zeng, and F. Roesner, Confidante: Usable Encrypted Email: A Case Study with Lawyers and Journalists, in 2017 IEEE European Symposium on Security and Privacy, 2017, pp. 385-400.
C. Wharton, J. Rieman, C. Lewis, and P. Polson, The Cognitive Walkthrough Method: A Practitioners Guide, in Usability Inspection Methods, J. Nielsen and R. L. Mack, Eds. New York, NY, USA: John Wiley & Sons, Inc., 1994, pp. 105-140.
J. Yoon, A. Pohlmeyer, and P. Desmet, Positive Emotional Granularity Cards. Delft: Delft University of Technology, 2015.
S. Fokkinga, Negative emotion typology, 2019 (accessed 2019-04-19), https://emotiontypology.com/.
A. Cimatti, E. Clarke, F. Giunchiglia, and M. Roveri, NUSMV: a new Symbolic Model Verifier, in Proceedings Eleventh Conference on Computer-Aided Verification (CAV99), ser. Lecture Notes in Computer Science, N. Halbwachs and D. Peled, Eds., no. 1633. Trento, Italy: Springer, July 1999, pp. 495-499.