Paper published in a book (Scientific congresses, symposiums and conference proceedings)
Detecting misalignments between system security and user perceptions: a preliminary socio-technical analysis of an E2E email encryption system
STOJKOVSKI, Borce; VAZQUEZ SANDOVAL, Itzel; LENZINI, Gabriele
2019In 4th European Workshop on Usable Security - 2019 IEEE European Symposium on Security and Privacy Workshops
Peer reviewed
 

Files


Full Text
21.pdf
Author postprint (1.12 MB)
Request a copy

All documents in ORBilu are protected by a user license.

Send to



Details



Keywords :
socio-technical security; UX; formal models
Abstract :
[en] The set of impressions that a user has about distinct aspects of a system depends on the experience perceived while interacting with the system. Considering the effects of these interactions in a security analysis allows for a new class of security properties in terms of misalignments between the system’s technical guarantees and the user’s impressions of them. For instance, a property that we call “false sense of insecurity” identifies a situation in which a secure system injects uncertainty in users, thus improperly transmitting the degree of protection that it actually provides; another, which we call “false sense of security”, captures situations in which a system instills a false sense of security beyond what a technical analysis would justify. Both situations leave room for attacks. In this paper we propose a model to define and reason about such socio-technical misalignments. The model refers to and builds on the concept of security ceremonies, but relies on user experience notions and on security analysis techniques to put together the information needed to verify misalignment properties about user’s impressions and system’s security guarantees. We discuss the innovative insight of this pilot model for a holistic understanding of a system’s security. We also propose a formal model that can be used with existing model checkers for an automatic analysis of misalignments. We exemplify the approach by modelling one specific application for end-to-end email encryption within which we analyze a few instances of misalignment properties.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Applied Security and Information Assurance Group (APSIA)
Disciplines :
Computer science
Author, co-author :
STOJKOVSKI, Borce ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)
VAZQUEZ SANDOVAL, Itzel ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
LENZINI, Gabriele ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors :
no
Language :
English
Title :
Detecting misalignments between system security and user perceptions: a preliminary socio-technical analysis of an E2E email encryption system
Publication date :
2019
Event name :
4th European Workshop on Usable Security
Event place :
Stockholm, Sweden
Event date :
20-06-2019
Audience :
International
Main work title :
4th European Workshop on Usable Security - 2019 IEEE European Symposium on Security and Privacy Workshops
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR10621687 - Security And Privacy For System Protection, 2015 (01/01/2017-30/06/2023) - Sjouke Mauw
Name of the research project :
PRIDE15/10621687/SPsquared
Funders :
FNR - Fonds National de la Recherche
Available on ORBilu :
since 24 June 2019

Statistics


Number of views
256 (56 by Unilu)
Number of downloads
7 (4 by Unilu)

Scopus citations®
 
3
Scopus citations®
without self-citations
2

Bibliography


Similar publications



Contact ORBilu