The set of impressions that a user forms about distinct aspects of a system depends on the experience perceived while interacting with it. Taking the effects of these interactions into account in a security analysis opens up a new class of security properties, expressed as misalignments between the system's technical guarantees and the user's impressions of them. For instance, a property that we call "false sense of insecurity" identifies a situation in which a secure system instils uncertainty in users, thereby misrepresenting the degree of protection that it actually provides; another, which we call "false sense of security", captures situations in which a system leads users to believe they are better protected than a technical analysis would justify. Both situations leave room for attacks. In this paper we propose a model to define and reason about such socio-technical misalignments. The model refers to and builds on the concept of security ceremonies, but relies on user-experience notions and on security analysis techniques to put together the information needed to verify misalignment properties relating the user's impressions to the system's security guarantees. We discuss the innovative insight that this pilot model offers for a holistic understanding of a system's security. We also propose a formal model that can be used with existing model checkers for an automatic analysis of misalignments. We exemplify the approach by modelling one specific application for end-to-end email encryption, within which we analyze a few instances of misalignment properties.
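The two misalignment properties named in the abstract, as an added example that is not the paper's model: a hypothetical, deliberately simplified E2E email client ceremony encoded as a finite-state system and searched exhaustively in Python. Every variable, action and UI cue below (encryption toggle, padlock icon, unverified-key warning) is an assumption of this toy model, as is the choice of technical guarantee being checked; the paper's own formal model is meant for existing model checkers such as NuSMV.

```python
"""Toy explicit-state check of socio-technical misalignments (added example).

System variables capture the technical guarantee, UI-cue variables drive the
user's impression, and we search the reachable state space for two properties:
  - false sense of security:   user perceives 'protected' but the message is not
  - false sense of insecurity: the message is protected but the user perceives a problem
"""
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, Iterator, Optional


@dataclass(frozen=True)
class State:
    sent: bool = False           # message has left the client
    enc_enabled: bool = False    # user switched the "encrypt" toggle on
    key_available: bool = False  # client holds a public key for the recipient
    key_verified: bool = False   # user compared the key fingerprint
    lock_icon: bool = False      # UI cue users read as "protected"
    warning: bool = False        # UI banner users read as "something is wrong"


def technically_secure(s: State) -> bool:
    # Assumption of the toy model: the guarantee analysed is confidentiality against
    # the mail provider, which holds iff the message is encrypted to *some* key for
    # the recipient.  Fingerprint verification matters for a MITM adversary instead,
    # so picking a different threat model changes which misalignments appear.
    return s.enc_enabled and s.key_available


def perceived_secure(s: State) -> bool:
    return s.lock_icon and not s.warning


def perceived_insecure(s: State) -> bool:
    return s.warning


def successors(s: State, padlock_requires_key: bool = False) -> Iterator[tuple[str, State]]:
    """User actions available in the hypothetical client and their effect on the state.

    With padlock_requires_key=False the padlock mirrors the toggle alone (a UI defect:
    it lights up even when no key exists and the message would go out in clear).
    """
    if s.sent:
        return
    enc = not s.enc_enabled
    lock = enc and (s.key_available or not padlock_requires_key)
    yield "toggle_encryption", replace(s, enc_enabled=enc, lock_icon=lock)
    if not s.key_available:
        # Key lookup succeeds, but the key is unverified, so the client raises a banner.
        yield "fetch_key", replace(s, key_available=True, key_verified=False,
                                   warning=True, lock_icon=s.enc_enabled)
    elif not s.key_verified:
        yield "verify_fingerprint", replace(s, key_verified=True, warning=False)
    yield "send", replace(s, sent=True)


def find_misalignment(prop: Callable[[State], bool], **opts) -> Optional[list[str]]:
    """Breadth-first reachability from the initial state.

    Returns the shortest action trace to a state satisfying `prop`, i.e. a
    counterexample to the temporal property 'AG not prop', or None if no
    reachable state satisfies it.
    """
    init = State()
    parent: dict[State, Optional[tuple[str, State]]] = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if prop(s):
            trace = []
            while parent[s] is not None:
                action, prev = parent[s]
                trace.append(action)
                s = prev
            return trace[::-1]
        for action, nxt in successors(s, **opts):
            if nxt not in parent:
                parent[nxt] = (action, s)
                queue.append(nxt)
    return None


def false_sense_of_security(s: State) -> bool:
    return perceived_secure(s) and not technically_secure(s)


def false_sense_of_insecurity(s: State) -> bool:
    return technically_secure(s) and perceived_insecure(s)


if __name__ == "__main__":
    for name, prop in [("false sense of security", false_sense_of_security),
                       ("false sense of insecurity", false_sense_of_insecurity)]:
        print(f"{name:26s} defective padlock: {find_misalignment(prop)}")
        print(f"{name:26s} padlock needs key: {find_misalignment(prop, padlock_requires_key=True)}")
```

Tying the padlock to the actual presence of a key removes the false sense of security, but the unverified-key banner still produces a false sense of insecurity with respect to the confidentiality-against-provider guarantee; a fix on the UI side has to be checked against each property separately, which is exactly the kind of question the model checking in the paper is meant to answer.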
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Applied Security and Information Assurance Group (APSIA)
Disciplines :
Computer science
Author, co-author :
Stojkovski, Borce ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)
Vazquez Sandoval, Itzel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Lenzini, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors :
no
Language :
English
Title :
Detecting misalignments between system security and user perceptions: a preliminary socio-technical analysis of an E2E email encryption system
Publication date :
2019
Event name :
4th European Workshop on Usable Security
Event place :
Stockholm, Sweden
Event date :
20-06-2019
Audience :
International
Main work title :
4th European Workshop on Usable Security - 2019 IEEE European Symposium on Security and Privacy Workshops
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR10621687 - Security And Privacy For System Protection, 2015 (01/01/2017-30/06/2023) - Sjouke Mauw