
Security in Practice – Security-Usability Chasm

  • Conference paper
Information Systems Security (ICISS 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4812)

Abstract

The area of computer systems security has received increased attention from both academia and industry. However, recent work indicates that substantial security gaps emerge when systems are deployed, even with the use of state-of-the-art security protocols. Our findings suggest that widespread security problems exist even when protocols such as SSL and SSH are deployed, because systems today do not give security warnings properly or make it trivial for users to bypass them. Even when these protocols are deployed correctly, systems often leave themselves vulnerable to social-engineering attacks as an artifact of their design. In one of our studies, we examined the web sites of 706 financial institutions and found over 90% of them to have made poor design choices when it comes to security, even though all deployed SSL for communicating passwords and doing transactions. In another study, we examined the usage of SSH within our own department and found that most users would be susceptible to a man-in-the-middle attack. Based on our studies, we postulate that some of the most interesting challenges for security researchers and practitioners lie at the intersection of security theory, its application in practice, and user behavior. We point out some of those challenges and hope that the research community can help address them.



Editor information

Patrick McDaniel Shyam K. Gupta


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Prakash, A. (2007). Security in Practice – Security-Usability Chasm. In: McDaniel, P., Gupta, S.K. (eds) Information Systems Security. ICISS 2007. Lecture Notes in Computer Science, vol 4812. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77086-2_1


  • DOI: https://doi.org/10.1007/978-3-540-77086-2_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77085-5

  • Online ISBN: 978-3-540-77086-2
