Understanding the Weaknesses of Human-Protocol Interaction

  • Conference paper
Financial Cryptography and Data Security (FC 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7398)

Abstract

A significant number of attacks on systems target their non-cryptographic components, in particular the human interaction with the system. In this paper, we propose a taxonomy of human-protocol interaction weaknesses. This set of weaknesses harmonizes findings from several different research areas: it collates the most common human-interaction problems that can result in successful attacks against protocol implementations. We then map these weaknesses onto a set of design recommendations aimed at minimizing them.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Carlos, M., Price, G. (2012). Understanding the Weaknesses of Human-Protocol Interaction. In: Blyth, J., Dietrich, S., Camp, L.J. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7398. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34638-5_2

  • DOI: https://doi.org/10.1007/978-3-642-34638-5_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34637-8

  • Online ISBN: 978-3-642-34638-5
