Abstract
A significant number of attacks on systems target non-cryptographic components, such as the human interaction with the system. In this paper, we propose a taxonomy of human-protocol interaction weaknesses. This set of weaknesses harmonizes findings from many different research areas. In doing so we collate the most common human-interaction problems that can result in successful attacks against protocol implementations. We then map these weaknesses onto a set of design recommendations aimed at minimizing them.
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Carlos, M., Price, G. (2012). Understanding the Weaknesses of Human-Protocol Interaction. In: Blyth, J., Dietrich, S., Camp, L.J. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7398. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34638-5_2
DOI: https://doi.org/10.1007/978-3-642-34638-5_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34637-8
Online ISBN: 978-3-642-34638-5
eBook Packages: Computer Science (R0)