publications

Google Scholar profile, Microsoft Academic Search profile, publications list in DBLP, ACM DL Author Profile

all Konstantin’s publications in LERSSE DL (you can download each)

most recent publications

journal publications

  • Android users in the wild: Their authentication and usage behavior
    In this paper, we performed a longitudinal field study with 41 participants, who installed our monitoring framework on their Android smartphones and ran it for at least 20 days. We examined how unlocking mechanisms perform in the wild in terms of the time it takes to authenticate and the error rate, and how the users’ choices of the unlocking mechanisms are linked to the different patterns of smartphone usage. Based on our findings,... Read more »
  • Decoupling data-at-rest encryption and smartphone locking with wearable devices
    Smartphones store sensitive and confidential data, e.g., business related documents or emails. If a smartphone is stolen, such data are at risk of disclosure. To mitigate this risk, modern smartphones allow users to enable data encryption, which uses a locking password to protect the data encryption key. Unfortunately, users either do not lock their devices at all, due to usability issues, or use weak and easy to guess 4-digit PINs.... Read more »
  • Phishing threat avoidance behaviour: An empirical investigation
    Phishing is an online identity theft that aims to steal sensitive information such as username, password and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This paper reports on the design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework... Read more »
  • Heuristics for Evaluating IT Security Management Tools
    The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. In this paper, we explore how domain specific heuristics are created by examining prior research in the area of heuristic and guideline creation. We then describe our approach of creating usability heuristics for ITSM tools, which is based on guidelines for ITSM tools that are interpreted and abstracted with activity theory.... Read more »
  • Investigating Users' Perspectives of Web Single Sign-On: Conceptual Gaps and Acceptance Model
    OpenID and OAuth are open and simple web single sign-on (SSO) protocols that have been adopted by major service providers, and millions of supporting websites. However, the average user's perception of web SSO is still poorly understood. Through several user studies, this work investigates users' perceptions and concerns when using web SSO for authentication. We found several misconceptions and concerns that hinder our participants' adoption intentions, from their... Read more »
  • Speculative Authorization
    We present Speculative Authorization (SPAN), a prediction technique that reduces authorization latency in enterprise systems. SPAN predicts requests that a system client might make in the near future, based on its past behavior. SPAN allows authorization decisions for the predicted requests to be made before the requests are issued, thus virtually reducing the authorization latency to zero. We developed SPAN algorithms, implemented a prototype, and evaluated it using two real-world... Read more »
  • Design and Analysis of a Social Botnet
    Online Social Networks (OSNs) have attracted millions of active users and have become an integral part of today's Web ecosystem. Unfortunately, in the wrong hands, OSNs can be used to harvest private user data, distribute malware, control botnets, perform surveillance, spread misinformation, and even influence algorithmic trading. Usually, an adversary starts off by running an infiltration campaign using hijacked or adversary-owned OSN accounts, with an objective to connect with a... Read more »
  • Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures
    OpenID 2.0 is a user-centric Web single sign-on protocol with over one billion OpenID-enabled user accounts, and tens of thousands of supporting websites. While the security of the protocol is clearly critical, so far its security analysis has only been done in a partial and ad-hoc manner. This paper presents the results of a systematic analysis of the protocol using both formal model checking and an empirical evaluation of 132... Read more »
  • Analysis of ANSI RBAC Support in EJB
    This paper analyzes access control mechanisms of the Enterprise Java Beans (EJB) architecture and defines a configuration of the EJB protection system in a more precise and less ambiguous language than the EJB 3.0 standard. Using this configuration, the authors suggest an algorithm that formally specifies the semantics of authorization decisions in EJB. The level of support is analyzed for the American National Standard Institute’s (ANSI) specification of Role-Based Access... Read more »
  • Toward Understanding Distributed Cognition in IT Security Management: The Role of Cues and Norms
    Information technology security management (ITSM) entails significant challenges, including the distribution of tasks and stakeholders across the organization, the need for security practitioners to cooperate with others, and technological complexity. We investigate the organizational processes in ITSM using qualitative analysis of interviews with ITSM practitioners. To account for the distributed nature of ITSM, we utilized and extended a distributed cognition framework that includes as key aspects the themes of cues... Read more »
  • Analysis of ANSI RBAC Support in COM+
    We analyze access control mechanisms of the COM+ architecture and define a configuration of the COM+ protection system in more precise and less ambiguous language than the COM+ documentation. Using this configuration, we suggest an algorithm that formally specifies the semantics of authorization decisions in COM+. We analyze the level of support for the American National Standard Institute's (ANSI) specification of role-based access control (RBAC) components and functional specification in... Read more »
  • Authorization Recycling in Hierarchical RBAC Systems
    As distributed applications increase in size and complexity, traditional authorization architectures based on a dedicated authorization server become increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization caching, which enables the re-use of previous authorization decisions, is one technique that has been used to address these challenges. This paper introduces and evaluates the mechanisms for authorization "recycling" in RBAC enterprise systems. The... Read more »
  • Preparation, detection, and analysis: the diagnostic work of IT security incident response
    Purpose — The purpose of this study is to examine security incident response practices of IT security practitioners as a diagnostic work process, including the preparation phase, detection, and analysis of anomalies. Design/methodology/approach — The data set consisted of 16 semi-structured interviews with IT security practitioners from 7 organizational types (e.g., academic, government, private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data... Read more »
  • Retrofitting Existing Web Applications with Effective Dynamic Protection Against SQL Injection Attacks
    This paper presents an approach for retrofitting existing web applications with run-time protection against known as well as unseen SQL injection attacks (SQLIAs) without the involvement of application developers. The precision of the approach is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic, via runtime discovery of the developers' intention for individual SQL statements made by web applications. The proposed approach... Read more »
  • Identification of sources of failures and their propagation in critical infrastructures from 12 years of public failure reports
    Understanding the origin of infrastructure failures and their propagation patterns in critical infrastructures can provide important information for secure and reliable infrastructure design. Among the critical infrastructures, the Communication and Information Technology Infrastructure (CITI) is crucial, as it provides the basic mechanism for sharing information among all infrastructures. Failures in CITI can disrupt the effective functionality of the other critical infrastructures. Conversely, failures in... Read more »
  • An integrated view of human, organizational, and technological challenges of IT security management
    Purpose – The purpose of this study is to determine the main challenges that IT security practitioners face in their organizations, including the interplay among human, organizational, and technological factors. Design/methodology/approach – The data set consisted of 36 semi-structured interviews with IT security practitioners from 17 organizations (academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive... Read more »
  • Security Practitioners in Context: Their Activities and Interactions with Other Stakeholders within Organizations
    This study investigates the context of interactions of IT security practitioners, based on a qualitative analysis of 30 interviews and participatory observation. We identify nine different activities that require interactions between security practitioners and other stakeholders, and describe in detail two of these activities that may serve as useful references for usability scenarios of security tools. We propose a model of the factors contributing to the complexity of interactions between... Read more »
  • On the Imbalance of the Security Problem Space and its Expected Consequences
    Purpose – This paper aims to report on the results of an analysis of the computer security problem space, to suggest the areas with highest potential for making progress in the attacker-defender game, and to propose questions for future research. Design/methodology/approach – The decomposition of the attacker-defender game into technological, human, and social factors enables one to analyze the concentration of public research efforts by defenders. First, representative activities are... Read more »
  • Cooperative Secondary Authorization Recycling
    As enterprise systems, Grids, and other distributed applications scale up and become increasingly complex, their authorization infrastructures—based predominantly on the request-response paradigm—are facing challenges of fragility and poor scalability. We propose an approach where each application server recycles previously received authorizations and shares them with other application servers to mask authorization server failures and network delays. This paper presents the design of our cooperative secondary authorization recycling system and its... Read more »
  • Searching for the Right Fit: Balancing IT Security Management Model Trade-Offs
    IT security professionals’ effectiveness in an organization is influenced not only by how usable their security management tools are but also by how well the organization’s security management model (SMM) fits. Finding the right SMM is critical but can be challenging — trade-offs are inherent to each approach but their implications aren’t always clear. The authors present a case study of one academic institution that created a centralized security team... Read more »
  • Multiple-Channel Security Architecture and Its Implementation over SSL
    This paper presents multiple-channel SSL (MC-SSL), an architecture and protocol for protecting client-server communications. In contrast to SSL, which provides a single end-to-end secure channel, MC-SSL enables applications to employ multiple channels, each with its own cipher suite and data-flow direction. Our approach also allows for several partially trusted application proxies. The main advantages of MC-SSL over SSL are (a) support for end-to-end security in the presence of partially trusted... Read more »
  • Supporting end-to-end Security Across Proxies with Multiple-Channel SSL
    Security system architecture governs the composition of components in security systems and interactions between them. It plays a central role in the design of software security systems that ensure secure access to distributed resources in networked environment. To this end, the security system must not only make constituent components work together, but also ensure that the components as a whole behave consistently and guarantee certain end-to-end properties. One such critical... Read more »
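
The entries on authorization recycling above (“Authorization Recycling in Hierarchical RBAC Systems” and “Cooperative Secondary Authorization Recycling”) rest on one idea: a decision already received from the authorization server can be reused to answer later requests, and in a role hierarchy it can answer requests for roles other than the one originally asked about. The block below is an added illustration written for this page, not code from those papers; the inference rules it applies are the standard semantics of hierarchical RBAC (a senior role inherits every permission of its juniors), and the role names, permission names and the stand-in PDP are invented for the example.

```python
"""Illustrative authorization cache with hierarchical-RBAC inference.

Added example, not code from the papers listed above. Role names, permissions
and the stand-in policy decision point (PDP) are invented for the illustration.
"""
from __future__ import annotations

from typing import Callable, Iterable, Optional

Decision = bool  # True = permit, False = deny


class RoleHierarchy:
    """Senior roles inherit every permission of the roles they dominate."""

    def __init__(self, dominates: dict[str, set[str]]):
        # dominates[senior] = set of immediate junior roles
        self._juniors = {r: set(js) for r, js in dominates.items()}
        self.roles = set(self._juniors) | {j for js in dominates.values() for j in js}

    def juniors_of(self, role: str) -> set[str]:
        """All roles dominated by `role` (transitively), including itself."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self._juniors.get(r, ()))
        return seen

    def seniors_of(self, role: str) -> set[str]:
        """All roles that dominate `role` (transitively), including itself."""
        return {r for r in self.roles if role in self.juniors_of(r)}


class RecyclingPEP:
    """Policy enforcement point that consults a local cache before the PDP."""

    def __init__(self, hierarchy: RoleHierarchy, pdp: Callable[[str, str], Decision]):
        self.h = hierarchy
        self.pdp = pdp
        self.cache: dict[tuple[str, str], Decision] = {}
        self.pdp_calls = 0  # how often we had to go to the authorization server

    def infer(self, role: str, perm: str) -> Optional[Decision]:
        """Recycle cached decisions via the hierarchy; None if nothing applies."""
        exact = self.cache.get((role, perm))
        if exact is not None:
            return exact
        # A permit for a junior role implies a permit for every senior role.
        for j in self.h.juniors_of(role):
            if self.cache.get((j, perm)) is True:
                return True
        # A deny for a senior role implies a deny for every junior role:
        # a junior cannot hold a permission that its senior lacks.
        for s in self.h.seniors_of(role):
            if self.cache.get((s, perm)) is False:
                return False
        return None

    def authorize(self, active_roles: Iterable[str], perm: str) -> Decision:
        """Permit if any active role is (recycled or freshly confirmed) permitted."""
        pending = []
        for role in active_roles:
            d = self.infer(role, perm)
            if d is True:
                return True
            if d is None:
                pending.append(role)
        for role in pending:  # cache miss: ask the PDP and record the answer
            self.pdp_calls += 1
            d = self.pdp(role, perm)
            self.cache[(role, perm)] = d
            if d:
                return True
        return False


# Constructed sample policy (hypothetical): Director > Manager > Employee
HIERARCHY = RoleHierarchy({"Director": {"Manager"}, "Manager": {"Employee"}})
POLICY = {("Employee", "read"), ("Manager", "approve")}  # explicit grants


def sample_pdp(role: str, perm: str) -> Decision:
    """Stand-in PDP: a role is permitted if it or any junior holds the grant."""
    return any((j, perm) in POLICY for j in HIERARCHY.juniors_of(role))


def demo() -> dict:
    """Run five requests; only three of them need the PDP."""
    pep = RecyclingPEP(HIERARCHY, sample_pdp)
    results = {}
    results["employee_read"] = pep.authorize(["Employee"], "read")      # PDP call 1
    results["manager_read"] = pep.authorize(["Manager"], "read")        # recycled permit
    results["director_delete"] = pep.authorize(["Director"], "delete")  # PDP call 2, deny
    results["employee_delete"] = pep.authorize(["Employee"], "delete")  # recycled deny
    results["manager_approve"] = pep.authorize(["Manager"], "approve")  # PDP call 3
    results["pdp_calls"] = pep.pdp_calls
    return results
```

The second and fourth requests in demo() are answered from the cache without contacting the PDP, which is the latency and availability gain the recycling work targets; the cooperative variant would additionally let several enforcement points share the `cache` dictionary. Note that the deny inference is only sound if the hierarchy is the only source of permissions: constraints such as separation of duty, or policies that deny a senior role something its junior may do, break the senior-deny-implies-junior-deny rule and would have to be excluded from recycling.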

refereed workshop and conference publications

  • The Feasibility of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences
    Current smartphone operating systems regulate application permissions by prompting users on an ask-on-first-use basis. Prior research has shown that this method is ineffective because it fails to account for context: the circumstances under which an application first requests access to data may be vastly different than the circumstances under which it subsequently requests access. We performed a longitudinal 131-person field study to analyze the contextuality behind user privacy decisions to... Read more »
  • Characterizing Social Insider Attacks on Facebook
    Facebook accounts are secured against unauthorized access through passwords and device-level security. Those defenses, however, may not be sufficient to prevent social insider attacks, where attackers know their victims, and gain access to a victim’s account by interacting directly with their device. To characterize these attacks, we ran two MTurk studies. In the first (n = 1,308), using the list experiment method, we estimated that 24% of participants had perpetrated... Read more »
  • I’m too Busy to Reset my LinkedIn Password: On the Effectiveness of Password Reset Emails
    A common security practice used to deal with a password breach is locking user accounts and sending out an email to tell users that they need to reset their password to unlock their account. This paper evaluates the effectiveness of this security practice based on the password reset email that LinkedIn sent out around May 2016, and through an online survey conducted on 249 LinkedIn users who received that email.... Read more »
  • I Don’t Use Apple Pay Because It’s Less Secure ...: Perception of Security and Usability in Mobile Tap-and-Pay
    This paper reports on why people use, do not use, or have stopped using mobile tap-and-pay in stores. The results of our online survey with 349 Apple Pay and 511 Android Pay participants suggest that the top reason for using mobile tap-and-pay is usability. Surprisingly, for non-users of Apple Pay, security was their biggest concern. A common security misconception we found among the non-users (who stated security as their biggest concern)... Read more »
  • Harvesting the Low-hanging Fruits: Defending Against Automated Large-Scale Cyber-Intrusions by Focusing on the Vulnerable Population
    The orthodox paradigm to defend against automated social-engineering attacks in large-scale socio-technical systems is reactive and victim-agnostic. Defenses generally focus on identifying the attacks/attackers (e.g., phishing emails, social-bot infiltrations, malware offered for download). To change the status quo, we propose to identify, even if imperfectly, the vulnerable user population, that is, the users that are likely to fall victim to such attacks. Once identified, information about the vulnerable population can... Read more »
  • Snooping on Mobile Phones: Prevalence and Trends
    Personal mobile devices keep private information which people other than the owner may try to access. Thus far, it has been unclear how common it is for people to snoop on one another’s devices. Through an anonymity-preserving survey experiment, we quantify the pervasiveness of snooping attacks, defined as "looking through someone else’s phone without their permission." We estimated the 1-year prevalence to be 31% in an online participant pool. Weighted... Read more »
  • Sharing Health Information on Facebook: Practices, Preferences, and Risk Perceptions of North American Users
    Motivated by the benefits, people have used a variety of web-based services to share health information (HI) online. Among these services, Facebook, which enjoys the largest population of active subscribers, has become a common place for sharing various types of HI. At the same time, Facebook was shown to be vulnerable to various attacks, resulting in unintended information disclosure, privacy invasion, and information misuse. As such, Facebook users face the... Read more »
  • Android Rooting: Methods, Detection, and Evasion
    Android rooting enables device owners to freely customize their own devices and run useful apps that require root privileges. While useful, rooting weakens the security of Android devices and opens the door for malware to obtain privileged access easily. Thus, several rooting prevention mechanisms have been introduced by vendors, and sensitive or high-value mobile apps perform rooting detection to mitigate potential security exposures on rooted devices. However, there is a... Read more »
  • Surpass: System-initiated User-replaceable Passwords
    System-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a system-initiated password scheme called “Surpass” that lets users replace a few characters in a random password to make it more memorable. We conducted a large-scale online study to evaluate the usability and security of four... Read more »
  • Thwarting Fake OSN Accounts by Predicting their Victims
    Traditional defense mechanisms for fighting against automated fake accounts in online social networks are victim-agnostic. Even though victims of fake accounts play an important role in the viability of subsequent attacks, there is no work on utilizing this insight to improve the status quo. In this position paper, we take the first step and propose to incorporate predictions about victims of unknown fakes into the workflows of existing defense mechanisms.... Read more »
  • Android Permissions Remystified: A Field Study on Contextual Integrity
    We instrumented the Android platform to collect data regarding how often and under what circumstances smartphone applications access protected resources regulated by permissions. We performed a 36-person field study to explore the notion of “contextual integrity,” i.e., how often applications access protected resources when users are not expecting it. Based on our collection of 27M data points and exit interviews with participants, we examine the situations in which users would... Read more »
  • On the Memorability of System-generated PINs: Can Chunking Help?
    To ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. 4-digit is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased security we get from using system-generated PINs, however, comes at the cost of memorability. And while banks are increasingly adopting system-generated PINs, the impact on memorability of such PINs has not been studied.... Read more »
  • A Study on the Influential Neighbors to Maximize Information Diffusion in Online Social Networks
    The problem of spreading information is a topic of considerable recent interest, but the traditional influence maximization problem is inadequate for a typical viral marketer who cannot access the entire network topology. To fix this flawed assumption that the marketer can control any arbitrary k nodes in a network, we have developed a decentralized version of the influence maximization problem by influencing k neighbors rather than arbitrary users in the... Read more »
  • On the Impact of Touch ID on iPhone Passcodes
    Smartphones today store large amounts of data that can be confidential, private or sensitive. To protect such data, all mobile OSs have a phone lock mechanism, a mechanism that requires user authentication before granting access to applications and data on the phone. iPhone’s unlocking secret (a.k.a., passcode in Apple’s terminology) is also used to derive a key for encrypting data on the device. Recently, Apple has introduced Touch ID, that... Read more »
  • Integro: Leveraging Victim Prediction for Robust Fake Account Detection in OSNs
    Detecting fake accounts in online social networks (OSNs) protects OSN operators and their users from various malicious activities. Most detection mechanisms attempt to predict and classify user accounts as real (i.e., benign, honest) or fake (i.e., malicious, Sybil) by analyzing user-level activities or graph-level structures. These mechanisms, however, are not robust against adversarial attacks in which fake accounts cloak their operation with patterns resembling real user behavior. We herein observe... Read more »
  • To authorize or not authorize: helping users review access policies in organizations
    This work addresses the problem of reviewing complex access policies in an organizational context using two studies. In the first study, we used semi-structured interviews to explore the access review activity and identify its challenges. The interviews revealed that access review involves challenges such as scale, technical complexity, the frequency of reviews, human errors, and exceptional cases. We also modeled access review in the activity theory framework. The model shows... Read more »
  • To Befriend Or Not? A Model of Friend Request Acceptance on Facebook
    Accepting friend requests from strangers in Facebook-like online social networks is known to be a risky behavior. Still, empirical evidence suggests that Facebook users often accept such requests at a high rate. As a first step towards technological support for users in their decisions about friend requests, we investigate why users accept such requests. We conducted two studies of users' befriending behavior on Facebook. Based on 20 interviews with active... Read more »
  • Finding Influential Neighbors to Maximize Information Diffusion in Twitter
    The problem of spreading information is a topic of considerable recent interest, but the traditional influence maximization problem is inadequate for a typical viral marketer who cannot access the entire network topology. To fix this flawed assumption that the marketer can control any arbitrary k nodes in a network, we have developed a decentralized version of the influence maximization problem by influencing k neighbours rather than arbitrary users in the... Read more »
  • Privacy Aspects of Health Related Information Sharing in Online Social Networks
    Online social networks (OSNs) have formed virtual social networks where people meet and share information. Among all shared information, health related information (HRI) has received considerable attention from researchers and individual users. While considered beneficial, sharing HRI, which is personal in nature, comes with its privacy drawback. Privacy is a process of boundary regulation that is related to the individual and her perception of the surrounding environment. As a result,... Read more »
  • Know Your Enemy: The Risk of Unauthorized Access in Smartphones by Insiders
    Smartphones store large amounts of sensitive data, such as SMS messages, photos, or email. In this paper, we report the results of a study investigating users’ concerns about unauthorized data access on their smartphones (22 interviewed and 724 surveyed subjects). We found that users are generally concerned about insiders (e.g., friends) accessing their data on smartphones. Furthermore, we present the first evidence that the insider threat is a real problem... Read more »
  • Graph-based Sybil Detection in Social and Information Systems
    Sybil attacks in social and information systems have serious security implications. Out of many defence schemes, Graph-based Sybil Detection (GSD) has received the greatest attention from both academia and industry. Even though many GSD algorithms exist, there is no analytical framework to reason about their design, especially as they make different assumptions about the used adversary and graph models. In this paper, we bridge this knowledge gap and present a unified... Read more »
  • Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection
    Password meters tell users whether their passwords are "weak" or "strong." We performed a laboratory experiment to examine whether these meters influenced users' password selections when they were forced to change their real passwords, and when they were not told that their passwords were the subject of a study. We observed that the presence of meters yielded significantly stronger passwords. We performed a followup field experiment to test a different... Read more »
  • The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems
    Millions of web users today employ their Facebook accounts to sign into more than one million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled by OAuth 2.0, a web resource authorization protocol that has been adopted by major service providers. The OAuth 2.0 protocol has been proven secure by several formal methods, but whether it is indeed secure in practice remains an open question. We examine the... Read more »
  • Key Challenges in Defending Against Malicious Socialbots
    The ease with which we adopt online personas and relationships has created a soft spot that cyber criminals are willing to exploit. Advances in artificial intelligence make it feasible to design bots that sense, think and act cooperatively in social settings just like human beings. In the wrong hands, these bots can be used to infiltrate online communities, build up trust over time and then send personalized messages to elicit... Read more »
  • Understanding Users’ Requirements for Data Protection in Smartphones
    Securing smartphones’ data is a new and growing concern, especially when this data represents valuable or sensitive information. Even though there are many data protection solutions for smartphones, there are no studies that investigate users’ requirements for such solutions. In this paper, we approach smartphones’ data protection problem in a user-centric way, and analyze the requirements of data protection systems from users’ perspectives. We elicit the data types that... Read more »
  • The Socialbot Network: When Bots Socialize for Fame and Money
    Online Social Networks (OSNs) have become an integral part of today's Web. Politicians, celebrities, revolutionists, and others use OSNs as a podium to deliver their message to millions of active web users. Unfortunately, in the wrong hands, OSNs can be used to run astroturf campaigns to spread misinformation and propaganda. Such campaigns usually start off by infiltrating a targeted OSN on a large scale. In this paper, we evaluate how... Read more »
  • A Brick Wall, a Locked Door, and a Bandit: A Physical Security Metaphor For Firewall Warnings
    We used an iterative process to design firewall warnings in which the functionality of a personal firewall is visualized based on a physical security metaphor. We performed a study to determine the degree to which our proposed warnings are understandable for users, and the degree to which they convey the risks and encourage safe behavior as compared to text warnings based on those from a popular personal firewall. The evaluation... Read more »
  • Heuristics for Evaluating IT Security Management Tools
    The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. However, standard usability heuristics are hard to apply as IT security management occurs within a complex and collaborative context that involves diverse stakeholders. We propose a set of ITSM usability heuristics that are based on activity theory, are supported by prior research, and consider the complex and cooperative nature of security... Read more »
  • On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings
    We replicated and extended a 2008 study conducted at CMU that investigated the effectiveness of SSL warnings. We adjusted the experimental design to mitigate some of the limitations of that prior study; adjustments include allowing participants to use their web browser of choice and recruiting a more representative user sample. However, during our study we observed a strong disparity between our participants' actions during the laboratory tasks and their... Read more »
  • What Makes Users Refuse Web Single Sign-On? An Empirical Investigation of OpenID
    OpenID is an open and promising Web single sign-on (SSO) solution. This work investigates the challenges and concerns web users face when using OpenID for authentication, and identifies what changes in the login flow could improve the users' experience and adoption incentives. We found our participants had several behaviors, concerns, and misconceptions that hinder the OpenID adoption process: (1) their existing password management strategies reduce the perceived usefulness of SSO;... Read more »
  • Improving Malicious URL Re-Evaluation Scheduling Through an Empirical Study of Malware Download Centers
    The retrieval and analysis of malicious content is an essential task for security researchers. At the same time, the distributors of malicious files deploy countermeasures to evade the scrutiny of security researchers. This paper investigates two techniques used by malware download centers: frequently updating the malicious payload, and blacklisting (i.e., refusing HTTP requests from researchers based on their IP). To this end, we sent HTTP requests to malware... Read more »
  • Heuristics for Evaluating IT Security Management Tools
    The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. However, ITSM occurs within a complex and collaborative context that involves diverse stakeholders; this makes standard usability heuristics difficult to apply. We propose a set of ITSM usability heuristics that are based on activity theory and supported by prior research. We performed a study to compare the use of the ITSM... Read more »
  • OpenID-Enabled Browser: Towards Usable and Secure Web Single Sign-On
    OpenID is an open and promising Web single sign-on solution; however, the interaction flows provided by OpenID are inconsistent and counter-intuitive, and vulnerable to phishing attacks. In this work, we investigated the challenges web users face when using OpenID for authentication, and designed a phishing-resistant, privacy-preserving browser add-on to provide a consistent and intuitive single sign-on user experience for average web users.... Read more »
  • It's Too Complicated, So I Turned It Off! Expectations, Perceptions, and Misconceptions of Personal Firewalls
    Even though personal firewalls are an important aspect of security for the users of personal computers, little attention has been given to their usability. We conducted semi-structured interviews with a diverse set of participants to gain an understanding of their knowledge, requirements, perceptions, and misconceptions of personal firewalls. Through a qualitative analysis of the data, we found that most of our participants were not aware of the functionality of personal... Read more »
  • OpenIDemail Enabled Browser: Towards Fixing the Broken Web Single Sign-On Triangle
    Current Web single sign-on (SSO) solutions impose a cognitive burden on web users and do not provide content-hosting and service providers (CSPs) with sufficient incentives to become relying parties (RPs). We propose a browser-based Web SSO solution that requires minimal user interaction and provide RPs with clear value propositions to motivate their adoption. Our approach builds OpenID support into web browsers, hides OpenID identifiers from users by using their existing... Read more »
  • A Billion Keys, but Few Locks: The Crisis of Web Single Sign-On
    OpenID and InfoCard are two mainstream Web single sign-on (SSO) solutions intended for Internet-scale adoption. While they are technically sound, the business model of these solutions does not provide content-hosting and service providers (CSPs) with sufficient incentives to become relying parties (RPs). In addition, the pressure from users and identity providers (IdPs) is not strong enough to drive CSPs toward adopting Web SSO. As a result, there are currently over... Read more »
  • Challenges in evaluating complex IT security management systems
    Performing ecologically valid user studies for IT security management (ITSM) systems is challenging. The users of these systems are security professionals who are difficult to recruit for interviews, let alone controlled user studies. Furthermore, evaluation of ITSM systems inherits the difficulties of studying collaborative and complex systems. During our research, we have encountered many challenges in studying ITSM systems in their real context of use. This has resulted in... Read more »
  • The Challenges of Understanding Users’ Security-related Knowledge, Behaviour, and Motivations
    In order to improve current security solutions or devise novel ones, it is important to understand users' knowledge, behaviour, motivations and challenges in using a security solution. However, achieving this understanding is challenging because of the limitations of current research methodologies. We have been investigating the experiences of users with two practical implementations of the principle of least privilege (PLP): Windows Vista and Windows 7. PLP requires that users be... Read more »
  • "I did it because I trusted you": Challenges with the Study Environment Biasing Participant Behaviours
    We recently replicated and extended a 2009 study that investigated the effectiveness of SSL warnings. Our experimental design aimed to mitigate some of the limitations of that prior study, including allowing participants to use their web browser of choice and recruiting a more representative user sample. However, during this study we observed and measured a strong bias in participants’ behaviour due to the laboratory environment. In this paper we discuss... Read more »
  • Do Windows Users Follow the Principle of Least Privilege? Investigating User Account Control Practices
    The principle of least privilege requires that users and their programs be granted the most restrictive set of privileges possible to perform required tasks in order to limit the damages caused by security incidents. Low-privileged user accounts (LUA) and user account control (UAC) in Windows Vista and Windows 7 are two practical implementations of this principle. To be successful, however, users must apply due diligence, use appropriate accounts, and respond... Read more »
  • A Case Study of Enterprise Identity Management System Adoption in an Insurance Organization
    This case study describes the adoption of an enterprise identity management(IdM) system in an insurance organization. We describe the state of the organization before deploying the IdM system, and point out the challenges in its IdM practices. We describe the organization's requirements for an IdM system, why a particular solution was chosen, issues in the deployment and configuration of the solution, the expected benefits, and the new challenges that arose... Read more »
  • Secure Web 2.0 Content Sharing Beyond Walled Gardens
    Web 2.0 users need usable mechanisms for sharing their content with each other in a controlled manner across boundaries of content-hosting or application-service providers (CSPs). In this paper, we describe the architecture, design, and implementation of a proposed system for Web 2.0 content sharing across CSPs. With our approach, users use their existing email account to login to CSPs, and content owners use their email-based contact-lists to specify access... Read more »
  • Towards Understanding Diagnostic Work During the Detection and Investigation of Security Incidents
    This study investigates how security practitioners perform diagnostic work during the identification of security incidents. Based on empirical data from 16 interviews with security practitioners, we identify the tasks, skills, strategies and tools that security practitioners use to diagnose security incidents. Our analysis shows that diagnosis is a highly collaborative activity, which may involve practitioners developing their own tools to perform specific tasks. Our results also show that diagnosis during... Read more »
  • Towards Enabling Web 2.0 Content Sharing Beyond Walled Gardens
    Web 2.0 users have many choices of content-hosting or application-service providers (CSPs). It can be difficult for a user to share content with a set of real-life friends and associates; intended viewers of the content may have different CSP memberships than the content sharer. Web 2.0 users need usable mechanisms for sharing their content with each other in a controlled manner across boundaries of CSPs. In this position paper,... Read more »
  • Open Problems in Web 2.0 User Content Sharing
    Users need useful mechanisms for sharing their Web 2.0 content with each other in a controlled manner across boundaries of content-hosting and service providers (CSPs). In this paper, we discuss open problems and research opportunities in the domain of Web 2.0 content sharing among users. We explore issues in the categories of user needs, current sharing solutions provided by CSPs, and distributed access-control related technologies. For each open problem, we... Read more »
  • Revealing Hidden Context: Improving Mental Models of Personal Firewall Users
    The Windows Vista personal firewall provides its diverse users with a basic interface that hides many operational details. However, concealing the impact of network context on the security state of the firewall may result in users developing an incorrect mental model of the protection provided by the firewall. We present a study of participants' mental models of Vista Firewall (VF). We investigated changes to those mental models and their... Read more »
  • Application-Based TCP Hijacking
    We present application-based TCP hijacking (ABTH), a new attack on TCP applications that exploits flaws due to the interplay between TCP and application protocols to inject data into an application session without either server or client applications noticing the spoofing attack. Following the injection of a TCP packet, ABTH resynchronizes the TCP stacks of both the server and the client. To evaluate the feasibility and effectiveness of ABTH, we developed... Read more »
  • Mobile Applications for Public Sector: Balancing Usability and Security
    Development of mobile software applications for use in specific domains such as Public Security must conform to stringent security requirements. While mobile devices have many known limitations, assuring complex fine-grained security policies poses an additional challenge to quality mobile services and raises usability concerns. We address these challenges by means of a novel approach to authentication and gradual multi-factor authorization for access to sensitive data.... Read more »
  • Authorization Using the Publish-Subscribe Model
    Traditional authorization mechanisms based on the request-response model are generally supported by point-to-point communication between applications and authorization servers. As distributed applications increase in size and complexity, an authorization architecture based on point-to-point communication becomes fragile and difficult to manage. This paper presents the use of the publish-subscribe (pub-sub) model for delivering authorization requests and responses between the applications and the authorization servers. Our analysis suggests that using the pub-sub... Read more »
  • Guidelines for Designing IT Security Management Tools
    An important factor that impacts the effectiveness of security systems within an organization is the usability of security management tools. In this paper, we present a survey of design guidelines for such tools. We gathered guidelines and recommendations related to IT security management tools from the literature as well as from our own prior studies of IT security management. We categorized and combined these into a set of high level... Read more »
  • The Challenges of Using an Intrusion Detection System: Is It Worth the Effort?
    An intrusion detection system (IDS) can be a key component of security incident response within organizations. Traditionally, intrusion detection research has focused on improving the accuracy of IDSs, but recent work has recognized the need to support the security practitioners who receive the IDS alarms and investigate suspected incidents. To examine the challenges associated with deploying and maintaining an IDS, we analyzed 9 interviews with IT security practitioners who have... Read more »
  • Human, Organizational and Technological Challenges of Implementing IT Security in Organizations
    Our qualitative research provides a comprehensive list of challenges to the practice of IT security within organizations, including the interplay between human, organizational, and technical factors. We validate and extend prior work through an integration of these challenges into a framework that organizations can use to identify their limitations with respect to IT security. Furthermore, we suggest research opportunities for the improvement of IT security technologies from a holistic point... Read more »
  • Identifying Differences Between Security and Other IT Professionals: a Qualitative Analysis
    We report factors differentiating security and other IT responsibilities. Our findings are based on a qualitative analysis of data from 27 interviews across 11 distinct organizations. The results show that compared to general IT, security professionals have to manage a higher level of complexity, stemming from factors such as the need to balance usability and security, negative stakeholder perception, and external threats. We synthesize the differences into an overall model... Read more »
  • Authorization Recycling in RBAC Systems
    As distributed applications increase in size and complexity, traditional authorization mechanisms based on a single policy decision point are increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization recycling is one technique that has been used to address these challenges. This paper introduces and evaluates the mechanisms for authorization recycling in RBAC enterprise systems. The algorithms that support these mechanisms allow precise... Read more »
  • Security Practitioners in Context: Their Activities and Interactions
    This study develops the context of interactions of IT security practitioners. Preliminary qualitative analysis of 22 interviews (to date) and participatory observation has identified eight different types of activities that require interactions between security practitioners and different stakeholders. Our analysis shows that the tools used by our participants do not provide sufficient support for their complex security tasks, including the interactions with other stakeholders. We provide recommendations to improve tool... Read more »
  • Towards Understanding IT Security Professionals and Their Tools
    We report preliminary results of our ongoing field study of IT professionals who are involved in security management. We interviewed a dozen practitioners from five organizations to understand their workplace and tools. We analyzed the interviews using a variation of Grounded Theory and predesigned themes. Our results suggest that the job of IT security management is distributed across multiple employees, often affiliated with different organizational units or groups within a... Read more »
  • Cooperative Secondary Authorization Recycling
    As distributed applications such as Grid and enterprise systems scale up and become increasingly complex, their authorization infrastructures—based predominantly on the request-response paradigm—are facing challenges in terms of fragility and poor scalability. We propose an approach where each application server caches previously received authorizations at its secondary decision point and shares them with other application servers to mask authorization server failures and network delays. This paper presents the design of... Read more »
  • On the Imbalance of the Security Problem Space and its Expected Consequences
    This paper considers the attacker-defender game in the field of computer security as a three-dimensional phenomenon. The decomposition of the problem space into technological, human, and social factors enabled us to analyze the concentration of public research efforts by defenders. Our analysis suggests that over 94% of the public research in computer security has been concentrated on technological advances. Yet attackers seem to employ more and more human and social... Read more »
  • Studying IT Security Professionals: Research Design and Lessons Learned
    The HOT Admin Field Study used qualitative methods to study information technology security administrators. Both the nature of the field and the difficulty of gaining access to subjects had implications for the study design. We present the lessons we learned, and offer some suggestions for future similar research.... Read more »
  • A Security Analysis of the Precise Time Protocol (Short Paper)
    This paper reports on a security analysis of the IEEE 1588 standard, a.k.a. Precise Time Protocol (PTP). We show that attackers can use the protocol to (a) incorrectly resynchronize clocks, (b) rearrange or disrupt the hierarchy of PTP clocks, (c) bring the protocol participants into an inconsistent state, or (d) deprive victim slave clocks from synchronization in ways undetectable by generic network intrusion detection systems. We also propose countermeasures for... Read more »
  • The Secondary and Approximate Authorization Model and its Application to Bell-LaPadula Policies
    We introduce the concept, model, and policy-specific algorithms for inferring new access control decisions from previous ones. Our secondary and approximate authorization model (SAAM) defines the notions of primary vs. secondary and precise vs. approximate authorizations. Approximate authorization responses are inferred from cached primary responses, and therefore provide an alternative source of access control decisions in the event that the authorization server is unavailable or slow. The ability to compute... Read more »
  • Extending XP Practices to Support Security Requirements Engineering
    This paper proposes a way of extending eXtreme Programming (XP) practices, in particular the original planning game and the coding guidelines, to aid the developers and the customer to engineer security requirements while maintaining the iterative and rapid feedback-driven nature of XP. More specifically, these steps result in two new security-specific flavours of XP User stories: Abuser stories (threat scenarios) and Security-related User stories (security functionalities). The introduced extensions also... Read more »
  • Towards Agile Security Assurance
    Agile development methods are promising to become the next generation replacing water-fall development. They could eventually replace the plan-driven methodologies not only in pure software solutions in such benign domains as word processing and office automation but also in security-critical projects with both software and hardware parts developed or integrated together. At the same time, the accepted practices for security assurance appear to go totally contrary to agile approaches. Can... Read more »
  • Supporting Relationships in Access Control Using Role Based Access Control
    The Role Based Access Control (RBAC) model and mechanism have proven to be useful and effective. This is clear from the many RBAC implementations in commercial products. However, there are many common examples where access decisions must include other factors, in particular, relationships between entities, such as, the user, the object to be accessed, and the subject of the information contained within the object. Such relationships are often not efficiently... Read more »
  • SPAPI: A Security and Protection Architecture for Physical Infrastructures and Its Deployment Strategy Using Sensor Networks
    In recent years, concerns about the safety and security of critical infrastructures have increased enormously. These infrastructures can easily become subjects of physical and cyber attacks. In this paper, we propose a software architecture named Security and Protection Architecture for Physical Infrastructures (SPAPI) for the protection of these critical infrastructures and for other non-military uses. SPAPI has hierarchical, loosely coupled, autonomous management modules for authentication, monitoring and the policy-based... Read more »
  • Performance Considerations for a CORBA-based Application Authorization Service
    Resource Access Decision (RAD) Service allows separation of authorization from application functionality in distributed application systems by providing a logically centralized authorization control mechanism. RAD has attractive features such as decoupling of authorization logic from application logic, simplicity, generality, flexibility, support for complex application level access control, and ease of policy administration in heterogeneous, distributed systems. However, there is a concern of performance penalty for obtaining authorization decisions from a... Read more »
  • Object Security Attributes: Enabling Application-specific Access Control in Middleware
    This paper makes two primary contributions toward establishing support for application-specific factors in middleware security mechanisms. First, it develops a simple classification framework for reasoning about the architecture of the security mechanisms in distributed applications that follow the decision-enforcement paradigm of the reference monitor. It uses the framework to demonstrate that the existing solutions lack satisfying trade-offs for a wide range of those applications that require application-specific factors to be... Read more »
  • Implementing Multiple Channels over SSL
    Multiple-Channel SSL (MC-SSL) is our model and protocol for the security of client-server communication. In contrast to SSL, MC-SSL can securely provide applications with multiple channels, and each of them can have a specific cipher suite and a varying number of application proxies; meanwhile, the channel negotiation and operation in MC-SSL are still based on SSL, which needs a small change in order to support multiple cipher suites. In this... Read more »
  • Here’s Your Lego™ Security Kit: How to Give Developers All Protection Mechanisms They Will Ever Need
    By presenting a protection architecture for ASP.NET Web services, this paper demonstrates the feasibility of creating middleware mechanisms in the form of composable, flexible, and extensible building blocks. Like Lego™ constructor parts, such blocks enable the reduction of the effort of constructing, extending, and adjusting the application properties and middleware services in response to requirements or environment changes.... Read more »
  • eXtreme Security Engineering: On Employing XP Practices to Achieve “Good Enough Security” without Defining It
    This paper examines practices of eXtreme Programming (XP) on the subject of their application to the development of security solutions. We introduce eXtreme Security Engineering (XSE), an application of XP practices to security engineering, and discuss its potential benefits and applicability scope. We argue that XSE could help achieve “good enough security” while avoiding defining a priori what it is.... Read more »
  • Supporting End-to-end security Across Proxies with Multiple-channel SSL
    Secure Socket Layer (SSL) has functional limitations that prevent end-to-end security in the presence of untrusted intermediary application proxies used by clients to communicate with servers. This paper introduces Multiple-Channel SSL (MC-SSL), an extension of SSL, and describes and analyzes the design of MC-SSL proxy channel protocol that enables the support for end-to-end security of client-server communications in the presence of application proxies. MC-SSL is able to securely negotiate multiple... Read more »
  • Applying Aspect-Orientation in Designing Security Systems: A Case Study
    As a security policy model evolves, the design of security systems using that model could become increasingly complicated. It is necessary to come up with an approach to guide the development, reuse and evolution of the design. In this paper, we propose an aspect-oriented design approach to designing flexible and extensible security systems. A case study demonstrates that such an approach has multifold benefits and is worth further exploration.... Read more »
  • A Resource Access Decision Service for CORBA-based Distributed Systems
    Decoupling authorization logic from application logic allows applications with fine-grain access control requirements to be independent from a particular access control policy and from factors that are used in authorization decisions as well as access control models, no matter how dynamic those policies and factors are. It also enables elaborate and consistent access control policies across heterogeneous systems. We present design of a service for resource access authorization in distributed... Read more »
  • A Framework for Implementing Role-based Access Control Using CORBA Security Service
    The paper shows how role-based access control (RBAC) models could be implemented using CORBA Security service. A configuration of CORBA protection system is defined. We provide definitions of RBAC0 and RBAC1 implementations in the framework of CORBA Security and describe what is required from an implementation of CORBA Security service in order to support RBAC0-RBAC3 models.... Read more »
  • Experience Report: Design and Implementation of a Component-Based Protection Architecture for ASP.NET Web Services
    This report reflects, from a software engineering perspective, on the experience of designing and implementing protection mechanisms for ASP.NET Web services. The limitations of Microsoft ASP.NET container security mechanisms render them inadequate for hosting enterprise-scale applications that have to be protected according to diverse and/or complex application-specific security policies. In this paper we report on our experience of designing and implementing a component-based architecture for protecting enterprise-grade Web service applications... Read more »
  • On the Benefits of Decomposing Policy Engines into Components
    In order for middleware systems to be adaptive, their properties and services need to support a wide variety of application-specific policies. However, application developers and administrators should not be expected to cope with complex policy languages and evaluation engines or to develop custom engines from scratch. In this paper, we discuss the benefits of policy engines designed as component frameworks with a mix of parameterized pre-built and custom logic composed... Read more »
  • Flooding and Recycling Authorizations
    The request-response paradigm used for access control solutions commonly leads to point-to-point (PTP) architectures with security enforcement logic obtaining decisions from the authorization servers through remote procedure calls. In massive-scale and complex enterprises, PTP authorization architectures result in fragile and subefficient solutions. The architectures also fail to exploit virtually free CPU resources and network bandwidth. This paper proposes to leverage publish-subscribe architectures for increasing failure resilience and efficiency by flooding... Read more »