Human Factors


Automated defenses are often the first line against cyber-attacks. But human factors play a major role both in terms of attack and defense. The fourteen papers cited here examine a number of issues correlated with human factors to expose vulnerabilities. The first four papers were presented at HOT SoS 2014, the Symposium and Bootcamp on the Science of Security (HotSoS), a research event centered on the Science of Security held April 8-9, 2014 in Raleigh, North Carolina.

  • Lucas Layman, Sylvain David Diffo, Nico Zazworka. “Human Factors in Webserver Log File Analysis: A Controlled Experiment on Investigating Malicious Activity” 2014 HOT SoS, Symposium and Conference on. Raleigh, NC. (To be published in Journals of the ACM, 2014) (ID#:14-1395) Available at: http://www.hot-sos.org/2014/proceedings/papers.pdf While automated methods are the first line of defense for detecting attacks on webservers, a human agent is required to understand the attacker's intent and the attack process. The goal of this research is to understand the value of various log fields and the cognitive processes by which log information is grouped, searched, and correlated. Such knowledge will enable the development of human-focused log file investigation technologies. We performed controlled experiments with 65 subjects (IT professionals and novices) who investigated excerpts from six webserver log files. Quantitative and qualitative data were gathered to: 1) analyze subject accuracy in identifying malicious activity; 2) identify the most useful pieces of log file information; and 3) understand the techniques and strategies used by subjects to process the information. Statistically significant effects were observed in the accuracy of identifying attacks and time taken depending on the type of attack. Systematic differences were also observed in the log fields used by high-performing and low-performing groups. The findings include: 1) new insights into how specific log data fields are used to effectively assess potentially malicious activity; 2) obfuscating factors in log data from a human cognitive perspective; and 3) practical implications for tools to support log file investigations. Keywords: security, science of security, log files, human factors
  • Alain Forget, Saranga Komanduri, Alessandro Acquisti, Nicolas Christin, Lorrie Faith Cranor, Rahul Telang. “Building the Security Behavior Observatory: An Infrastructure for Long-term Monitoring of Client Machines” 2014 HOT SoS, Symposium and Conference on. Raleigh, NC. (To be published in Journals of the ACM, 2014) (ID#:14-1396) Available at: http://www.hot-sos.org/2014/proceedings/papers.pdf We present an architecture for the Security Behavior Observatory (SBO), a client-server infrastructure designed to collect a wide array of data on user and computer behavior from hundreds of participants over several years. The SBO infrastructure had to be carefully designed to fulfill several requirements. First, the SBO must scale with the desired length, breadth, and depth of data collection. Second, we must take extraordinary care to ensure the security of the collected data, which will inevitably include intimate participant behavioral data. Third, the SBO must serve our research interests, which will inevitably change as collected data is analyzed and interpreted. This short paper summarizes some of our design and implementation benefits and discusses a few hurdles and trade-offs to consider when designing such a data collection system.
  • Wei Yang, Xusheng Xiao, Rahul Pandita, William Enck, Tao Xie. “Improving Mobile Application Security via Bridging User Expectations and Application Behaviors” 2014 HOT SoS, Symposium and Conference on. Raleigh, NC. (To be published in Journals of the ACM, 2014) (ID#:14-1397) Available at: http://www.hot-sos.org/2014/proceedings/papers.pdf To keep malware out of mobile application markets, various existing techniques analyze the security aspects of application behaviors and summarize patterns of these security aspects to determine what applications do. However, there is lack of incorporating user expectations, reflected via user perceptions in combination with user judgment, into the analysis to determine whether the application behaviors are expected by the users. This poster presents our recent work on bridging the semantic gap between user perceptions of the application behavior and the actual application behavior. Keywords: Mobile Application, Privacy Control, Information Flow Analysis, Natural Language Processing
  • Agnes Davis, Ashwin Shashidharan, Qian Liu, William Enck, Anne McLaughlin, Benjamin Watson. “Insecure Behaviors on Mobile Devices under Stress” 2014 HOT SoS, Symposium and Conference on. Raleigh, NC. (To be published in Journals of the ACM, 2014) (ID#:14-1398) Available at: http://www.hot-sos.org/2014/proceedings/papers.pdf One of the biggest challenges in mobile security is human behavior. The most secure password may be useless if it is sent as a text or in an email. The most secure network is only as secure as its most careless user. Thus, in the current project we sought to discover the conditions under which users of mobile devices were most likely to make security errors. This scaffolds a larger project where we will develop automatic ways of detecting such environments and eventually supporting users during these times to encourage safe mobile behaviors.
  • Bakdash, J.Z.; Pizzocaro, D.; Precee, A., "Human Factors in Intelligence, Surveillance, and Reconnaissance: Gaps for Soldiers and Technology Recommendations," Military Communications Conference, MILCOM 2013 - 2013 IEEE , vol., no., pp.1900,1905, 18-20 Nov. 2013. (ID#:14-1399) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6735902&isnumber=6735577 We investigate the gaps for Soldiers in information collection and resource management for Intelligence, Surveillance, and Reconnaissance (ISR). ISR comprises the intelligence functions supporting military operations, we concentrate on ISR for physical sensors (air and ground platforms). To identify gaps, we use approaches from Human Factors (interactions between humans and technical systems to optimize human and system performance) at the level of Soldier functions/activities in ISR. Key gaps (e.g., the loud auditory signatures of some air assets, unofficial ISR requests, and unintended battlefield effects) are identified. These gaps illustrate that ISR is not purely a technical problem. Instead, interactions between technical systems, humans, and the environment result in unpredictability and adaptability in using technical systems. To mitigate these gaps, we provide technology recommendations. Keywords: human factors; surveillance; ISR; battlefield effects; human factors; human-system integration; information collection; intelligence functions; intelligence surveillance reconnaissance; military operations; resource management; soldier functions; technical systems; Artificial intelligence; Human factors; Intelligent sensors; Interviews; Resource management; Security; SR; and reconnaissance; cognitive systems engineering; human factors; human-systems integration; intelligence; surveillance
  •  Adeka, M.; Shepherd, S.; Abd-Alhameed, R., "Resolving the password security purgatory in the contexts of technology, security and human factors," Computer Applications Technology (ICCAT), 2013 International Conference on , vol., no., pp.1,7, 20-22 Jan. 2013. (ID#:14-1400) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6522044&isnumber=6521952 Passwords are the most popular and constitute the first line of defense in computer-based security systems; despite the existence of more attack-resistant authentication schemes. In order to enhance password security, it is imperative to strike a balance between having enough rules to maintain good security and not having too many rules that would compel users to take evasive actions which would, in turn, compromise security. It is noted that the human factor is the most critical element in the security system for at least three possible reasons; it is the weakest link, the only factor that exercises initiatives, as well as the factor that transcends all the other elements of the entire system. This illustrates the significance of social engineering in security designs, and the fact that security is indeed a function of both technology and human factors; bearing in mind the fact that there can be no technical hacking in vacuum. This paper examines the current divergence among security engineers as regards the rules governing best practices in the use of passwords: should they be written down or memorized; changed frequently or remain permanent? It also attempts to elucidate the facts surrounding some of the myths associated with computer security. This paper posits that destitution of requisite balance between the factors of technology and factors of humanity is responsible for the purgatory posture of password security related problems. It is thus recommended that, in the handling of password security issues, human factors should be given priority over technological factors. 
The paper proposes the use of the (k, n)-Threshold Scheme, such as the Shamir's secret-sharing scheme, to enhance the security of the password repository. This presupposes an inclination towards writing down the password: after all, Diamond, Platinum, Gold and Silver are not memorized; they are stored. Keywords: authorization; cryptography; social aspects of automation; Shamir secret-sharing scheme; attack-resistant authentication scheme; computer-based security system; human factors context; password repository; password security purgatory; security context; security design; security rule; social engineering; technology context; threshold scheme; computer security; cryptography; human hacking; password; password repository; purgatory; social engineering; socio-cryptanalysis; technology
  • Rajbhandari, L., "Consideration of Opportunity and Human Factor: Required Paradigm Shift for Information Security Risk Management," Intelligence and Security Informatics Conference (EISIC), 2013 European, vol., no., pp.147,150, 12-14 Aug. 2013. (ID#:14-1401) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6657142&isnumber=6657109 Most of the existing Risk Analysis and Management Methods (RAMMs) focus on threat without taking account of the available opportunity to an entity. Besides, human aspects are not often given much importance in these methods. These issues create a considerable drawback as the available opportunities to an entity (organization, system, etc.) might go unnoticed which might hamper the entity from achieving its objectives. Moreover, understanding the motives of humans plays an important role in guiding the risk analysis. This paper reviews several existing RAMMs to highlight the above issues and provides reasoning as to emphasize the importance of these two issues in information security management. From the analysis of the selected methods, we identified that a majority of the methods acknowledge only threat and the consideration of human factors have not been reflected. Although, the issues are not new, these still remain open and the field of risk management needs to be directed towards addressing them. The review is expected to be helpful both to the researchers and practitioners in providing relevant information to consider these issues for further improving the existing RAMMs or when developing new methods. Keywords: business data processing; human factors; risk management; security of data; RAMM; human aspects; human factor; information security risk management; paradigm shift; risk analysis and management methods; Human factors; Information security; NIST; Risk management; human factors; opportunity; risk management
  • Chowdhury, S.; Poet, R.; Mackenzie, L., "Exploring the Guessability of Image Passwords Using Verbal Descriptions," Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on, vol., no., pp.768,775, 16-18 July 2013. (ID#:14-1402) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6680913&isnumber=6680793 One claimed advantage of the image passwords used in recognition based graphical authentication systems (RBGSs) over text passwords is that they cannot be written down or verbally disclosed. However, there is no empirical evidence to support this claim. In this paper, we present the first published comparison of the vulnerability of four different image types -Mikon, doodle, art and everyday object images to verbal/spoken descriptions, when used as passwords in RBGS. This paper considers one of the human factors in security i.e. password sharing through spoken descriptions. The user study conducted with 126 participants (56 callers/ describer and 70 listeners/ attacker) measures how easy it is for an attacker to guess a password in a RBGS, if the passwords are verbally described. The experimental set up is a two way dialogue between a caller and a listener over telephone using repeated measures protocol, which measures mean successful login percentage. The results of the study show the object images to be most guessable, and doodles follow close behind. Mikon images are less guessable than doodle followed by art images, which are the least guessable. We believe that unless, the human factors in security like the one considered in this paper is taken into account, the RBGSs will always look secure on paper, but fail in practice.
Keywords: human factors; image coding; security of data; Mikon image; RBGS; art image; doodle image; everyday object images; human factors; image password guessability; password sharing; recognition based graphical authentication systems; repeated measure protocol; spoken descriptions; text passwords; verbal descriptions; Art; Authentication; Educational institutions; Electronic mail; Image recognition; Protocols; graphical authentication; guessability study; human factors in security; image passwords; password disclosure; verbal descriptions
  • Phuong Cao, Hongyang Li, Klara Nahrstedt, Zbigniew Kalbarczyk, Ravishankar Iyer, Adam J. Slagell. “Personalized Password Guessing: a New Security Threat” 2014 HOT SoS, Symposium and Conference on. Raleigh, NC. (To be published in Journals of the ACM, 2014). (ID#:14-1403) Available at: http://www.hot-sos.org/2014/proceedings/papers.pdf This paper presents a model for generating personalized passwords (i.e., passwords based on user and service profile). A user's password is generated from a list of personalized words, each word is drawn from a topic relating to a user and the service in use. The proposed model can be applied to: (i) assess the strength of a password (i.e., determine how many guesses are used to crack the password), and (ii) generate secure (i.e., contains digits, special characters, or capitalized characters) yet easy to memorize passwords. Keywords: guessing, password, personalized, suggestion
  • Sambit Bakshi, Tugkan Tuglular. “Security through human-factors and biometrics” Proceedings of the 6th International Conference on Security of Information and Networks November 2013 (Pages 463-463). (ID#:14-1404) Available at: http://dl.acm.org/citation.cfm?id=2523514.2523597&coll=DL&dl=GUIDE&CFID=449173199&CFTOKEN=84629271 or http://doi.acm.org/10.1145/2523514.2523597 Biometrics is the science of identifying or verifying every individual uniquely in a set of people by using physiological or behavioral characteristics possessed by the user. Opposed to the knowledge-based and token-based security systems, cutting-edge biometrics-based identification systems offer higher security and less probability of spoofing. The need of biometric systems is increasing in day-to-day activities due to its ease of use by common people in any sector of personalized access, e.g. in attendance system of organizations, citizenship proof, door lock for high security zones, etc. Financial sector, government, and reservation systems are adopting biometric technologies to ensure highest possible security in their own domains and to maintain signed activity log of every individual. Keywords: human factors, human computer interaction
  • Lisa Rajbhandari. “Consideration of Opportunity and Human Factor: Required Paradigm Shift for Information Security Risk Management” EISIC '13 Proceedings of the 2013 European Intelligence and Security Informatics Conference August 2013 (Pages 147-150). (ID#:14-1405) Available at: http://dl.acm.org/citation.cfm?id=2547608.2547651&coll=DL&dl=GUIDE&CFID=449173199&CFTOKEN=84629271 or http://dx.doi.org/10.1109/EISIC.2013.32 Most of the existing Risk Analysis and Management Methods (RAMMs) focus on threat without taking account of the available opportunity to an entity. Besides, human aspects are not often given much importance in these methods. These issues create a considerable drawback as the available opportunities to an entity (organization, system, etc.) might go unnoticed which might hamper the entity from achieving its objectives. Moreover, understanding the motives of humans plays an important role in guiding the risk analysis. This paper reviews several existing RAMMs to highlight the above issues and provides reasoning as to emphasize the importance of these two issues in information security management. From the analysis of the selected methods, we identified that a majority of the methods acknowledge only threat and the consideration of human factors have not been reflected. Although, the issues are not new, these still remain open and the field of risk management needs to be directed towards addressing them. The review is expected to be helpful both to the researchers and practitioners in providing relevant information to consider these issues for further improving the existing RAMMs or when developing new methods.
  • Hannah Quay-de la Vallee, James M. Walsh, William Zimrin, Kathi Fisler, Shriram Krishnamurthi, “Usable security as a static-analysis problem: modeling and reasoning about user permissions in social-sharing systems” Proceedings of the 2013 ACM international symposium on New ideas, new paradigms, and reflections on programming & software October 2013 (Pages 1-16). (ID#:14-1406) Available at: http://dl.acm.org/citation.cfm?id=2509578.2509589&coll=DL&dl=GUIDE&CFID=449173199&CFTOKEN=84629271 or http://doi.acm.org/10.1145/2509578.2509589 The privacy policies of many websites, especially those designed for sharing data, are a product of many inputs. They are defined by the program underlying the website, by user configurations (such as privacy settings), and by the interactions that interfaces enable with the site. A website's security thus depends partly on users' ability to effectively use security mechanisms provided through the interface. Questions about the effectiveness of an interface are typically left to manual evaluation by user-experience experts. However, interfaces are generated by programs and user input is received and processed by programs. This suggests that aspects of usable security could also be approached as a program-analysis problem. This paper establishes a foundation on which to build formal analyses for usable security. We define a formal model for data-sharing websites. We adapt a set of design principles for usable security to modern websites and formalize them with respect to our model. In the formalization, we decompose each principle into two parts: one amenable to formal analysis, and another that requires manual evaluation by a designer. We demonstrate the potential of this approach through a preliminary analysis of models of actual sites. Keywords: formal methods, human factors, protection mechanisms
  • Amir Herzberg, Ronen Margulies. “Forcing Johnny to login safely” Journal of Computer Security - Research in Computer Security and Privacy: Emerging Trends. Volume 21 Issue 3, May 2013 (Pages 393-424). (ID#:14-1407) Available at: http://dl.acm.org/citation.cfm?id=2590618.2590622&coll=DL&dl=GUIDE&CFID=449173199&CFTOKEN=84629271 or http://dl.acm.org/citation.cfm?id=2590618.2590622 We present the results of the first long-term user study of site-based login mechanisms which force and train users to login safely. We found that interactive site-identifying images received 70% detection rates, which is significantly better than the results received by the typical login ceremony and with passive defense indicators [in: CHI'06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM, New York, 2006, pp. 601--610; Computers & Security 281,2 2009, 63--71; in: SP'07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, 2007, pp. 51--65]. We also found that combining login bookmarks with interactive images and 'non-working' buttons/links achieved the best detection rates 82% and overall resistance rates 93%. We also present WAPP Web Application Phishing-Protection, an effective server-side solution which combines the login bookmark and the interactive custom image indicators. WAPP provides two-factor and two-sided authentication.
  • Song Chen, Vandana P. Janeja, “Human perspective to anomaly detection for cybersecurity” Journal of Intelligent Information Systems, Volume 42 Issue 1, February 2014 (Pages 133-153). (ID#:14-1408) Available at: http://dl.acm.org/citation.cfm?id=2583732.2583763&coll=DL&dl=GUIDE&CFID=449173199&CFTOKEN=84629271 or http://dx.doi.org/10.1007/s10844-013-0266-3 Traditionally signature-based network Intrusion Detection Systems (IDS) rely on inputs from domain experts and can only identify the attacks if they occur as individual event. IDS generate large number of alerts and it becomes very difficult for human users to go through each message. Previous researches have proposed analytics based approaches to analyze IDS alert patterns based on anomaly detection models, multi-steps models or probabilistic approaches. However, due to the complexities of network intrusions, it is impossible to develop all possible attack patterns or to avoid false positives. With the advance in technologies and popularity of networks in our daily life, it is becoming more and more difficult to detect network intrusions. However, no matter how rapid the technologies change, the human behaviors behind the cyber attacks stay relatively constant. This provides us an opportunity to develop an improved system to detect the unusual cyber attacks. In this paper, we developed four network intrusion models based on consideration of human factors. We then tested these models on ITOC Cyber Defense Competition (CDX) 2009 data. Our results are encouraging. These Models are not only able to recognize most network attacks identified by SNORT log alerts, they are also able to distinguish the non-attack network traffic that was potentially missed by SNORT as indicated by ground truth validation of the data.

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.