Human aspects of cyber security

It is commonly acknowledged that security requirements cannot be addressed by technical means alone, and that a significant aspect of protection comes down to the attitudes, awareness, behaviour and capabilities of the people involved. Indeed, people can potentially represent a key asset in achieving security, but at present, factors such as lack of awareness and understanding, combined with unreasonable demands from security technologies, can dramatically impede their ability to do so. Ensuring appropriate attention and support for the needs of users should therefore be seen as a vital element of a successful security strategy. 

CSCAN has undertaken a substantial body of research into a variety of areas that ultimately have a human-element – whether that be in making security tools more usable, developing new technologies to remove minimise user inconvenience or enabling security professionals to visualise and process security alerts in a more efficient and effective manner.

Research themes include: 

  • information security culture
  • awareness and education methods
  • enhancing risk perception
  • usable security
  • user acceptance of security policies and technologies
  • user-friendly authentication methods
  • biometric technologies and impacts
  • simplifying risk and threat assessment
  • social engineering and other human-related risks
  • privacy attitudes and practices.

Project insights

Transparent user authentication 

Researcher: Professor Nathan Clarke

User authentication is a fundamental security control that enables access to systems and services. Without successful authentication, subsequent security controls are meaningless. Unfortunately, authentication approaches: secret knowledge, token and biometric, all fail to provide universally strong and acceptable solutions, with a substantial body of literature evidencing this. There is a longstanding dichotomy between the security a particular authentication technique can provide, and the convenience experienced by the user. For example, whilst passwords have the ability to be amongst the most secure authentication approaches (with long and random compositions), the reality is often very different – with studies frequently finding users selecting passwords that are easily attacked.

Our research has focused upon the development of frictionless or transparent authentication, where the approach is predicated on the concept of capturing authentication credentials in a non-intrusive manner whilst the user is naturally interacting with the system or device. This typically involves the capturing of biometric-based information that can be subsequent used to authenticate an individual on a continual basis.

Securing cloud storage

Researcher: Professor Nathan Clarke

Cloud computing has become ubiquitous, whether directly or indirectly consuming services. Amongst the most popular are cloud storage services that allow users to store and access their information. Unfortunately, information stored on the cloud provides additional opportunities for attackers to compromise their data.

Recognising that simply placing additional security controls would likely increase user inconvenience, our research has explored opportunities to provide more secure yet usable security. 

Exploiting our research on transparent authentication one approach has focused upon developing biometric-based encryption of cloud storage data. The technique adds an additional cloud-independent layer of encryption to all cloud documents but without the hassle of having to manage cryptographic keys or type passwords to encrypt and decrypt data. The frictionless capture of biometric data is used directly generate relevant key information required for use within industry standardized cryptographic algorithms.

Another approach has focused upon developing a misuse detection capability. Leveraging behavioral profiling (a biometric-based approach to authentication based upon how a user uses a computing device and its application), our research has empirically shown the viability of monitoring and detecting intrusions via a users’ interactions with their cloud storage information.

Links for more information:

https://www.jinfowar.com/journal/volume-17-issue-4/behavioral-profiling-transparent-verification-cloud-storage-services 

https://link.springer.com/chapter/10.1007%2F978-3-030-12942-2_9

Graphical one-time passwords 

Researchers: Dr Paul Dowland, Dr Hussain Alsairai, Dr Maria Papadaki

Passwords have notoriously been a challenge for people to use securely and effectively. Mechanisms have been devised to help reduce the burden placed upon users. Graphical passwords were created to capitalize upon an individual’s ability to recall images better than a random string of characters improving usability but arguably often at the expense of security. One-time passwords were also created to mitigate against replay and shoulder-surfing attacks; however they suffer from usability issues when used in practice. Our research developed an innovative approach through combining both graphical and one-time passwords together – providing a usable yet more secure approach to user authentication.

Links for more information:

https://www.tandfonline.com/doi/abs/10.1080/19393555.2016.1179374 

https://www.techrepublic.com/article/good-bye-weak-passwords-hello-gotpass-graphical-authentication/

 

Developing usable security for users 

Researchers: Professor Nathan Clarke, Dr Fudong Li, Dr Manal Alohali

Research has traditionally focused upon organisations – typically large Enterprises, although there is a growing focus towards Small-to-Medium Enterprises (SMEs). However, individuals are increasingly targeted by attackers and have become a particular focus in recent years. Our research has sought to develop tools and techniques that have enabled novice users to better understand the threats they face and enable them to make informed decisions about how they wish to proceed.

Research has explored opportunities for risk modelling of information and interactions on mobile devices, measuring, quantifying and adapting in real-time to user’s security behaviors – so as they act in a more secure fashion the system adapts, minimising the inconvenience of reminders, notifications and repeated guidance.

Links for more information:

https://www.emerald.com/insight/content/doi/10.1108/ICS-03-2018-0037/full/html 

https://pearl.plymouth.ac.uk/handle/10026.1/13698

IFIP International Symposium on the Human Aspects of Information Security and Assurance

The centre created and annually organises the IFIP International Symposium on the Human Aspects of Information Security and Assurance

The symposium publishes papers addressing research and case studies in relation to any aspect of information security that pertains to the attitudes, perceptions and behaviour of people, and how human characteristics or technologies may be positively modified to improve the level of protection.