Visible to the public Biblio

Filters: Author is Ross Koppel, University of Pennsylvania  [Clear All Filters]
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 
A
B
Ross Koppel, University of Pennsylvania, Jim Blythe, University of Southern California, Vijay Kothari, Dartmouth College, Sean Smith, Dartmouth College.  2016.  Beliefs about Cybersecurity Rules and Passwords: A Comparison of Two Survey Samples of Cybersecurity Professionals Versur Regular Users. 12th Symposium On Usable Privacy and Security.

In this paper we explore the differential perceptions of cybersecurity professionals and general users regarding access rules and passwords. We conducted a preliminary survey involving 28 participants: 15 cybersecurity professionals and 13 general users. We present our preliminary findings and explain how such survey data might be used to improve security in
practice. We focus on user fatigue with access rules and passwords.
 

Ross Koppel, University of Pennsylvania, Jim Blythe, University of Southern California, Vijay Kothari, Dartmouth College, Sean W. Smith, Darthmouth Colleg.  2016.  Beliefs about Cybersecurity Rules and Passwords: A Comparison of Two Survey Samples of Cybersecurity Professionals Versus Regular Users. 12th Symposium On Usable Privacy and Security.

In this paper we explore the differential perceptions of cybersecurity professionals and general users regarding access rules and passwords. We conducted a preliminary survey involving 28 participants: 15 cybersecurity professionasl and 13 general users. We present our preliminary findings and explain how such survey data might be used to improve security in practice. We focus on user fatigue with access rules and passwords.

C
Jim Blythe, University of Southern California, Ross Koppel, University of Pennsylvania, Sean Smith, Dartmouth College.  2013.  Circumvention of Security: Good Users Do Bad Things.

Conventional wisdom is that the textbook view describes reality, and only bad people (not good people trying to get their jobs done) break the rules. And yet it doesn't, and good people circumvent.
 

Published in IEEE Security & Privacy, volume 11, issue 5, September - October 2013.

E
Jim Blythe, University of Southern California, Ross Koppel, University of Pennsylvania, Vijay Kothari, Dartmouth College, Sean W. Smith, Dartmouth College.  2014.  Ethnography of Computer Security Evasions in Healthcare Settings: Circumvention as the Norm.

Healthcare professionals have unique motivations, goals, perceptions, training, tensions, and behaviors, which guide workflow and often lead to unprecedented workarounds that weaken the efficacy of security policies and mechanisms. Identifying and understanding these factors that contribute to circumvention, as well as the acts of circumvention themselves, is key to designing, implementing, and maintaining security subsystems that achieve security goals in healthcare settings. To this end, we present our research on workarounds to computer security in healthcare settings without compromising the fundamental health goals. We argue and demonstrate that understanding workarounds to computer security, especially in medical settings, requires not only analyses of computer rules and processes, but also interviews and observations with users and security personnel. In addition, we discuss the value of shadowing clinicians and conducting focus groups with them to understand their motivations and tradeoffs for circumvention. Ethnographic investigation of workflow is paramount to achieving security objectives.

Presented at Safety, Security, Privacy and Interoperability of Health Information Technologies (HealthTec 2014), August 19, 2014 in San Diego, CA. See video at URL below.

F
H
Harold Thimbleby, Swansea University, Ross Koppel, University of Pennsylvania.  2015.  The Healthtech Declaration. IEEE Security and Privacy. 13(6):82-84.

Healthcare technology—sometimes called “healthtech” or “healthsec”—is enmeshed with security and privacy via usability, performance, and cost-effectiveness issues. It is multidisciplinary, distributed, and complex—and it also involves many competing stakeholders and interests. To address the problems that arise in such a multifaceted field—comprised of physicians, IT professionals, management information specialists, computer scientists, edical informaticists, and epidemiologists, to name a few—the Healthtech Declaration was initiated at the most recent USENIX Summit on Information Technologies for Health (Healthtech 2015) held in Washington, DC. This Healthtech Declaration includes an easy-touse—and easy-to-cite—checklist of key issues that anyone proposing a solution must consider (see “The Healthtech Declaration Checklist” sidebar). In this article, we provide the context and motivation for the declaration.

M
Vijay Kothari, Dartmouth College, Jim Blythe, University of Southern California, Ross Koppel, University of Pennsylvania, Sean Smith, Dartmouth College.  2015.  Measuring the Security Impacts of Password Policies Using Cognitive Behavioral Agent Based Modeling. Symposium and Bootcamp on the Science of Security (HotSoS).

Agent-based modeling can serve as a valuable asset to security personnel who wish to better understand the security landscape within their organization, especially as it relates to user behavior and circumvention. In this paper, we ar- gue in favor of cognitive behavioral agent-based modeling for usable security, report on our work on developing an agent- based model for a password management scenario, perform a sensitivity analysis, which provides us with valuable insights into improving security (e.g., an organization that wishes to suppress one form of circumvention may want to endorse another), and provide directions for future work.

Sean Smith, Dartmouth College, Ross Koppel, University of Pennsylvania, Jim Blythe, University of Southern California, Vijay Kothari, Dartmouth College.  2015.  Mismorphism: A Semiotic Model of Computer Security Circumvention.

In real world domains, from healthcare to power to finance, we deploy computer systems intended to streamline and improve the activities of human agents in the corresponding non-cyber worlds. However, talking to actual users (instead of just computer security experts) reveals endemic circumvention of the computer-embedded rules. Good-intentioned users, trying to get their jobs done, systematically work around security and other controls embedded in their IT systems.

This paper reports on our work compiling a large corpus of such incidents and developing a model based on semiotic triads to examine security circumvention. This model suggests that mismorphisms— mappings that fail to preserve structure—lie at the heart of circumvention scenarios; differential percep- tions and needs explain users’ actions. We support this claim with empirical data from the corpus.

Sean Smith, Dartmouth College, Ross Koppel, University of Pennsylvania, Jim Blythe, University of Southern California, Vijay Kothari, Dartmouth College.  2015.  Mismorphism: A Semiotic Model of Computer Security Circumvention (poster abstract). Symposium and Bootcamp on the Science of Security (HotSoS).

In real world domains, from healthcare to power to finance, we deploy computer systems intended to streamline and im- prove the activities of human agents in the corresponding non-cyber worlds. However, talking to actual users (instead of just computer security experts) reveals endemic circum- vention of the computer-embedded rules. Good-intentioned users, trying to get their jobs done, systematically work around security and other controls embedded in their IT systems.

This poster reports on our work compiling a large corpus of such incidents and developing a model based on semi- otic triads to examine security circumvention. This model suggests that mismorphisms—mappings that fail to preserve structure—lie at the heart of circumvention scenarios; dif- ferential perceptions and needs explain users’ actions. We support this claim with empirical data from the corpus.

P
R
S
V
Bruno Korbar, Dartmouth College, Jim Blythe, University of Southern California, Ross Koppel, University of Pennsylvania, Vijay Kothari, Dartmouth College, Sean Smith, Dartmouth College.  2016.  Validating an Agent-Based Model of Human Password Behavior. AAAI-16 Workshop on Artificial Intelligence for Cyber Security .

Effective reasoning about the impact of security policy decisions requires understanding how human users actually behave, rather than assuming desirable but incorrect behavior. Simulation could help with this reasoning, but it requires building computational models of the relevant human behavior and validating that these models match what humans actually do. In this paper we describe our progress on building agent-based models of human behavior with passwords, and we demonstrate how these models reproduce phenomena
shown in the empirical literature.