Computer security impaired by legitimate users

Computers and Security

Volumn 23, Issue 3, 2004, Pages 253-264

  Besnard, Denis ^a   Arief, Budi ^a  

^a NEWCASTLE UNIVERSITY   (United Kingdom)

Author keywords

Cognitive psychology; Computer security; Cost benefit trade offs; Risk; Work practices

Indexed keywords

BEHAVIORAL RESEARCH; COST BENEFIT ANALYSIS; ELECTRONIC COMMERCE; INFORMATION TECHNOLOGY; MONITORING; ONLINE SYSTEMS; PROFESSIONAL ASPECTS; RISKS; USER INTERFACES;

COGNITIVE PSYCHOLOGY; COST BENEFIT TRADE-OFFS; WORK PRACTICES;

SECURITY OF DATA;

EID: 2342598277     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2003.09.002     Document Type: Article

References (64)

1. Ackerman MS, Cranor L. Privacy critics: UI components to safeguard users' privacy. ACM Proceedings of Conference on Human Factors in Computing Systems (CHI'99). Pittsburg, Pennsylvania, short paper v.2; 1999. p. 158-9.
2. Adams A., Sasse M.A. Privacy issues in ubiquitous multimedia environments: wake sleeping dogs or let them lie? Sasse A., Johnson C. Human computer interaction - INTERACT'99. 1999;214-221 IOS Press, Amsterdam.
3. Adams A., Sasse M.A. Users are not the enemy. Commun ACM. 42:1999;41-46.
4. Adams A, Sasse MA, Lunt P. Making passwords secure and usable. Springer Proceedings of HCI'97 People and Computers XII; 1997. p. 1-19.
5. Amalberti R. La conduite des systèmes à risques. 1996;Presses Universitaires de France, Paris.
6. Arief B, Besnard D. Technical and human issues in computer-based systems security. School of Computing Science, University of Newcastle upon Tyne, UK. Technical Report CS-TR-790; 2003.
7. Armstrong I. Viruses: preparing for the onslaught. Secure Comput. (May):2001;24-30.
8. Bainbridge L. Difficulties in complex dynamic tasks. http://www.bainbrdg. demon.co.uk/Papers/CogDiffErr.html:1998;
9. Bastien C. Les connaissances de l'enfant a l'adulte: organisation et mise en œuvre. 1997;Armand Colin, Paris.
10. Besnard D, Greathead D. A cognitive approach to safe violations. University of Newcastle, UK. Technical Report CS-TR-791; 2002.
11. Bhandari I.S., Simon H.A., Sieworek D.P. Optimal probe selection in diagnosis search. IEEE Trans Syst Man Cybernet. 20:1990;990-999.
12. Briney A., Prince F. Does size matter? 2002 survey. Inf Secur. (September):2002.
13. Brostoff S, Sasse MA. Are passfaces more usable than passwords? People and Computers-XIV Usability or Else! Proceedings of HCI2000, Sunderland, UK; 2000. p. 405-24.
14. Brostoff S, Sasse MA. Safe and sound: a safety-critical approach to security. Proceedings of New Security Paradigms Workshop, Cloudcroft, NM; 2001. p. 41-50.
15. Brostoff S, Sasse MA. Ten strikes and you're out: increasing the number of login attempts can improve password usability. Proceedings of CHI 2003 Workshop on HCI and Security Systems, Fort Lauderdale, Florida; 2003.
16. Burkardt J-M, Detienne F. La réutilisation en génie logiciel: une définition d'un cadre de recherche en ergonomie cognitive. Proceedings of ErgoIA 94, Bayonne, France; 1994. p. 83-95.
17. Cranor L.F., Reagle J., Ackerman M.S. Beyond concern: understanding net users' attitudes about online privacy. Vogelsang I., Compaine B. The Internet upheaval: raising questions, seeking answers in communication policy. 2000;47-70 MIT Press, Cambridge, MA.
18. CSI/FBI. Computer crime and security survey. 2003;Computer Security Institute, Southampton, PA. Available from: http://www.gocsi.com/forms/fbi/pdf. html.
19. Default password list. http://www.phenoelit.de/dpl/dpl.html.
20. Dekker S. Failure to adapt or adaptations that fail: contrasting models on procedures and safety. Appl Ergon. 34:2003;233-238.
21. Denning D. Information warfare and security. 1999;Addison Wesley-ACM Press Books.
22. Dourish P, Flor JDdl, Joseph M. Security as a practical problem: some preliminary observations of everyday mental models. Proceedings of CHI 2003 Workshop on HCI and Security Systems, Fort Lauderdale, Florida; 2003.
23. DTI-UK. Information security breaches survey 2002. United Kingdom's Department of Trade and Industry. Technical Report; 2002. Available from: http://www.dti.gov.uk/industry_files/pdf/sbsreport_2002.pdf.
24. Evans S.B.T., Harries C., Dennis I., Dean I. General practitioners' tacit and stated policies in the prescription of lipid lowering agents. Br J Gen Pract. 45:1995;15-18.
25. Flechais I, Sasse MA. Developing secure and usable software. Summary of workshop WS9 held at OT 2003, Cambridge, UK, March 2003. Available from: http://www.cs.ucl.ac.uk/staff/I.Flechais/downloads/oct2003.pdf.
26. Friedman B, Hurley D, Howe DC, Felten E, Nissenbaum H. Users' conceptions of web security: a comparative study. Proceedings of CHI 2002, Minneapolis, Minnesota; 2002. p. 746-7.
27. Fujita Y. Actualities need to be captured. Cogn Technol Work. 2:2000;212-214.
28. Furuta K., Sasou K., Kubota R., Ujita H., Shuto Y., Yagi E. Human factor analysis of JCO criticality accident. Cogn Technol Work. 2:2000;182-203.
29. Gasser L. The integration of computing and routine work. ACM Trans Off Inf Syst. 4:1986;205-225.
30. Geek.com. Major open source code repository hacked for months, says FSF. http://www.geek.com/news/geeknews/2003Aug/gee20030814021314.htm:2003;
31. Gnuftp Compromise. ftp://ftp.gnu.org/MISSING-FILES.README:2003;
32. Gordon S., Ford R. Cyberterrorism? Symantec security response. http://www.symantec.com/avcenter/reference/cyberterrorism.pdf.
33. Grinter RE, Smetters DK. Three challenges for embedding security into applications. Proceedings of CHI 2003 Workshop on HCI and Security Systems, Fort Lauderdale, Florida; 2003.
34. Hafner K., Markoff J. Cyberpunk: outlaws and hackers on the computer frontier. 1995;Simon & Schuster, New York.
35. Hatch B., Lee J., Kurtz G. Hacking Linux exposed: Linux security secrets & solutions. 2001;Osborne/McGraw-Hill.
36. Hoc J.-M., Amalberti R. Diagnostic et prise de décision dans les situations dynamiques. Psychologie Française. 39:1994;177-192.
37. Holmström U. User-centered design of secure software. Proceedings of Human Factors in Telecommunications, Copenhagen, Denmark; 1999.
38. Honeynet-Project. Know your enemy: revealing the security tools, tactics, and motives of the blackhat community. 2001;Addison-Wesley.
39. Jermyn I. The design and analysis of graphical passwords. Proceedings of the Eighth USENIX Security Symposium. Washington, DC; 1999.
40. Leveson N. High pressure steam engines and computer software. IEEE Comput. 10:1994;65-73.
41. Mancini G. Commentary: models of the decision maker in unforeseen accidents. Int J Man Mach Stud. 27:1987;631-639.
42. McClure S., Scrambray J., Kurtz G. Hacking exposed: network security secrets & solutions. 1999;Osborne/McGraw-Hill.
43. Middleton J. DoS attack storms port 445. http://www.vnunet.com/News/ 1131065:2002;
44. Mitnick K., Simon W. The art of deception: controlling the human element of security. 2002;Wiley.
45. NetworkAssociates. W32/Deloder.worm. http://vil.nai.com/vil/content/ v_100127.htm.
46. Nielsen J. Security and human factors. http://www.useit.com/alertbox/ 20001126.html:2000;
47. Patrick AS, Long AC, Flinn S. HCI and security systems. Proceedings of CHI 2003 Workshop on HCI and Security Systems, Fort Lauderdale, Florida; 2003.
48. Reason J. Human error. 1990;Cambridge University Press.
49. Redmill F. The COTS question is one of evidence. Saf Syst. 10:2001;8-10.
50. Redmill F. Some dimensions of risk not often considered by engineers. J Syst Saf. Q4:2002;22-40.
51. Rescorla E. Security holes... Who cares? Proceedings of 12th USENIX Security Symposium, Washington, DC, USA; August 2003. p. 75-90.
52. Richards D. The reuse of knowledge: a user-centered approach. Int J Hum Comput Stud. 52:2000;553-579.
53. Sasse A. Computer security: anatomy of a usability disaster, and a plan for recovery. Proceedings of CHI 2003 Workshop on HCI and Security Systems, Fort Lauderdale, Florida; 2003.
54. Sasse M.A., Brostoff S., Weirich D. Transforming the weakest link - a human computer interaction approach to usable effective security. BT Technol J. 19:2001;122-131.
55. Simon H.A. Models of man. 1957;Wiley, New York.
56. Taylor P. Hackers: crime in the digital sublime. 1999;Routledge.
57. Todd P.A., Bensabat I. The influence of decision aids on choice strategies under conditions of high cognitive load. IEEE Trans Syst Man Cybernet. 24:1994;537-547.
58. Veyrac H., Cellier J.-M., Bertrand A. Modèle de l'opérateur et modèle du prescripteur. Le cas des consignes de résolution de situations incidentelles pour les conducteurs de trains. Le Travail Humain. 60:1997;387-407.
59. Weirich D, Sasse MA. Pretty good persuasion: a first step towards effective password security in the real world. Proceedings of New Security Paradigms Workshop, Cloudcroft, NM; 2002. p. 137-44.
60. Whitten A, Tygar JD. Usability of security: a case study. School of Computing Science, Carnegie Mellon University. Technical Report CMU-CS-98-155; 1998.
61. Whitten A, Tygar JD. Why Johnny can't encrypt: a usability evaluation of PGP 5.0. Proceedings of Ninth USENIX Security Symposium, Washington, DC, USA; 1999.
62. Yee K-P. User interaction design for secure systems. Proceedings of the Fourth International Conference on Information and Communication Security, Singapore; 2002.
63. Zetter K. Viruses: the next generation. http://www.pcworld.com/resource/ printable/article/0,aid,32802,00.asp:2000;
64. Zurko ME, Simon RT. User-centred security. Proceedings of Workshop on New Security Paradigms, Lake Arrowhead, CA; 1996. p. 27-33.