Where do security policies come from?

ACM International Conference Proceeding Series

Volumn , Issue , 2010, Pages

  Florêncio, Dinei ^a   Herley, Cormac ^a  

^a MICROSOFT RESEARCH   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INVERSE CORRELATION; SECURITY IMPROVEMENT; SECURITY POLICY;

ELECTRONIC COMMERCE; SECURITY SYSTEMS;

SALES;

EID: 77956241667     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1837110.1837124     Document Type: Conference Paper

References (42)

1. http://www.internetworldstats.com.
2. http://www.worldmapper.org/display.php?selected=336.
3. http://www.openwall.com/john/.
4. Regulation E of the Federal Reserve Board. http://ecfr.gpoaccess.gov/cgi/ t/text/text-idx?c=ecfr&sid=0283a311c8b13f29f284816d4dc5aeb7&rgn= div9&view=text&node=12:2.0.1.1.6.0.3.19.14&idno=12.
5. The Fidelity Customer Protection Guarantee. http://personal.fidelity.com/ accounts/services/findanswer/content/security.shtml.cvsr?refpr=custopq11.
6. Wells Fargo: Online Security Guarantee. https://www.wellsfargo.com/ privacy-security/online/guarantee.
7. Wired: Weak Password Brings 'Happiness' to Twitter Hacker. http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html.
8. Department of Defense Password Management Guideline. Technical Report CSC-STD-002-85, U.S. Dept. of Defense, Computer Security Center, 1985.
9. A. Acquisti and R. Gross. Predicting Social Security Numbers from Public Data. Proc. Natl. Acad. Science, 2009.
10. A. Beautement, M.A. Sasse and M. Wonham. The Compliance Budget: Managing Security Behaviour in Organisations. NSPW, 2008.
11. A. Adams and M. A. Sasse. Users Are Not the Enemy. Commun. ACM, 42(12), 1999.
12. Avira TechBlog. The Most Phished Brands of 2009. http://techblog.avira. com/2009/12/19/the-most-phished-brands-of-2009/en/.
13. C. Herley, P.C. van Oorschot and A.S. Patrick. Passwords: If We're So Smart Why Are We Still Using Them? Proc. Financial Crypto 2009.
14. D.A. Norman. The Way I See It: When security gets in the way. Interactions, 16(6):60-63, 2009.
15. E. Zwicky. Brute Force and Ignorance.; login, April 2010.
16. E.H. Spafford. Security Myths and Passwords. http://www.cerias.purdue. edu/site/blog/post/password-change-myths/.
17. Federal Financial Institutions Examination Council. Top 50 Bank Holding Companies 2009. http://www.ffiec.gov/nicpubweb/nicweb/Top50form.aspx.
18. D. Florêncio and C. Herley. A Large-Scale Study of Web Password Habits. WWW 2007, Banff.
19. D. Florêncio and C. Herley. Stopping Phishing Attacks Even when the Victims Ignore Warnings. MSR Tech. Report, 2005.
20. D. Florêncio and C. Herley. KLASSP: Entering Passwords on a Spyware Infected Machine. ACSAC, 2006.
21. D. Florêncio, C. Herley, and B. Coskun. Do Strong Web Passwords Accomplish Anything? Proc. Usenix Hot Topics in Security, 2007.
22. N. Haller. The S/KEY One-Time Password System. Proc. ISOC Symposium on Network and Distributed System Security, 1994.
23. C. Herley. So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. NSPW 2009, Oxford.
24. C. Herley and D. Florêncio. A Profitless Endeavor: Phishing as Tragedy of the Commons. NSPW 2008, Lake Tahoe, CA.
25. C. Herley and D. Florêncio. Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy. WEIS 2009, London.
26. K. Hole, V. Moen, and T. Tjostheim. Case Study: Online Banking Security. In IEEE Security and Privacy, pages 14-20, 2006.
27. I. Jermyn and A. Mayer and F. Monrose and M.K. Reiter and A.D. Rubin. The Design and Analysis of Graphical Passwords. In Usenix Security, 1999.
28. Imperva. Consumer Password Worst Practices.
29. J. Bonneau and S. Preibusch. The Password Thicket: technical and Market Failures in Human Authentication on the Web. WEIS, 2010.
30. J. Franklin and V. Paxson and A. Perrig and S. Savage. An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. Proc. CCS, 2007.
31. K. J. Hole and V. Moen and T. Tjostheim. Case Study: Online banking Security. IEEE Security & Privacy Magazine, 2006.
32. L. St. Clair and L. Johansen and W. Enck and M. Pirretti and P. Traynor and P. McDaniel and T. Jaeger. Password Exhaustion: Predicting the End of Password Usefulness. In Proc. of 2nd Intl Conf. on Information Systems Security (ICISS), 2006.
33. M. Mannan and P.C. van Oorschot. Security and Usability: The Gap in Real-World Online Banking. NSPW, 2007.
34. M.A. Sasse, S. Brostoff and D. Weirich. Transforming the "weakest link": a human-computer interaction approach to usable and effective security. In BT Technology Journal, 2001.
35. M.E. Zurko and R. T. Simon. User-Centered Security. NSPW, 1996.
36. P. Oechslin. Making a faster crytanalytical time-memory trade-off. Advances in Cryptology - CRYPTO 2003, 2003.
37. P. Inglesant and M. A. Sasse. The True Cost of Unusable Password Policies: Password use in the Wild. CHI, 2010.
38. P.C. van Oorschot, S. Stubblebine. On Countering Online Dictionary Attacks with Login Histories and Humans-in-the-Loop. ACM TISSEC vol. 9 issue 3, 2006.
39. R. Thomas and J. Martin. The Underground Economy: Priceless. Usenix; login:, 2006.
40. S. Bellovin. Security by Checklist. IEEE Security & Privacy Mag., 2008.
41. S. Gaw and E.W. Felten. Password Management Strategies for Online Accounts. Proc. SOUPS.
42. W. E. Burr, D. F. Dodson W. T. Polk. Electronic Authentication Guideline. In NIST Special Publication 800-63, 2006. http://csrc.nist.gov/publications/ nistpubs/800-63/SP800-63V1-0-2.pdf.