Human-oriented computer security

以人为本的计算机安全

• 批准号: RGPIN-2017-06273
• 负责人: Chiasson, Sonia
• 金额: $ 2.48万
• 依托单位: Carleton University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=750344
• 关键词: Human; oriented; computer; security

Effects of poor cybersecurity impact everyone, from individuals to large corporations, not-for-profit organizations, or government agencies. While many security incidents have a human component, these can frequently be traced back to system designs and configurations that placing unreasonable demands on users by ignore human capabilities and real-world context of use. In the same way that network protocols are resilient to network interruptions or dropped packets, I suggest that security systems should be resilient and adaptable to human behaviour. My research program relates to such human-oriented computer security. The main objectives are to identify strengths and vulnerabilities in real-world security mechanisms, to develop improved designs and understand their security and usability implications, and to identify foundational design principles applicable to the general usable security space. For this grant, the following three themes will be explored.Domain experts such as security analysts or software developers are not typical end-users and are often overlooked in terms of usable security. However, consequences of unusable or inadequate tools can be devastating for entire networks or for software deployed worldwide. A first research direction includes improving support for security code reviews by developing tools to help programmers detect security vulnerabilities, prioritize security fixes, and encourage collaborative reviewing of code, partially inspired by Agile software engineering methods. A second direction relates to security analysts who must frequently merge several data sets, find previously undetermined associations among them, and share expertise. We intend to explore such collaborative work and devise new security visualization of large data sets.We have conducted significant research into understanding the human factors and security implications of knowledge-based authentication, and will continue working towards real-world solutions. For example, we have recently turned our attention to user authentication for children, a subject which has received almost no attention in the research community. We are working towards a child-friendly authentication scheme and a parent-child password manager addressing the need for autonomy and privacy while ensuring some parental oversight. In more exploratory research, we are interested in the usable security and privacy for the Internet of Things devices and implications for Smart Cities. This emerging area has significant usable privacy and security implications for end-users, and offers opportunity to affect the implementation of new technologies while their design is still flexible.

糟糕的网络安全影响到每个人，从个人到大公司，非营利组织或政府机构。 虽然许多安全事件都有人为因素，但这些事件通常可以追溯到系统设计和配置，这些设计和配置通过忽视人的能力和实际使用环境而对用户提出不合理的要求。就像网络协议对网络中断或丢失的数据包具有弹性一样，我建议安全系统应该具有弹性并适应人类行为。我的研究计划涉及到这种以人为本的计算机安全。主要目标是识别现实世界安全机制中的优势和漏洞，开发改进的设计并了解其安全性和可用性影响，并确定适用于一般可用安全空间的基本设计原则。安全分析师或软件开发人员等领域专家不是典型的最终用户，在可用的安全性方面往往被忽视。然而，无法使用或不适当的工具可能会对整个网络或部署在世界各地的软件造成破坏性后果。第一个研究方向包括通过开发工具来帮助程序员检测安全漏洞，优先考虑安全修复，并鼓励代码的协作审查，部分灵感来自敏捷软件工程方法。第二个方向与安全分析师有关，他们必须经常合并多个数据集，找到它们之间以前未确定的关联，并分享专业知识。我们打算探索这种协作工作，并为大型数据集设计新的安全可视化。我们已经进行了大量研究，以了解基于知识的身份验证的人为因素和安全影响，并将继续致力于现实世界的解决方案。例如，我们最近将注意力转向了儿童用户身份验证，这是一个在研究界几乎没有受到关注的主题。我们正在努力实现一个儿童友好的身份验证方案和一个父母-孩子密码管理器，以满足自主和隐私的需要，同时确保一些父母的监督。在更多的探索性研究中，我们对物联网设备的可用安全性和隐私性以及对智能城市的影响感兴趣。这一新兴领域对最终用户具有重要的可用隐私和安全影响，并提供了在设计仍然灵活的情况下影响新技术实施的机会。