Usable Security Project
Western Illinois University
 
 
Welcome to Usable Security Education Project Home Page
  

Computer Security Fundamentals (for Majors)

  1. What is the 3P Method of teaching computer security?

    The 3P Method encourages students to view security problems from three perspectives: Defense, Offense and Use.

  2. Why does it work?

    Any problem analyzed from different angles results in better solutions. In computer security, the above three perspectives are extremely important.

  3. What is novel about this method?

    Security professionals tend to view security as a technical problem, and most courses on computer security focus on technical aspects. However, human factors are as important as technical factors in ensuring system security. Encouraging students to analyze problems from three different perspectives can help them develop the habit of considering security issues from the users' viewpoint, resulting in better usable security. This, we hope, will prepare them to tackle current or evolving issues such as phishing, tabnabbing and electronic social engineering.

  4. Usability sounds easy. So where is the challenge?

    The challenge is to make students aware that usability problems can lead to security problems, and that system design should therefore take usable security issues into account.

  5. Designing for Usability needs expertise. How can you expect students to have that kind of expertise in a sixteen-week course?

    Yes, we agree. Developing expertise in sixteen weeks is not easy, and that is not expected. What is expected is that students understand that human factors are equally important and deserve attention. Security professionals are stakeholders when usability problems lead to security violations.

  6. Can you give me some examples of actual problems solved better when viewed from 3P?

    3P Method
    Figure 1: 3P Learning Outcome Example


    1. Fundamentals: the traditional computer security approach focuses on security properties such as confidentiality, integrity and availability. However, viewing from the Use perspective, students quickly realize that even though users are expected to make decisions on the confidentiality of their data, the authenticity of a website, etc., users are unable to do so effectively because of usability issues. So the security properties may be expanded to include human factor security (including usability of security functions).
    2. Password Problem: analyzing passwords from the Defense side would suggest password policies that call for longer and more complex passwords. Analyzing from the Use perspective helps students realize that users may find it hard to remember passwords, so they may set easy-to-remember passwords. Analyzing from the Offense perspective would help them find the most common passwords on the Internet. Having usability knowledge would let them know that people remember pictures better, and therefore in some cases picture passwords make sense (e.g., touch screen input). Security analysis determines the minimum number of pictures to be used to ensure a reasonable level of security. Again, analyzing from the Offense perspective makes students aware of the shoulder surfing possibilities.
    3. Biometrics: the ROC curve of a biometric system plots two properties: False Match Rate (FMR) and False Non-Match Rate (FNMR). It doesn't take much time for students to realize that FMR is very important from the Defense perspective. Soon, they also see that FNMR is important from the Use viewpoint. Students come to understand the need for striking a balance between security and usability, depending on the application domain.
    4. Authorization: in an example where students have to determine the right level of authorization, they arrive at a set of access rights by following the principle of least privilege. However, when they pay attention to the Use aspect, they recognize current and future communication needs. Students understand that it is not always feasible to go to the supervisor when they need to share something with their team members. Further, they realize that a stricter-than-necessary policy may result in less security, since people may start sharing information on a thumb drive, which is a security risk when viewed from the Offense side.
    5. Encryption: students quickly learn that the longer the key, the greater the strength of the cipher. However, when they analyze from the Use perspective, they realize that people cannot remember long keys, so the keys need to be stored somewhere. If they are stored in files, they may be stolen (Offense). Thus the file may be password protected, or a password may somehow be incorporated to generate the encryption key (Use). Again, having usable security knowledge helps them understand that encryption is not the user's primary task. Thus, they understand the need for designing an interface that follows the user's mental model.
    6. Mandatory Security: students understand that sometimes it is a good idea for the system to enforce security rather than leaving it to the user's discretion. They will, however, be mindful of the user's communication needs in such systems. This results in suggesting a design where a user is given multiple accounts with different security levels, up to his/her clearance, on a need-to-know and need-to-use basis.
    7. Threat Modeling: during the threat modeling process, students traditionally look at threats arising from factors such as buffer overflows, viruses, trojan horses, DNS spoofing, phishing, pharming, etc. Although they might touch upon threats arising from human factors, they tend to blame users for the violations. Analyzing the problem from the Use perspective helps them realize that most of the problems are due to bad design and that most users want to do their best to ensure security. STRIDE threat analysis does not sufficiently emphasize looking for threats arising from human factors.
    8. SSL: from the Defense point of view, students learn that SSL helps protect data privacy by encryption. The Offense point of view may detect a person-in-the-middle attack. It might point to the need to protect the private key lest it be found by a hacker. However, when looking from the Use side, students understand that even with all these in place, security may be compromised if users don't properly understand an SSL warning, or if they ignore the warning because they give priority to their primary task (accessing the website) over their secondary task (security).
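
    The FMR/FNMR balance from the Biometrics item, as an added example that is not part of the original course material. The similarity scores, thresholds and function names are constructed for illustration; the sketch computes both rates per threshold and picks an operating point for a security-first and a usability-first application domain.

```python
"""FMR/FNMR trade-off for a score-based biometric matcher (constructed data)."""

# Constructed similarity scores in [0, 1]; higher means "more likely the same person".
GENUINE = [0.91, 0.84, 0.78, 0.88, 0.62, 0.95, 0.71, 0.81, 0.55, 0.90]
IMPOSTOR = [0.12, 0.33, 0.47, 0.58, 0.21, 0.40, 0.66, 0.29, 0.18, 0.51]
THRESHOLDS = [0.30, 0.40, 0.50, 0.60, 0.70, 0.80]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FMR, FNMR) when scores >= threshold are accepted as a match."""
    # FMR: impostor attempts wrongly accepted (the Defense concern).
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    # FNMR: genuine attempts wrongly rejected (the Use concern).
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def roc_points(thresholds=THRESHOLDS):
    """One (threshold, FMR, FNMR) tuple per candidate threshold."""
    return [(t, *rates(t)) for t in thresholds]


def pick_threshold(thresholds=THRESHOLDS, max_fmr=None, max_fnmr=None):
    """Choose an operating point for an application domain.

    max_fmr:  security first, lowest FNMR among thresholds within the FMR cap.
    max_fnmr: usability first, lowest FMR among thresholds within the FNMR cap.
    Returns (threshold, FMR, FNMR), or None if no threshold meets the cap.
    """
    if (max_fmr is None) == (max_fnmr is None):
        raise ValueError("give exactly one of max_fmr or max_fnmr")
    points = roc_points(thresholds)
    if max_fmr is not None:
        ok = [p for p in points if p[1] <= max_fmr]
        return min(ok, key=lambda p: p[2]) if ok else None
    ok = [p for p in points if p[2] <= max_fnmr]
    return min(ok, key=lambda p: p[1]) if ok else None


if __name__ == "__main__":
    for t, fmr, fnmr in roc_points():
        print(f"threshold={t:.2f}  FMR={fmr:.1f}  FNMR={fnmr:.1f}")
    print("security-first :", pick_threshold(max_fmr=0.0))
    print("usability-first:", pick_threshold(max_fnmr=0.0))
```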

  7. The three perspectives overlap. For example, when students analyze from the Offense perspective, they can uncover a usability issue. So why 3P?

    In fact, all problems may be uncovered if you view the system from the Defense perspective. However, the value of looking at the system from an attacker's perspective (Offense) has already been established. What we advocate is to look from the Use perspective as well, which has the potential to uncover security problems.

  8. Why should we spend time on Usability? Students can always learn it on their own. Let us focus on difficult subject matter in the classroom.

    Evidence has shown that it doesn't happen. Security arising from both technical and human factors should be an integral part of the system design. Failure to address the problem in a comprehensive manner gives rise to insecure system design.

  9. It is very hard to add additional topics into an already crowded curriculum.

    That is exactly the point. We try to integrate usable security into existing topics using the 3P method. It helps students learn security better, as well as usable security. We don't expect students to be usable security experts after taking this course. For that matter, we don't even expect them to be security experts after taking this course.

  10. Slides lack some details I want. Comments?

    Slides are designed to be supporting materials. Instructors are free to change them to suit their classroom use. Instructors are also free to design their own course materials, and using 3P should help while designing their courses. Our efforts will be a success even if an instructor decides to incorporate usable security topics in a traditional manner, because we think that this has not been done widely.

  11. Designing a secure system is more complex than what can be covered in an intro course on security. Comments?

    Yes, designing a secure system can be complex. However, it is never too early to lay the foundation for doing so. The secure design strategy may be introduced even with a simple example such as adding two numbers. Students learn to ask questions such as: Are they integers or real numbers? What are the confidentiality requirements? Are these numbers confidential? Can users make entry errors? What is the best way to warn users? How should overflow errors be handled? What would be the mental model of someone using the system? How can the system design follow the mental model? Can these numbers be read from a keyboard, using a barcode reader or a touch screen? Would it be easier to use a calculator or can additional keys cause users to slow down or make calculation errors?
    Students can then draw a DFD and identify trust boundaries. They can perform threat analysis and draw threat trees. Students should be encouraged to view the system from three perspectives and look for threats arising from both human factors and technical factors. Some sample DFDs are below.

Simple DFD
Figure 2: Level 0 DFD - "Add Two Numbers" System


DFD 2
Figure 3: Level 1 DFD - "Add Two Numbers" System; Identification of Trust Boundaries.
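
Some of the design questions from answer 11 (integers or reals, entry errors, how to warn users, overflow) turned into code, as an added example that is not part of the original course material. It assumes whole-number input stored as 32-bit signed integers; the names `EntryError`, `parse_operand` and `add_two_numbers` are hypothetical.

```python
"""'Add Two Numbers' with entry-error and overflow handling (added example)."""

# Assumption: operands and result are stored as 32-bit signed integers.
INT_MIN, INT_MAX = -2**31, 2**31 - 1
MAX_DIGITS = 10  # digits in 2147483648, the largest valid magnitude


class EntryError(ValueError):
    """Carries a message written for the user, not for the developer."""


def parse_operand(raw, label):
    """Validate one value as it crosses the trust boundary from the input device."""
    text = raw.strip()
    sign, digits = (text[0], text[1:]) if text[:1] in ("+", "-") else ("", text)
    if not digits:
        raise EntryError(f"{label}: please enter a whole number.")
    # Reject reals ("1.5"), letters, and non-ASCII digit look-alikes.
    if not (digits.isascii() and digits.isdigit()):
        raise EntryError(f"{label}: use the digits 0-9 only, with no decimal point.")
    too_big = f"{label}: the number must be between {INT_MIN} and {INT_MAX}."
    # Check the length before converting so oversized input is never parsed.
    if len(digits.lstrip("0")) > MAX_DIGITS:
        raise EntryError(too_big)
    value = int(sign + digits)
    if not INT_MIN <= value <= INT_MAX:
        raise EntryError(too_big)
    return value


def add_two_numbers(raw_a, raw_b):
    """Return the sum, or raise EntryError with a warning the user can act on."""
    a = parse_operand(raw_a, "First number")
    b = parse_operand(raw_b, "Second number")
    total = a + b  # Python integers do not wrap, so test the range explicitly
    if not INT_MIN <= total <= INT_MAX:
        raise EntryError("The sum is too large to store; please check both numbers.")
    return total


if __name__ == "__main__":
    for pair in [("2", " 3 "), ("1.5", "2"), ("2147483647", "1")]:
        try:
            print(pair, "->", add_two_numbers(*pair))
        except EntryError as warning:
            print(pair, "->", warning)
```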


WIU Cybersecurity Center (WIU-CC)
Stipes 447I
Computer Science Department
Western Illinois University
1 University Circle
Macomb IL-61455

This material is based upon work supported by the National Science Foundation under Grant No. 0736643. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.