All abstracts

Andrew Clark: Can I trust my television? The rise of untrusted appliances

John Stewart, Vice President and Chief Security Officer of Cisco, reported in 2010 that by the end of the year each of us would have on average 5 IP-connected devices. He further predicted that by the end of 2013 we would each have 140 devices (a world population in excess of 1 trillion devices). One catalyst for this change is the exponential growth of IP-based appliances such as IPTV, Blu-ray and even refrigerators! Combine this with smartphones and Wi-Fi-enabled players and we realise that the very shape of our personal networks is changing. For many years we have relied on a protective security model where the end point devices can exert some measure of control (antivirus, anti-malware, etc.), but these new appliances will not have the capability to undertake the same level of protection. We will need new approaches to protective security that will have to harness the power of the network. In this talk I shall seek to expose how challenging this will be and discuss the degree to which the (security-naive?) user can reasonably be expected to play a role.

Heather Lipford: Personal Privacy Management

A variety of online and mobile applications allow people to post and share photos and documents, personal and contact information, relationships with people and organizations, and location and activities. The goal of all of these applications is to allow people to share useful information with each other for social benefits, and with organizations for customized and useful services. Yet, users are required to act as administrators for all of their own data, managing who can access which pieces of information in which circumstances. On one hand, users can seem oblivious to the security and privacy of their information, doing little to protect their personal data. On the other hand, there has been much media coverage and even consumer backlash over privacy issues. In this talk, I will present the results of several projects aimed at understanding and addressing the privacy needs of users. Our research demonstrates that users do have privacy concerns and problems, and could benefit from greater awareness and control over the sharing of their information. We have designed several new access control mechanisms and interfaces to address these problems, aimed at maintaining the benefits of information sharing while reducing the risks of information disclosures.

Angela Sasse: Re-engineering security thinking

There has been a significant amount of research on usable security over the past decade. Much of this work has focussed on "making it easier for users" to understand security mechanisms and operate them correctly. A deeper examination of usability principles, however, suggests that a fundamental re-thinking of security thinking is required. Traditionally, people have been regarded as components whose behaviour is controlled by security policies, and who need to be taught to use security controls correctly. The impact of this approach on individual and organisational productivity has not been considered. As the number of systems and services that people interact with has increased, employees and consumers have become overwhelmed by the demands placed on them in the name of security - examples include the number of passwords and PINs people are expected to remember, and the number of patches, updates and warnings they encounter every day. We need to re-consider the way we design systems - security and usability requirements need to be integrated, and user interaction with security mechanisms minimised. The talk will draw on recent research in economics of security and software engineering, which have produced methods and tools for realising these goals in practice.

Gerhard Schabhüser: Usability and Security - A Contradiction?! IT security in public administration

In this talk, a set of examples of information assurance systems used by the governmental administration will be presented. The usability aspect will be discussed. We will trade off the security requirements against the usability requirements.

Thorsten Strufe: User-friendly privacy controls for Online Social Networks

The popularity of online social networks has increased rapidly in the last few years. In Germany alone, the number of users at Facebook increased by 40 percent in the last six months. Because of Facebook’s strong popularity there is a wealth of private data aggregated and available for automatic access. To protect personal data from being automatically read out, privacy controls need to be set correctly. However, several studies demonstrate that users have trouble adjusting these settings correctly. For this reason, we developed a new interface for setting the privacy controls. Using three simple principles (color coding, ease of access, and standard controls), we increase the usability significantly. A user study documents that users can adjust the settings better and more quickly when working with the new interface, compared with the conventional system.

Andreas Türk: Privacy as a product

As cloud-based services become increasingly popular, "privacy as a product" becomes more and more important. This talk will cover Google's approach to "Privacy as a product". We will look into existing privacy features in different Google products, discuss the Google Dashboard, and raise the question of how this approach may be extended to a broader scope.