Conference Agenda

Session
MCI-WS05: 3rd Workshop on Usable Security: Balancing the Goals of Usability and Security (original title: 3. Workshop Usable Security: Ziele der Usability und Security ausbalancieren)
Time:
Sunday, 10/Sep/2017:
10:00am - 4:30pm

Session Chair: Luigi Lo Iacono
Session Chair: Hartmut Schmitt
Location: VG 2.45 (Vielberth-Gebäude)
26 seats (variable)

Session Abstract

Our professional and private everyday lives are becoming increasingly digital. This trend is accompanied by a growing need for adequate security solutions in digital products and services that give both companies and private end users the necessary degree of effective protection for their sensitive data. The usability of these protection mechanisms plays a key role here, since they only provide effective protection if all relevant user groups can understand and use them. The goal of the "3rd Workshop on Usable Security: Balancing the Goals of Usability and Security" is to establish a forum in which experts from research and practice can exchange views on user-friendly information security. At the same time, the workshop is intended to open the discussion to a broader professional audience.


External Resource: https://www.usecured.de/muc17/
Presentations

3rd Workshop on Usable Security: Balancing the Goals of Usability and Security

Luigi Lo Iacono¹, Hartmut Schmitt², Andreas Heinemann³

¹Technische Hochschule Köln; ²HK Business Solutions GmbH; ³Hochschule Darmstadt

Abstract not available


Integrating UX into the Security Engineering Process (original title: Integration von UX in den Security Engineering-Prozess)

Katharina Joos¹,², Tobias Straub¹

¹Studiengang Wirtschaftsinformatik, Duale Hochschule Baden-Württemberg Stuttgart; ²CI/ISI, Robert Bosch GmbH Stuttgart

An established security engineering process ensures that security aspects are systematically taken into account during software development. In addition, companies increasingly orient their product development toward the user experience (UX) and issue binding requirements for this as well. This paper describes how security engineering and UX processes that were developed separately are being brought together in a large enterprise in order to meet the particular requirements of usable security. Based on well-known usable security principles and patterns, a catalogue for developers was created. Solutions were developed for three scenarios typical of enterprise use and evaluated in user tests and by experts.


Exploring Security Processes in Organizations: the Case of Smartphones

Lena Reinfelder, Zinaida Benenson

Friedrich-Alexander-Universität Erlangen-Nürnberg

We present results of two exploratory qualitative studies of smartphone security in organizations. The first study provides insights into the process of security development. The second study analyzes the effects of smartphone security measures on the productivity and behavior of end users. We find that smartphones create specific conflicts between security and productivity, because they have different technical characteristics and are used for different purposes than laptops and PCs. Nevertheless, security development processes for smartphones do not differ from other security processes, and the conflicts with productivity cannot be observed by security experts due to lack of structured feedback in organizations. Structured user involvement has a great potential to improve alignment of security processes with specific technologies and decrease negative effects of security measures on productivity. This, in turn, can increase the compliance behavior and consequently the organizational security level.


Promoting Secure Email Communication and Authentication

Verena Zimmermann¹, Birgit Henhapl², Nina Gerber¹, Matthias Enzmann³

¹Research Group Work and Engineering Psychology, Technische Universität Darmstadt; ²Research Group Security, Usability & Society, Technische Universität Darmstadt; ³Dept. for Cloud Computing and Identity & Privacy, Fraunhofer SIT Darmstadt

Nowadays, the possibility to communicate securely is crucial for users in the private as well as in the business context. However, to do so they have to face problems regarding mismatching mental models of encryption and bad usability not only concerning the encryption, but also the authentication process. To solve this problem, we evaluate users’ perception on encryption and authentication schemes in order to (1) derive a process, which is more in line with their expectations and (2) use authentication schemes which provide security but also achieve a high acceptance rate from users. We plan to integrate our findings into a prototypical software in order to evaluate users’ acceptance for our technical approach.


Security vs. privacy? User preferences regarding text passwords and biometric authentication

Nina Gerber, Verena Zimmermann

Department of Human Sciences, Technische Universität Darmstadt

Although text passwords suffer from several flaws, they are still widespread. Biometric authentication schemes are one possible alternative. However, previous study results suggest there might be two user groups preferring either knowledge-based or biometric authentication, due to different reasons. We conducted an online survey with 95 German participants to test this assumption. Our results provide evidence for the existence of two user groups, with preferences varying between different usage scenarios. Main reasons named for both methods are efficiency, security and habit, whereas privacy is another advantage provided by text passwords. Service providers should consider these diverging preferences in their decision to implement a particular authentication method.


Transparency through Contextual Privacy Statements

Denis Feth

Fraunhofer Institute for Experimental Software Engineering IESE, Kaiserslautern, Germany

Privacy policies are the state-of-the-practice technique to achieve data transparency. However, they have a variety of issues in practice: They are presented in a non-prominent way, are typically quite lengthy, and are not written in the users’ language. Additionally, they are quite abstract, as privacy policies are generic documents that do not relate to the current activity of the user but give a high-level overview of the overall system. In this paper, we present our idea of "contextual privacy statements" that overcome the shortcomings of state-of-the-practice privacy policies. Instead of having one generic privacy policy that has to fit every use case and every user group, contextual privacy statements provide concrete information about privacy and data protection in a specific use case or activity. We aim for better understandability of privacy policies, resulting in an increased transparency and user acceptance.