Publications

Technology Should Be Smarter Than This!: A Vision for Overcoming the Great Authentication Fatigue

M. Angela Sasse

Abstract: Security researchers identified 15 years ago that passwords create too much of a burden on users. But despite much research activity on alternative authentication mechanisms, there has been very little change for users in practice, and the implications for individual and organisational productivity are now severe. Read more…


Security Policy Alignment: A Formal Approach

Wolter Pieters, Trajce Dimkov and Dusko Pavlovic

Abstract: Security policy alignment concerns the matching of security policies specified at different levels in socio-technical systems, and delegated to different agents, technical as well as human. For example, the policy that sales data should not leave an organisation is refined into policies Read more…


How Users Bypass Access Control – and Why: the impact of authorization problems on individuals and the organisation

Steffen Bartsch and M. Angela Sasse

Abstract: Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not consider the full range of underlying problems, and Read more…


Adding Insult to Injury

Jennett, Charlene; Brostoff, Sacha; Malheiros, Miguel; Sasse, M. Angela

Abstract: To inspire confidence in consumer credit and improve outcomes for consumers, negative experiences such as being denied credit must be handled appropriately. We conducted an online survey with 298 UK citizens who had a credit application denied to gain a Read more…


“Comply or Die” is Dead: Long Live Security-Aware Principal Agents

Iacovos Kirlappos, Adam Beautement and M. Angela Sasse

Abstract: Information security has adapted to the modern collaborative organisational nature, and abandoned “command-and-control” approaches of the past. But when it comes to managing employees' information security behaviour, many organisations still use policies proscribing behaviour and sanctioning non-compliance. Whilst many organisations are Read more…
