Technology Should Be Smarter Than This!: A Vision for Overcoming the Great Authentication Fatigue

M. Angela Sasse


Security researchers identified 15 years ago that passwords create too much of a burden on users. But despite much research activity on alternative authentication mechanisms, there has been very little change for users in practice, and the implications for individual and organisational productivity are now severe. I argue that – rather than looking for alternative ‘front-end’ solutions, we must re-think the nature of authentication: we must drastically reduce the number of explicit authentication events users have to participate in, and use advanced technologies to implicitly authenticate users, without disrupting their productive activity.

Date: August 30, 2013
Presented: Secure Data Management: 10th VLDB Workshop, SDM 2013, Trento, Italy, August 30, 2013
Published: Lecture Notes in Computer Science, Volume 8425, 2014, pp 33-36
Publisher: Springer

Security Policy Alignment: A Formal Approach

Wolter Pieters, Trajce Dimkov and Dusko Pavlovic


Security policy alignment concerns the matching of security policies specified at different levels in socio-technical systems, and delegated to different agents, technical as well as human. For example, the policy that sales data should not leave an organisation is refined into policies on door locks, firewalls and employee behaviour, and this refinement should be correct with respect to the original policy. Although alignment of security policies in socio-technical systems has been discussed in literature, especially in relation to business goals, there has been no formal treatment of this topic so far in terms of consistency and completeness of policies. Where formal approaches are used in policy alignment, these are applied to well-defined technical access control scenarios instead. We therefore aim at formalising security policy alignment for complex socio-technical systems in this paper, and our formalisation is based on predicates over sequences of actions. We discuss how this formalisation provides the foundations for existing and future methods for finding security weaknesses induced by misalignment of policies in socio-technical systems.

Source: IEEE Systems Journal, Volume 7, Issue 2
Date: June 2013
Pages: 275-287

How Users Bypass Access Control – and Why: the impact of authorization problems on individuals and the organisation

Steffen Bartsch and M. Angela Sasse


Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not consider the full range of underlying problems, and their impact on organizations. We present a study of 118 individuals’ experiences of authorization measures in a multi-national company, and their self-reported subsequent behavior. Building on recent research that applies economic models to show the impact of lack of usability, we analyze the interrelations of authorization issues with individuals’ behaviors and organizational goals. Our results indicate that authorization problems significantly reduce the productivity and effective security of organizations. We analyzed the authorization problems of different stakeholders, and found they are mostly caused by the procedures for policy changes (e.g. long change lead-times) and the decision-making (e.g. inexperienced decision makers); the consequence is the circumvention of access control (e.g. by sharing passwords). As one research contribution, we develop a holistic model of authorization problems. More practically, we recommend providing guidance for non-compliance, such as password-sharing, and establishing light-weight procedures for policy changes with adequate degrees of centralization and formalization, and support for decision-making.

Date: June 6, 2013
Presented: 21st European Conference on Information Systems, June 5-8, 2013, Utrecht, The Netherlands.
Published: Proceedings of the 21st European Conference on Information Systems, June 5-8, 2013, Utrecht, The Netherlands.
ISBN: 9789039361122

Adding Insult to Injury

Jennett, Charlene; Brostoff, Sacha; Malheiros, Miguel; Sasse, M. Angela


To inspire confidence in consumer credit and improve outcomes for consumers, negative experiences such as being denied credit must be handled appropriately. We conducted an online survey with 298 UK citizens who had a credit application denied to gain a better understanding of their experience of being denied credit. We found that privacy issues make this experience more upsetting for consumers than necessary. When being denied credit, respondents are most concerned about (1) being denied credit ‘in public’; and (2) not being informed about the reasons why they are denied. Only 23% of our respondents knew why they had been denied; 116 (62%) believed they had been denied credit because of their credit record, but 28% had never checked it. Out of the 194 respondents who had checked their record, 38 identified errors in their credit reports, and in 14 of these cases (38%) debts that they had paid off were incorrectly listed as outstanding. Based on our findings, we propose several changes to the credit application process: (1) providing sensitive but helpful information in a private manner, e.g. a preview of their credit score before they commit a loan application; (2) credit denial notifications with information on what to do next; and (3) giving applicants more information about checking their credit report and who to contact for correcting errors.

Source: International Journal of Consumer Studies
Volume 36
Issue: 5
Pages: 549-555
Published: 2012

“Comply or Die” is Dead: Long Live Security-Aware Principal Agents

Iacovos Kirlappos, Adam Beautement and M. Angela Sasse


Information security has adapted to the modern collaborative organisational nature, and abandoned “command-and-control” approaches of the past. But when it comes to managing employees’ information security behaviour, many organisations still use policies proscribing behaviour and sanctioning non-compliance. Whilst many organisations are aware that this “comply or die” approach does not work for modern enterprises where employees collaborate, share, and show initiative, they do not have an alternative approach to fostering secure behaviour. We present an interview analysis of 126 employees’ reasons for not complying with organisational policies, identifying the perceived conflict of security with productive activities as the key driver for non-compliance, and confirm the results using a survey of 1256 employees. We conclude that effective problem detection and security measure adaptation needs to be de-centralised – employees are the principal agents who must decide how to implement security in specific contexts. But this requires a higher level of security awareness and skills than most employees currently have. Any campaign aimed at security behaviour needs to transform employees’ perception of their role in security, transforming them into security-aware principal agents.

Date: April 1, 2013
Presented: Financial Cryptography 2013 Workshop on Usable Security (USEC ’13), Okinawa, Japan, 01 – 05 Apr 2013
Published: Lecture Notes in Computer Science Volume 7862, 2013, pp 70-82.

Formalizing Physical Security Properties

Catherine Meadows and D. Pavlovic


Although the problems of physical security emerged more than 10,000 years before the problems of computer security, no formal methods have been developed for them, and the solutions have been evolving slowly, mostly through social procedures. But as the traffic on physical and social networks is now increasingly expedited by computers, the problems of physical and social security are becoming technical problems. From various directions, many security researchers and practitioners have come to a realization that the areas such as transportation security, public and private space protection, or critical infrastructure defense, are in need of formalized engineering methodologies. Following this lead, we extended Protocol Derivation Logic (PDL) to Procedure Derivation Logic (still PDL). In contrast with a protocol, where some principals send and receive some messages, in a procedure they can also exchange and move some objects. For simplicity, in the present paper we actually focus on the security issues arising from traffic of objects, and leave the data flows, and the phenomena emerging from the interaction of data and objects, for future work. We illustrate our approach by applying it to a flawed airport security procedure described by Schneier.

Keywords: formal security protocol analysis, physical procedure analysis, physical security, security policies
Date: September 14, 2012
Presented: 8th International Workshop on Security and Trust Management (STM 2012), Pisa, Italy, September 13-14, 2012.
Published: Security and Trust Management, STM 2012, Lecture Notes in Computer Science vol 7783, 2012, pp. 193-208.
Publisher: Springer

Too Close for Comfort: a study of the effectiveness and acceptability of rich-media personalized advertising

Miguel Malheiros, Charlene Jennett, Snehalee Patel, Sacha Brostoff and Martina Angela Sasse


Online display advertising is predicted to make $29.53 billion this year. Advertisers believe targeted and personalized ads to be more effective, but many users are concerned about their privacy. We conducted a study where 30 participants completed a simulated holiday booking task; each page showing ads with different degrees of personalization. Participants fixated twice as long when ads contained their photo. Participants reported being more likely to notice ads with their photo, holiday destination, and name, but also increasing levels of discomfort with increasing personalization. We conclude that greater personalization in ad content may achieve higher levels of attention, but that the most personalized ads are also the least acceptable. The notice-ability benefit in using someone’s photo to make them look at an ad may be offset by the privacy cost. As more personal data becomes available to advertisers, it becomes important that these trade-offs are considered.

Date: May 5, 2012
Presented: 30th ACM Conference on Human Factors in Computing Systems (CHI 2012)
Published: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI 2012), ACM, New York, NY, USA, pp. 579-588.
Publisher: ACM
ISBN: 978-1-4503-1015-4