Dissertations / Theses on the topic 'Usable security and privacy'


1

Vaziripour, Elham. "Usable Security and Privacy for Secure Messaging Applications." BYU ScholarsArchive, 2018. https://scholarsarchive.byu.edu/etd/8830.

Abstract:
The threat of government and corporate surveillance around the world, as well as the publicity surrounding major cybersecurity attacks, has increased interest in secure and private end-to-end communications. In response to this demand, numerous secure messaging applications have been developed in recent years. These applications have been welcomed and publicly used not just by political activists and journalists but by everyday users as well. Most of these popular secure messaging applications are usable because they hide many of the details of how encryption is provided. The strength of the security properties of these applications relies on the authentication ceremony, wherein users validate the keys being used for encryption that are exchanged through the service providers. The validation process typically involves verifying the fingerprints of encryption keys to protect the communication from being intercepted. In this dissertation, we explore how to help users enhance the privacy of their communications, with a particular focus on secure messaging applications. First, we explore whether secure messaging applications are meeting the security and privacy needs of their users, especially in countries that practice censorship and restrict civil liberties, including blocking access to social media and communication applications. Second, we studied existing popular secure messaging applications to explore how users interact with these applications and how well they are using the authentication ceremony during lab studies. Third, we applied design principles to improve the interfaces for the authentication ceremony, and also to help users find and perform the authentication ceremony faster. Fourth, we applied the lessons from our interviews with participants in our user studies to help users comprehend the importance of authentication.
As part of the effort, we developed an authentication ceremony using social media accounts to map key fingerprints to social features, pushing the ceremony to a more natural domain for users. We modified the Signal secure messaging application to include this social authentication ceremony and used a user study to compare this method to other common methods. We found that social authentication has some promising features, but that social media companies are too distrusted by users. Based on our results, we make several recommendations to improve the use of security and privacy features in secure messaging applications and outline areas for future work.
2

Vega, Laurian. "Security in Practice: Examining the Collaborative Management of Sensitive Information in Childcare Centers and Physicians' Offices." Diss., Virginia Tech, 2011. http://hdl.handle.net/10919/37552.

Abstract:
Traditionally, security has been conceptualized as rules, locks, and passwords. More recently, security research has explored how people interact in secure (or insecure) ways in part of a larger socio-technical system. Socio-technical systems are comprised of people, technology, relationships, and interactions that work together to create safe praxis. Because information systems are not just technical, but also social, the scope of privacy and security concerns must include social and technical factors. Clearly, computer security is enhanced by developments in the technical arena, where researchers are building ever more secure and robust systems to guard the privacy and confidentiality of information. However, when the definition of security is broadened to encompass both human and technical mechanisms, how security is managed with and through the day-to-day social work practices becomes increasingly important. In this dissertation I focus on how sensitive information is collaboratively managed in socio-technical systems by examining two domains: childcare centers and physicians' offices. In childcare centers, workers manage the enrolled children and also the enrolled child's personal information. In physicians' offices, workers manage the patients' health along with the patients' health information. My dissertation presents results from interviews and observations of these locations. The data collected consists of observation notes, interview transcriptions, pictures, and forms. The researchers identified breakdowns related to security and privacy. Using Activity Theory to first structure, categorize, and analyze the observed breakdowns, I used phenomenological methods to understand the context and experience of security and privacy. The outcomes from this work are three themes, along with corresponding future scenarios. The themes discussed are security embodiment, communities of security, and zones of ambiguity.
Those themes extend the literature in the areas of usable security, human-computer interaction, and trust. The presentation will use future scenarios to examine the complexity of developing secure systems for the real world.
Ph. D.
3

Angulo, Julio. "Usable privacy for digital transactions : Exploring the usability aspects of three privacy enhancing mechanisms." Licentiate thesis, Karlstads universitet, Avdelningen för informatik och projektledning, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:kau:diva-14832.

Abstract:
The amount of personally identifiable information that people distribute over different online services has grown rapidly and considerably over the last decades. This has led to increased probabilities for identity theft, profiling and linkability attacks, which can in turn not only result in a threat to people’s personal dignity, finances, and many other aspects of their lives, but also to societies in general. Methods and tools for securing people’s online activities and protecting their privacy on the Internet, so-called Privacy Enhancing Technologies (PETs), are being designed and developed. However, these technologies are often seen by ordinary users as complicated and disruptive of their primary tasks. In this licentiate thesis, I investigate the usability aspects of three main privacy and security enhancing mechanisms. These mechanisms have the goal of helping and encouraging users to protect their privacy on the Internet as they engage in some of the steps necessary to complete a digital transaction. The three mechanisms, which have been investigated within the scope of different research projects, comprise (1) graphical visualizations of service providers’ privacy policies and user-friendly management and matching of users’ privacy preferences “on the fly”, (2) methods for helping users create appropriate mental models of the data minimization property of anonymous credentials, and (3) employing touch-screen biometrics as a method to authenticate users into mobile devices and verify their identities during a digital transaction. Results from these investigations suggest that these mechanisms can make digital transactions privacy-friendly and secure while at the same time delivering convenience and usability for ordinary users.
4

Wu, Justin Chun Wah. "Resolving the Privacy Paradox: Bridging the Behavioral Intention Gap with Risk Communication Theory." BYU ScholarsArchive, 2019. https://scholarsarchive.byu.edu/etd/8702.

Abstract:
The advent of the Internet has led to vastly increased levels of data accessibility to both users and would-be attackers. The privacy paradox is an established phenomenon wherein users express concern about resultant security and privacy threats to their data, but nevertheless fail to enact the host of protective measures that have steadily become available. The precise nature of this phenomenon, however, is not a settled matter. Fortunately, risk communication theory, a discipline devoted to understanding the factors involved in risk-oriented decision-making and founded in years of empirical research in public health and disaster awareness domains, presents an opportunity to seek greater insight into this problem. In this dissertation, we explore the application of principles and techniques from risk communication theory to the question of factors in the grassroots adoption of secure communication technologies. First, we apply a fundamental first-step technique in risk communication—mental modeling—toward understanding users' perceptions of the structure, function, and utility of encryption in day-to-day life. Second, we apply principles of risk communication to system design by redesigning the authentication ceremony and its associated messaging in the Signal secure messaging application. Third, we evaluate the applicability of a core decision-making theory—protection motivation theory—toward the problem of secure email adoption, and then use this framework to describe the relative impact of various factors on secure email adoption. Finally, we evaluate perceptions of risk and response with respect to the adoption of secure email features in email scenarios of varying sensitivity levels. Our work identifies positive outcomes with respect to the impact that risk messaging has on feature adoption, and mixed results with respect to comprehension. 
We highlight obstacles to users' mental interactions with encryption, but offer recommendations for progress in the adoption of encryption. We further demonstrate that protection motivation theory, a core behavioral theory underlying many risk communication approaches, has the ability to explain the factors involved in users' decisions to adopt or not adopt in a way that can at least partially explain the privacy paradox phenomenon. In general, we find that the application of even basic principles and techniques from risk communication theory do indeed produce favorable research outcomes when applied to this domain.
5

Das, Sauvik. "Social Cybersecurity: Reshaping Security Through An Empirical Understanding of Human Social Behavior." Research Showcase @ CMU, 2017. http://repository.cmu.edu/dissertations/982.

Abstract:
Despite substantial effort made by the usable security community at facilitating the use of recommended security systems and behaviors, much security advice is ignored and many security systems are underutilized. I argue that this disconnect can partially be explained by the fact that security behaviors have myriad unaccounted for social consequences. For example, by using two-factor authentication, one might be perceived as “paranoid”. By encrypting an e-mail correspondence, one might be perceived as having something to hide. Yet, to date, little theoretical work in usable security has applied theory from social psychology to understand how these social consequences affect people’s security behaviors. Likewise, little systems work in usable security has taken social factors into consideration. To bridge these gaps in literature and practice, I begin to build a theory of social cybersecurity and apply those theoretical insights to create systems that encourage better cybersecurity behaviors. First, through a series of interviews, surveys and a large-scale analysis of how security tools diffuse through the social networks of 1.5 million Facebook users, I empirically model how social influences affect the adoption of security behaviors and systems. In so doing, I provide some of the first direct evidence that security behaviors are strongly driven by social influence, and that the design of a security system strongly influences its potential for social spread. Specifically, security systems that are more observable, inclusive, and stewarded are positively affected by social influence, while those that are not are negatively affected by social influence. Based on these empirical results, I put forth two prescriptions: (i) creating socially grounded interface “nudges” that encourage better cybersecurity behaviors, and (ii) designing new, more socially intelligent end-user facing security systems. 
As an example of a social “nudge”, I designed a notification that informs Facebook users that their friends use optional security systems to protect their own accounts. In an experimental evaluation with 50,000 Facebook users, I found that this social notification was significantly more effective than a non-social control notification at attracting clicks to improve account security and in motivating the adoption of promoted, optional security tools. As an example of a socially intelligent cybersecurity system, I designed Thumprint: an inclusive authentication system that authenticates and identifies individual group members of a small, local group through a single, shared secret knock. Through my evaluations, I found that Thumprint is resilient to casual but motivated adversaries and that it can reliably differentiate multiple group members who share the same secret knock. Taken together, these systems point towards a future of socially intelligent cybersecurity that encourages better security behaviors. I conclude with a set of descriptive and prescriptive takeaways, as well as a set of open problems for future work. Concretely, this thesis provides the following contributions: (i) an initial theory of social cybersecurity, developed from both observational and experimental work, that explains how social influences affect security behaviors; (ii) a set of design recommendations for creating socially intelligent security systems that encourage better cybersecurity behaviors; (iii) the design, implementation and comprehensive evaluation of two such systems that leverage these design recommendations; and (iv) a reflection on how the insights uncovered in this work can be utilized alongside broader design considerations in HCI, security and design to create an infrastructure of useful, usable and socially intelligent cybersecurity systems.
6

Grunwell, Daniel K. "Designing and implementing an information accountability framework for usable and useful eHealth systems." Thesis, Queensland University of Technology, 2017. https://eprints.qut.edu.au/103323/1/Daniel%20Grunwell%20Thesis.pdf.

Abstract:
This research examined the design and implementation of an Information Accountability Framework for eHealth with the aim of enabling the creation of more useful eHealth systems. The study explored the challenges of implementing the accountability mechanisms as a means to balance patient privacy concerns and the information access needs of healthcare professionals. Through the use of modelling, user studies, and case studies, the thesis presented an architecture and requirements for implementing the protocols, proposed an extended model of the framework, and provided concrete examples of modifying existing eHealth systems to include the protocols.
7

Gamagedara, Arachchilage Nalin Asanka. "Security awareness of computer users : a game based learning approach." Thesis, Brunel University, 2012. http://bura.brunel.ac.uk/handle/2438/7620.

Abstract:
The research reported in this thesis focuses on developing a framework for game design to protect computer users against phishing attacks. A comprehensive literature review was conducted to understand the research domain, support the proposed research work and identify the research gap to fulfil the contribution to knowledge. Two studies and one theoretical design were carried out to achieve the aim of this research reported in this thesis. A quantitative approach was used in the first study while engaging both quantitative and qualitative approaches in the second study. The first study reported in this thesis was focused to investigate the key elements that should be addressed in the game design framework to avoid phishing attacks. The proposed game design framework was aimed to enhance the user avoidance behaviour through motivation to thwart phishing attack. The results of this study revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility elements should be incorporated into the game design framework for computer users to avoid phishing attacks through their motivation. The theoretical design approach was focused on designing a mobile game to educate computer users against phishing attacks. The elements of the framework were addressed in the mobile game design context. The main objective of the proposed mobile game design was to teach users how to identify phishing website addresses (URLs), which is one of many ways of identifying a phishing attack. The mobile game prototype was developed using MIT App inventor emulator. In the second study, the formulated game design framework was evaluated through the deployed mobile game prototype on a HTC One X touch screen smart phone. Then a discussion is reported in this thesis investigating the effectiveness of the developed mobile game prototype compared to traditional online learning to thwart phishing threats. 
Finally, the research reported in this thesis found that the mobile game is somewhat effective in enhancing the user’s phishing awareness. It also revealed that the participants who played the mobile game were better able to identify fraudulent websites compared to the participants who read the website without any training. Therefore, the research reported in this thesis determined that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived threat and perceived susceptibility elements have a significant impact on avoidance behaviour through motivation to thwart phishing attacks as addressed in the game design framework.
8

Galanská, Katarína. "Relevance pokynů pro použitelnou bezpečnost z pohledu IT profesionála." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2021. http://www.nusl.cz/ntk/nusl-445558.

Abstract:
Balancing security and usability has always been a challenge. Despite the importance of software security, security guidelines and standards are often too complicated, error-prone, or time-consuming. This imbalance initiated the emergence of the term usable security. For years it has been a common research problem. While software should be developed with the usability of end users in mind, the security standards and guidelines used by IT professionals are often not given sufficient attention from a usability perspective. Because IT professionals are expected to have a higher level of knowledge, they often face very complex areas when they try to comply with specific security standards or follow specific guidelines. This thesis presents a study of current awareness in the field of usable security. The thesis consists of a conducted survey and an analysis of existing usable security guidelines, and proposes an educational aid to address the problems that the research revealed. Evaluation of the educational aid showed a positive impact on the awareness of IT professionals.
9

Rahman, Md Mizanur. "Search Rank Fraud Prevention in Online Systems." FIU Digital Commons, 2018. https://digitalcommons.fiu.edu/etd/3909.

Abstract:
The survival of products in online services such as Google Play, Yelp, Facebook and Amazon, is contingent on their search rank. This, along with the social impact of such services, has also turned them into a lucrative medium for fraudulently influencing public opinion. Motivated by the need to aggressively promote products, communities that specialize in social network fraud (e.g., fake opinions and reviews, likes, followers, app installs) have emerged, to create a black market for fraudulent search optimization. Fraudulent product developers exploit these communities to hire teams of workers willing and able to commit fraud collectively, emulating realistic, spontaneous activities from unrelated people. We call this behavior “search rank fraud”. In this dissertation, we argue that fraud needs to be proactively discouraged and prevented, instead of only reactively detected and filtered. We introduce two novel approaches to discourage search rank fraud in online systems. First, we detect fraud in real-time, when it is posted, and impose resource consuming penalties on the devices that post activities. We introduce and leverage several novel concepts that include (i) stateless, verifiable computational puzzles that impose minimal performance overhead, but enable the efficient verification of their authenticity, (ii) a real-time, graph based solution to assign fraud scores to user activities, and (iii) mechanisms to dynamically adjust puzzle difficulty levels based on fraud scores and the computational capabilities of devices. In a second approach, we introduce the problem of fraud de-anonymization: reveal the crowdsourcing site accounts of the people who post large amounts of fraud, thus their bank accounts, and provide compelling evidence of fraud to the users of products that they promote. We investigate the ability of our solutions to ensure that fraud does not pay off.
10

Sunkaralakunta, Venkatarama Reddy Rakesh. "A User-Centric Security Policy Enforcement Framework for Hybrid Mobile Applications." University of Dayton / OhioLINK, 2019. http://rave.ohiolink.edu/etdc/view?acc_num=dayton1564744609523447.

11

Kolter, Jan Paul. "User-centric privacy a usable and provider-independent privacy infrastructure." Lohmar Köln Eul, 2009. http://d-nb.info/1002958776/04.

12

Feraudo, Angelo. "Distributed Federated Learning in Manufacturer Usage Description (MUD) Deployment Environments." Master's thesis, Alma Mater Studiorum - Università di Bologna, 2020.

Abstract:
The constant advance of Internet of Things (IoT) devices in various environments has created the need for new security and monitoring mechanisms in a network. Such devices are often considered sources of vulnerabilities that malicious actors can exploit to access the network or conduct other attacks. This is due to the very nature of the devices, namely offering services that deal with sensitive data (e.g., video cameras) albeit with very limited resources. One solution in this direction is the use of the Manufacturer Usage Description (MUD) specification, which requires the manufacturer of the devices to provide files containing a particular communication pattern that the devices it produces must adopt. However, this specification only partially reduces the aforementioned vulnerabilities. Indeed, it becomes implausible to define a communication pattern for IoT devices with very generic network traffic (e.g., Alexa). Therefore, it is of great interest to study an anomaly detection system based on machine learning techniques that can close these vulnerabilities. In this work, three prototype implementations of the MUD specification will be explored, concluding with the selection of one of them. Subsequently, a Proof-of-Concept conforming to this specification will be produced, containing an additional entity able to give the network administrator greater authority in this environment. In a second phase, a distributed architecture will be analysed that can perform anomaly learning directly on the devices by exploiting the concept of Federated Learning, which means guaranteeing data privacy. The fundamental idea of this work is therefore to propose an architecture based on these two new technologies, able to minimise the vulnerabilities inherent in IoT devices in a distributed environment while guaranteeing data privacy as far as possible.
13

Herzog, Almut. "Usable Security Policies for Runtime Environments." Doctoral thesis, Linköpings universitet, IISLAB - Laboratoriet för intelligenta informationssystem, 2007. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-8809.

Abstract:
The runtime environments provided by application-level virtual machines such as the Java Virtual Machine or the .NET Common Language Runtime are attractive for Internet application providers because the applications can be deployed on any platform that supports the target virtual machine. With Internet applications, organisations as well as end users face the risk of viruses, trojans, and denial of service attacks. Virtual machine providers are aware of these Internet security risks and provide, for example, runtime monitoring of untrusted code and access control to sensitive resources. Our work addresses two important security issues in runtime environments. The first issue concerns resource or release control. While many virtual machines provide runtime access control to resources, they do not provide any means of limiting the use of a resource once access is granted; they do not provide so-called resource control. We have addressed the issue of resource control in the example of the Java Virtual Machine. In contrast to others’ work, our solution builds on an enhancement to the existing security architecture. We demonstrate that resource control permissions for Java-mediated resources can be integrated into the regular Java security architecture, thus leading to a clean design and a single external security policy. The second issue that we address is the usability and security of the setup of security policies for runtime environments. Access control decisions are based on external configuration files, the security policy, which must be set up by the end user. This set-up is security-critical but also complicated and error-prone for a lay end user and supportive, usable tools are so far missing.
After one of our usability studies signalled that offline editing of the configuration file is inefficient and difficult for end users, we conducted a usability study of personal firewalls to identify usable ways of setting up a security policy at runtime. An analysis of general user help techniques together with the results from the two previous studies resulted in a proposal of design guidelines for applications that need to set up a security policy. Our guidelines have been used for the design and implementation of the tool JPerM that sets the Java security policy at runtime. JPerM evaluated positively in a usability study and supports the validity of our design guidelines.
14

Althobaiti, Maha. "Assessing usable security of multifactor authentication." Thesis, University of East Anglia, 2016. https://ueaeprints.uea.ac.uk/61540/.

Abstract:
An authentication mechanism is a security service that establishes the difference between authorised and unauthorised users. When used as part of certain website processes such as online banking, it provides users with greater safety and protection against service attacks and intruders. For an e-banking website to be considered effective, it should provide a usable and secure authentication mechanism. Despite existing research on usability and security domains, there is a lack of research on synthesising the contributions of usable security and evaluating multifactor authentication methods. Without understanding the usability and security of authentication mechanisms, the authenticating process is likely to become cumbersome and insecure. This negatively affects a goal of the authentication process, convenience for the user. This thesis sought to investigate the usability and security of multifactor authentication and filled an important gap in the development of authenticating processes. It concentrated on users’ perspectives, which are crucial for the deployment of an authenticating process. To achieve the thesis goal, a systematic series of three studies has been conducted. First, an exploratory study was used to investigate the current state of the art of using multifactor authentication and to evaluate the usability and security of these methods. The study involved a survey of 614 e-banking users, who were selected because they were likely long-term users of online banking and they had two different bank accounts, a Saudi account and a foreign account (most foreign accounts were British). The study indicated that multifactor authentication has been widely adopted in e-banking in Saudi Arabia and the United Kingdom, with high levels of security and trustworthiness as compared to single factor authentication. The second study was a descriptive study of the most common authentication methods. 
This study aimed to learn more about commonly used methods that were identified in the previous study and sought to propose an appropriate combination of authentication methods to be evaluated in the third study. The third study was an experimental study with 100 users to evaluate the usable security of three different multifactor authentication methods: finger print, secure device and card reader. A web-based system was designed specifically for this study to simulate an original UK e-banking website. One of the main contributions of this study was that the system allowed users to choose their preferred authentication method. Moreover, the study contributed to the field of usable security by proposing security evaluation criteria based on users’ awareness of security warnings. The key result obtained indicated that fingerprinting was the most usable and secure method. Additionally, the users’ level of understanding security warnings was very low, as shown by their reaction to the security indicators presented during the experiment.
15

Herzog, Almut. "Usable security policies in runtime environments /." Linköping : Department of Computer and Information Science, Linköpings universitet, 2007. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-8809.

16

Katsouraki, Athanasia. "Sharing and Usage Control of Personal Information." Thesis, Université Paris-Saclay (ComUE), 2016. http://www.theses.fr/2016SACLV089/document.

Abstract:
We are recently experiencing an unprecedented explosion of available personal data from sensors, web, social networks, etc., and so people feel exposed while they share and publish their data. There is a clear need for tools and methods to control how their data is collected, managed and shared. The challenges are mainly focused on the lack of either applications or technical solutions that provide security on how to collect, manage and share personal data. The main challenge is to provide a secure and adaptable tool that can be used by any user, without technical background. This thesis makes three important contributions to the field of privacy: (i) a prototype implementation of the UCONABC model, a usage control model, applied to an online social networks scenario, (ii) an algebraic extension to UCON to control the complex sharing of data (by transforming personal data into sharable and publishable data) and (iii) the design, implementation and field testing of a secure platform to manage sensitive data collected through online forms.
17

Angulo, Julio. "Designing for Usable Privacy and Transparency in Digital Transactions." Doctoral thesis, Karlstads universitet, Centrum för HumanIT, 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:kau:diva-35921.

Abstract:
People engage with multiple online services and carry out a range of different digital transactions with these services. Registering an account, sharing content in social networks, or requesting products or services online are a few examples of such digital transactions. With every transaction, people take decisions and make disclosures of personal data. Despite the possible benefits of collecting data about a person or a group of people, massive collection and aggregation of personal data carries a series of privacy and security implications which can ultimately result in a threat to people's dignity, their finances, and many other aspects of their lives. For this reason, privacy and transparency enhancing technologies are being developed to help people protect their privacy and personal data online. However, some of these technologies are usually hard to understand, difficult to use, and get in the way of people's momentary goals. The objective of this thesis is to explore, and iteratively improve, the usability and user experience provided by novel privacy and transparency technologies. To this end, it compiles a series of case studies that address identified issues of usable privacy and transparency at four stages of a digital transaction, namely the information, agreement, fulfilment and after-sales stages. These studies contribute with a better understanding of the human-factors and design requirements that are necessary for creating user-friendly tools that can help people to protect their privacy and to control their personal information on the Internet.
18

Voronkov, Artem. "Usable Firewall Rule Sets." Licentiate thesis, Karlstads universitet, Institutionen för matematik och datavetenskap (from 2013), 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:kau:diva-64703.

Abstract:
Correct functioning is the most important requirement for any system. Nowadays there are a lot of threats to computer systems that undermine confidence in them and, as a result, force a user to abandon their use. Hence, a system cannot be trusted if there is no proper security provided. Firewalls are an essential component of network security and there is an obvious need for their use. The level of security provided by a firewall depends on how well it is configured. Thus, to ensure the proper level of network security, it is necessary to have properly configured firewalls. However, setting up the firewall correctly is a very challenging task. These configuration files might be hard to understand even for system administrators. This is due to the fact that these configuration files have a certain structure: the higher the position of a rule in the rule set, the higher priority it has. Challenging problems arise when a new rule is being added to the set, and a proper position, where to place it, needs to be found. Misconfiguration might sooner or later be made and that will lead to an inappropriate system's security. This brings us to the usability problem associated with the configuration of firewalls. The overall aim of this thesis is to identify existing firewall usability gaps and to mitigate them. To achieve the first part of the objective, we conducted a series of interviews with system administrators. In the interviews, system administrators were asked about the problems they face when dealing with firewalls. After having ascertained that the usability problems exist, we turned to literature to get an understanding on the state-of-the-art of the field and therefore conducted a systematic literature review. This review presents a classification of available solutions and identifies open challenges in this area. To achieve the second part of the objective, we started working on one identified challenge. 
A set of usability metrics was proposed and mathematically formalized. A strong correlation between our metrics and how system administrators describe usability was identified.
Network security is an important aspect that must be taken into account. Firewalls are systems that are used to make sure that authorized network traffic is allowed and unauthorized traffic is prohibited. However, setting up a firewall correctly is a challenging task. Their configuration files might be hard to understand even for system administrators. The overall aim of this thesis is to identify firewall usability gaps and to mitigate them. To achieve the first part of the objective, we conduct a series of interviews with system administrators. In the interviews, system administrators are asked about the problems they face when dealing with firewalls. After having ascertained that the usability problems exist, we conduct a systematic literature review to get an understanding on the state of the art of the field. This review classifies available solutions and identifies open challenges. To achieve the second part of the objective, a set of usability metrics is proposed and mathematically formalized. A strong correlation between our metrics and how system administrators describe usability is identified.
HITS, 4707
19

Najafian, Razavi Maryam. "Towards usable end-user privacy control for social software systems." Thesis, University of British Columbia, 2009. http://hdl.handle.net/2429/13403.

Abstract:
The recent growth and wide adoption of social software systems have transformed the Web from an information pool to a platform for communication and social interaction. While often times social software systems are used with the goal of sharing information, studies have shown that many users struggle to properly manage selective sharing of the vast and diverse information artifacts they dispose in such tools. Most existing social software systems define privacy either as a private/public dichotomy or in terms of a “network of friends” relationship, in which all “friends” are created equal and all relationships are reciprocal. These models fail to support the privacy expectations that non-technical users bring from their real-life experiences, such as segregating one’s disparate groups, enabling different degrees of intimacy within one’s network, and providing flexible, natural means of managing the volatile social relationships that social software systems confront. Furthermore, both models suffer from lack of empirical grounding and systematic evaluation. The research described in this thesis employs a qualitative research methodology to deepen understanding of the information sharing process in the context of social software systems, in order to propose guidelines for building privacy management mechanisms in this domain that provide users with more control over privacy, and yet, are intuitive and easy to use for the average, non-technical user population of social software. The research is based on a grounded theory study of users’ information sharing behavior in a social software tool, and offers several contributions, including clarifying users’ privacy needs, concerns, and strategies, and identifying factors that affect users’ decisions regarding sharing various information artifacts with different audiences. 
The findings lead to the development of several design heuristics and a general framework for usable privacy in social software domain, which inform the design of OpnTag, a novel prototype that facilitates creation, organization, and sharing of information for an individual operating in various social contexts. Results of an empirical evaluation of OpnTag’s privacy management mechanism show that our proposed privacy framework is flexible enough to meet users’ varying information sharing needs in different contexts while maintaining adequate support for usability.
20

Fischer-Hübner, Simone. "IT-security and privacy : design and use of privacy-enhancing security mechanisms /." Berlin [u.a.] : Springer, 2001. http://www.loc.gov/catdir/enhancements/fy0812/2001034161-d.html.

21

Литвиненко, Галина Іванівна, Галина Ивановна Литвиненко, Halyna Ivanivna Lytvynenko, and R. Pelepei. "Internet security and privacy." Thesis, Видавництво СумДУ, 2008. http://essuir.sumdu.edu.ua/handle/123456789/16048.

22

Lennartsson, Markus. "Exploring the meaning of ”usable security” : A literature survey." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-18511.

Abstract:
For decades, literature has reported on the perceived conflict between usability and security. Their mutual trade-off needs to be considered and addressed whenever security products are developed. Achieving well-balanced levels of both is a precondition for sufficient security since users tend to reject unusable solutions. To assess it correctly, usability should be evaluated in the context of security. This paper aims to identify and describe universally applicable and solution-independent factors that affect the perceived usability of security mechanisms. The selected methodology was a systematic literature review during which multiple database resources were queried with different search terms. Application of predefined selection criteria led to the creation of an initial bibliography before backward snowballing was applied to minimize the risk of missing further material of importance. All 70 included publications were then analyzed through thematic analysis. The study resulted in the identification of 14 themes and 30 associated sub-themes representing aspects with reported influence on perceived usability in the context of security. While some of them were only mentioned sparsely, the most prominent and thus presumably most significant ones were: simplicity, information and support, task completion time, error rates, and error management. The identified novel themes can increase knowledge about factors that influence usability. This can be useful for different groups: end-users may be empowered to choose appropriate solutions more consciously, developers may be able to avoid common usability pitfalls when designing new products, and system administrators may benefit from a better understanding of how to configure solutions and how to educate users efficiently.
23

Shay, Richard. "Creating Usable Policies for Stronger Passwords with MTurk." Research Showcase @ CMU, 2015. http://repository.cmu.edu/dissertations/476.

Abstract:
People are living increasingly large swaths of their lives through their online accounts. These accounts are brimming with sensitive data, and they are often protected only by a text password. Attackers can break into service providers and steal the hashed password files that store users’ passwords. This lets attackers make a large number of guesses to crack users’ passwords. The stronger a password is, the more difficult it is for an attacker to guess. Many service providers have implemented password-composition policies. These policies constrain or restrict passwords in order to prevent users from creating easily guessed passwords. Too lenient a policy may permit easily cracked passwords, and too strict a policy may encumber users. The ideal password-composition policy balances security and usability. Prior to the work in this thesis, many password-composition policies were based on heuristics and speculation, rather than scientific analysis. Passwords research often examined passwords constructed under a single uniform policy, or constructed under unknown policies. In this thesis, I contrast the strength and usability of passwords created under different policies. I do this through online, crowdsourced human-subjects studies with randomized, controlled password-composition policies. This result is a scientific comparison of how different password-composition policies affect both password strength and usability. I studied a range of policies, including those similar to policies found in the wild, policies that trade usability for security by requiring longer passwords, and policies in which passwords are system-assigned with known security. One contribution of this thesis is a tested methodology for collecting passwords under different policies. Another contribution is the comparison between password policies. 
I find that some password-composition policies make more favorable tradeoffs between security and usability, allowing evidence-based recommendations for service providers. I also offer insights for researchers interested in conducting larger-scale online studies, having collected data from tens of thousands of participants.
24

Yeratziotis, Alexandros. "A framework to evaluate usable security in online social networking." Thesis, Nelson Mandela Metropolitan University, 2011. http://hdl.handle.net/10948/d1012933.

Abstract:
It is commonly held in the literature that users find security and privacy difficult to comprehend. It is also acknowledged that most end-user applications and websites have built-in security and privacy features. Users are expected to interact with these in order to protect their personal information. However, security is generally a secondary goal for users. Considering the complexity associated with security in combination with the notion that it is not users’ primary task, it makes sense that users tend to ignore their security responsibilities. As a result, they make poor security-related decisions and, consequently, their personal information is at risk. Usable Security is the field that investigates these types of issue, focusing on the design of security and privacy features that are usable. In order to understand and appreciate the complexities that exist in the field of Usable Security, the research fields of Human-Computer Interaction and Information Security should be examined. Accordingly, the Information Security field is concerned with all aspects pertaining to the security and privacy of information, while the field of Human-Computer Interaction is concerned with the design, evaluation and implementation of interactive computing systems for human use. This research delivers a framework to evaluate Usable Security in online social networks. In this study, online social networks that are particular to the health domain were used as a case study and contributed to the development of a framework consisting of three components: a process, a validation tool and a Usable Security heuristic evaluation. There is no existing qualitative process that describes how one would develop and validate a heuristic evaluation. In this regard a heuristic evaluation is a usability inspection method that is used to evaluate the design of an interface for any usability violations in the field of Human-Computer Interaction. 
Therefore, firstly, a new process and a validation tool were required to be developed. Once this had been achieved, the process could then be followed to develop a new heuristic evaluation that is specific to Usable Security. In order to assess the validity of a new heuristic evaluation a validation tool is used. The development of tools that can improve the design of security and privacy features on end-user applications and websites in terms of their usability is critical, as this will ensure that the intended users experience them as usable and can utilise them effectively. The framework for evaluating Usable Security contributes to this objective in the context of online social networks.
25

Chia, Pern Hui. "Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective." Doctoral thesis, Norges teknisk-naturvitenskapelige universitet, Centre for Quantifiable Quality of Service in Communication Systems, 2012. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-19751.

Abstract:
Various security measures are ineffective having been designed without adequate usability and economic considerations. The primary objective of this thesis is to add an economic and socio-behavioral perspective to the traditional computer science research in information security. The resulting research is interdisciplinary, and the papers combine different approaches, ranging from analytic modeling to empirical measurements and user studies. Contributing to the fields of usable security and security economics, this thesis fulfills three motivations. First, it provides a realistic game theoretical model for analyzing the dynamics of attack and defense on the Web. Adapted from the classical Colonel Blotto games, our Colonel Blotto Phishing model captures the asymmetric conflict (resource, information, action) between a resource-constrained attacker and a defender. It also factors in the practical scenario where the attacker creates large numbers of phishing websites (endogenous dimensionality), while the defender reactively detects and strives to take them down promptly. Second, the thesis challenges the conventional view that users are always the weakest link or liability in security. It explores the feasibility of leveraging inputs from expert and ordinary users for improving information security. While several potential challenges are identified, we find that community inputs are more comprehensive and relevant than automated assessments. This does not imply that users should be made liable to protect themselves; it demonstrates the potentials of community efforts in complementing conventional security measures. We further analyze the contribution characteristics of serious and casual security volunteers, and suggest ways for improvement. Third, following the rise of third party applications (apps), the thesis explores the security and privacy risks and challenges with both centralized and decentralized app control models. 
Centralized app control can lead to the risk of central judgment and the risk of habituation, while the increasingly widespread decentralized user-consent permission model also suffers from the lack of effective risk signaling. We find the tendency of popular apps requesting more permissions than average. Compounded with the absence of alternative risk signals, users will habitually click through the permission request dialogs. In addition, we find the free apps, apps with mature content, and apps with names mimicking the popular ones, request more permissions than typical. These indicate possible attempts to trick the users into compromising their privacy.
26

Monson, Tyler Jay. "Usable Secure Email Through Short-Lived Keys." BYU ScholarsArchive, 2017. https://scholarsarchive.byu.edu/etd/6568.

Abstract:
Participants from recent secure email user studies have expressed a need to use secure email tools only a few times a year. At the same time, Internet users are expressing concerns over the permanence of personal information on the Internet. Support for short-lived keys has the potential to address both of these problems. However, the short-lived keys usability and security space is underdeveloped and unexplored. In this thesis, we present an exploration of the short-lived keys usability and security design space. We implement both a short-lived keys and a long-term keys secure email prototype. With these two prototypes, we conduct a within-subjects user study. Results from our study show that participants believe the short-lived keys prototype is more secure and more trusted. Participants also provide feedback on what they want in a system supporting short-lived keys. They also discuss how concerned they are about the permanence of their information on the Internet and on their devices.
27

Ruoti, Scott. "Usable, Secure Content-Based Encryption on the Web." BYU ScholarsArchive, 2016. https://scholarsarchive.byu.edu/etd/6083.

Abstract:
Users share private information on the web through a variety of applications, such as email, instant messaging, social media, and document sharing. Unfortunately, recent revelations have shown that not only is users' data at risk from hackers and malicious insiders, but also from government surveillance. This state of affairs motivates the need for users to be able to encrypt their online data. In this dissertation, we explore how to help users encrypt their online data, with a special focus on securing email. First, we explore the design principles that are necessary to create usable, secure email. As part of this exploration, we conduct eight usability studies of eleven different secure email tools including a total of 347 participants. Second, we develop a novel, paired-participant methodology that allows us to test whether a given secure email system can be adopted in a grassroots fashion. Third, we apply our discovered design principles to PGP-based secure email, and demonstrate that these principles are sufficient to create the first PGP-based system that is usable by novices. We have also begun applying the lessons learned from our secure email research more generally to content-based encryption on the web. As part of this effort, we develop MessageGuard, a platform for accelerating research into usable, content-based encryption. Using MessageGuard, we build and evaluate Private Facebook Chat (PFC), a secure instant messaging system that integrates with Facebook Chat. Results from our usability analysis of PFC provided initial evidence that our design principles are also important components to usable, content-based encryption on the Web.
28

Ur, Blase Eric. "Supporting Password-Security Decisions with Data." Research Showcase @ CMU, 2016. http://repository.cmu.edu/dissertations/845.

Abstract:
Despite decades of research into developing abstract security advice and improving interfaces, users still struggle to make passwords. Users frequently create passwords that are predictable for attackers or make other decisions (e.g., reusing the same password across accounts) that harm their security. In this thesis, I use data-driven methods to better understand how users choose passwords and how attackers guess passwords. I then combine these insights into a better password-strength meter that provides real-time, data-driven feedback about the user’s candidate password. I first quantify the impact on password security and usability of showing users different password-strength meters that score passwords using basic heuristics. I find in a 2,931-participant online study that meters that score passwords stringently and present their strength estimates visually lead users to create stronger passwords without significantly impacting password memorability. Second, to better understand how attackers guess passwords, I perform comprehensive experiments on password-cracking approaches. I find that simply running these approaches in their default configuration is insufficient, but considering multiple well-configured approaches in parallel can serve as a proxy for guessing by an expert in password forensics. The third and fourth sections of this thesis delve further into how users choose passwords. Through a series of analyses, I pinpoint ways in which users structure semantically significant content in their passwords. I also examine the relationship between users’ perceptions of password security and passwords’ actual security, finding that while users often correctly judge the security impact of individual password characteristics, wide variance in their understanding of attackers may lead users to judge predictable passwords as sufficiently strong. 
Finally, I integrate these insights into an open-source password-strength meter that gives users data-driven feedback about their specific password. I evaluate this meter through a ten-participant laboratory study and 4,509-participant online study.
29

Faily, Shamal. "A framework for usable and secure system design." Thesis, University of Oxford, 2011. http://ora.ox.ac.uk/objects/uuid:520b939f-b1d9-4a53-9a47-21f0ffcfd68d.

Abstract:
Despite existing work on dealing with security and usability concerns during the early stages of design, there has been little work on synthesising the contributions of these fields into processes for specifying and designing systems. Without a better understanding of how to deal with both concerns at an early stage, the design process risks disenfranchising stakeholders, and resulting systems may not be situated in their contexts of use. The research problem this thesis addresses is how techniques and tools can be integrated and improved to support the design of usable and secure systems. To develop this understanding, we present IRIS (Integrating Requirements and Information Security) --- a framework for specifying usable and secure systems. IRIS considers the system design process from three different perspectives --- Usability, Security, and Requirements --- and guides the selection of techniques towards integrative Security, Usability, and Requirements Engineering processes. This thesis claims that IRIS is an exemplar for integrating existing techniques and tools towards the design of usable and secure systems. In particular, IRIS makes three significant contributions towards the stated research problem. First, a conceptual model for usable secure Requirements Engineering is presented, upon which the IRIS framework is founded; this meta-model informs changes to elicitation and specification techniques for improved interoperability in the design process. Second, several characteristics of tool-support needed to elicit and specify usable and secure systems are introduced; the CAIRIS (Computer Aided Integration of Requirements and Information Security) software tool is presented to illustrate how these characteristics can be embodied. Third, we describe how the results of applying IRIS can be used to improve the design of existing User-Centered Design techniques for secure systems design. 
We validate the thesis by applying the IRIS framework to three case studies. In the first, IRIS is used to specify requirements for a software repository used by a UK water company. In the second, IRIS is used to specify security requirements for a meta-data repository supporting the sharing of medical research data. In the final case study, IRIS is used to analyse a proposed security policy at a UK water company, and identify missing policy requirements. In each case study, IRIS is applied within the context of an Action Research intervention, where findings and lessons from one case study are fed into the action plan of the next.
30

Langlotz, Benjamin. "Usable Security : A seamless user authentication method using NFC and Bluetooth." Thesis, Uppsala universitet, Institutionen för informationsteknologi, 2016. http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-297835.

Abstract:
Currently, the majority of user authentication procedures for computers, web services or software involve typing user names and passwords. Passwords which should have a reasonable complexity to be considered secure. The securest password, however, does not guard a user's data if she does not log out when leaving the computer. The research question posed in this thesis is "How should a user authentication method be designed to automate login/logout and to mitigate negative effects of lacking security awareness?". Based on this question, the goal of this work is to develop a new solution for user authentication with NFC and Bluetooth, that takes care of logging in and out of computers and services without the user having to lose a thought about it. This is done by first looking at currently existing alternatives to password authentication. Secondly, the qualities and requirements of a new user authentication concept are devised and described. Thirdly, a testable prototype called NFCLogin, implementing the key aspects of logging in and logging out of Google Chrome as well as saving and reopening of the user's opened tabs is implemented. Finally, an observational assessment test is conducted. The aim of the study is to get a hint about whether the system could be useful, if users are inclined to trust it and in which way it could be improved. The main outcome of this thesis is the definition of a user authentication method coupled with suggestions for improvement gathered from a usability study, conducted with the method's prototype, NFCLogin. An important takeaway from the study is that participants seem to appreciate the prototype and are likely willing to use the proposed method, if it is sufficiently secure.
31

Haver, Torstein. "Security and Privacy in RFID Applications." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2006. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-9325.

Abstract:

Radio Frequency Identification (RFID) is a very versatile technology. It has the potential to increase the efficiency of many common applications and is thus becoming increasingly popular. The main drawback is that the general principles the technology is built on are very vulnerable to attack. The ID embedded in every chip combined with the openness of the radio interface exposes the users to tracking. As additional sensitive information may be stored on the tags, the user may also be exposed to other security and privacy threats. This thesis investigates how easily the reading distance of RFID tags can be increased by modifying a regular reader. A thorough presentation of general privacy and security threats to RFID systems is also given together with an analysis of how the results from the experiments influence these threats. General countermeasures to defend against threats are also evaluated. Finally, the thesis investigates how easily a user can reduce the reading distance of tags he is carrying by physical shielding. The general results are that moderately increasing the reading distance of RFID tags by modifying a regular reader is possible. It is, however, not trivial. Given that the attacker has extensive knowledge of the technology and its implementation, obtaining extensive increases in reading distance by using very sophisticated techniques may be possible. Users can, on the other hand, relatively easily decrease the reading distances of tags by physically shielding them. The obtainable reading distance using an electronics hobbyist’s tools, skills and knowledge is sufficient to greatly simplify the execution of several attacks aimed at RFID systems. As the technological development is likely to increase the obtainable reading distance even further, inclusion of on-tag security measures for the future is of great importance.

32

DeYoung, Mark E. "Privacy Preserving Network Security Data Analytics." Diss., Virginia Tech, 2018. http://hdl.handle.net/10919/82909.

Abstract:
The problem of revealing accurate statistics about a population while maintaining privacy of individuals is extensively studied in several related disciplines. Statisticians, information security experts, and computational theory researchers, to name a few, have produced extensive bodies of work regarding privacy preservation. Still the need to improve our ability to control the dissemination of potentially private information is driven home by an incessant rhythm of data breaches, data leaks, and privacy exposure. History has shown that both public and private sector organizations are not immune to loss of control over data due to lax handling, incidental leakage, or adversarial breaches. Prudent organizations should consider the sensitive nature of network security data and network operations performance data recorded as logged events. These logged events often contain data elements that are directly correlated with sensitive information about people and their activities -- often at the same level of detail as sensor data. Privacy preserving data publication has the potential to support reproducibility and exploration of new analytic techniques for network security. Providing sanitized data sets de-couples privacy protection efforts from analytic research. De-coupling privacy protections from analytical capabilities enables specialists to tease out the information and knowledge hidden in high dimensional data, while, at the same time, providing some degree of assurance that people's private information is not exposed unnecessarily. In this research we propose methods that support a risk based approach to privacy preserving data publication for network security data. Our main research objective is the design and implementation of technical methods to support the appropriate release of network security data so it can be utilized to develop new analytic methods in an ethical manner. 
Our intent is to produce a database which holds network security data representative of a contextualized network and people's interaction with the network mid-points and end-points without the problems of identifiability.
Ph. D.
33

Groat, Stephen Lawrence. "Privacy and Security in IPv6 Addressing." Thesis, Virginia Tech, 2011. http://hdl.handle.net/10919/76978.

Abstract:
Due to an exponentially larger address space than Internet Protocol version 4 (IPv4), the Internet Protocol version 6 (IPv6) uses new methods to assign network addresses to Internet nodes. StateLess Address Auto Configuration (SLAAC) creates an address using a static value derived from the Media Access Control (MAC) address of a network interface as host portion, or interface identifier (IID). The Dynamic Host Configuration Protocol version 6 (DHCPv6) uses a client-server model to manage network addresses, providing stateful address configuration. While DHCPv6 can be configured to assign randomly distributed addresses, the DHCP Unique Identifier (DUID) was designed to remain static for clients as they move between different DHCPv6 subnets and networks. Both the IID and DUID are static values which are publicly exposed, creating a privacy and security threat for users and nodes. The static IID and DUID allow attackers to violate unsuspecting IPv6 users' privacy and security with ease. These static identifiers make geographic tracking and network traffic correlation over multiple sessions simple. Also, different classes of computer and network attacks, such as system-specific attacks and Denial-of-Service (DoS) attacks, are easier to successfully employ due to these identifiers. This research identifies and tests the validity of the privacy and security threat of static IIDs and DUIDs. Solutions which mitigate or eliminate the threat posed by static identifiers in IPv6 are identified.
Master of Science
34

Taylor, Vincent. "Security and privacy in app ecosystems." Thesis, University of Oxford, 2017. https://ora.ox.ac.uk/objects/uuid:01f3b0ca-b24e-4949-9efa-ec56dfba7a36.

Abstract:
Smartphones are highly-capable mobile computing devices that have dramatically changed how people do business, interact with online services, and receive entertainment. Smartphone functionality is enhanced by an ecosystem of apps seemingly covering the entire gamut of functionality. While smartphone apps have undoubtedly provided immeasurable benefit to users, they also contribute their fair share of drawbacks, such as increases in security risks and the erosion of user privacy. In this thesis, I focus on the Android smartphone operating system, and pave the way for improving the security and privacy of its app ecosystem. Chapter 3 starts by doing a comprehensive study on how Android apps have evolved over a three-year period, both in terms of their dangerous permission usage and the vulnerabilities they contain. It uncovers a trend whereby apps are using increasing numbers of dangerous permissions over time and at the same time becoming increasingly vulnerable to attack by adversaries. By analysing the Google Play Store, Android's official app marketplace, Chapter 4 shows that many general-purpose apps can be replaced with functionally-similar alternatives to the benefit of the user. This confirms that users still wield power to improve their own security and privacy. Chapter 5 combines this insight with real-world data from approximately 30,000 smartphones to understand the actual risk that the average user faces as a result of their use of apps, and takes an important first step in measuring the improvements that can be made. Users, however, are not always aware of the risks they face and thus Chapter 6 demonstrates the feasibility of a classification system that can transparently and unobtrusively identify and alert users to the presence of apps of concern on their devices.
This classification system identifies apps from features in the network traffic they generate, without itself analysing the payload of their traffic, thus maintaining a high threshold of privacy. While the work presented in this thesis has uncovered undesirable trends in app evolution, and shows that a large fraction of users are exposed to non-trivial risk from the apps they use, in many cases there is sufficient diversity in the offerings of general-purpose apps in the Google Play Store to empower users to mitigate the risks coming from the apps they use. This work takes us a step further in keeping users safe as they navigate and enjoy app ecosystems.
35

Zaaba, Zarul Fitri. "Enhancing usability using automated security interface adaptation (ASIA)." Thesis, University of Plymouth, 2014. http://hdl.handle.net/10026.1/3025.

Abstract:
Many users are now significantly dependent upon computer applications. Whilst many aspects are now used very successfully, an area in which usability difficulties continue to be encountered is in relation to security. This can become particularly acute in situations where users are required to interact and make decisions, and a key context here is typically when they need to respond to security warnings. The current implementation of security warnings can often be considered as an attempt to offer a one size fits all solution. However, it can be argued that many implementations are still lacking the ability to provide meaningful and effective warnings. As such, this research focuses upon achieving a better understanding of the elements that aid end-users in comprehending the warnings, the difficulties with the current approaches, and the resulting requirements in order to improve the design and implementation of such security dialogues. In the early stage of research, a survey was undertaken to investigate perceptions of security dialogues in practice, with a specific focus upon security warnings issued within web browsers. This provided empirical evidence of end-users’ experiences, and revealed notable difficulties in terms of their understanding and interpretation of the security interactions. Building upon this, the follow-up research investigated understanding of application level security warnings in wider contexts, looking firstly at users’ interpretation of what constitutes a security warning and then at their level of comprehension when related warnings occurred. These results confirmed the need to improve the dialogues so that the end-users are able to act appropriately, and consequently promoted the design and prototype implementation of a novel architecture to improve security warnings, which has been titled Automated Security Interface Adaptation (ASIA).
The ASIA approach aims to improve security warnings by tailoring the interaction more closely to individual user needs. By automatically adapting the presentation to match each user’s understanding and preferences, security warnings can be modified in ways that enable users to better comprehend them, and thus make more informed security decisions and choices. A comparison of the ASIA-adapted interfaces compared to standard versions of warnings revealed that the modified versions were better understood. As such, the ASIA approach has significant potential to assist (and thereby protect) the end-user community in their future interactions with security.
36

Purandare, Darshan. "ENHANCING MESSAGE PRIVACY IN WIRED EQUIVALENT PRIVACY." Master's thesis, University of Central Florida, 2005. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/2998.

Abstract:
The 802.11 standard defines the Wired Equivalent Privacy (WEP) and encapsulation of data frames. It is intended to provide data privacy to the level of a wired network. WEP suffered threat of attacks from hackers owing to certain security shortcomings in the WEP protocol. Lately, many new protocols like WiFi Protected Access (WPA), WPA2, Robust Secure Network (RSN) and 802.11i have come into being, yet their implementation is fairly limited. Despite its shortcomings one cannot undermine the importance of WEP as it still remains the most widely used system and we chose to address certain security issues and propose some modifications to make it more secure. In this thesis we have proposed a modification to the existing WEP protocol to make it more secure. We achieve Message Privacy by ensuring that the encryption is not breached. The idea is to update the shared secret key frequently based on factors like network traffic and number of transmitted frames. We also develop an Initialization Vector (IV) avoidance algorithm that eliminates IV collision problem. The idea is to partition the IV bits among different wireless hosts in a predetermined manner unique to every node. We can use all possible 2^24 different IVs without making them predictable for an attacker. Our proposed algorithm eliminates the IV collision ensuring Message Privacy that further strengthens security of the existing WEP. We show that frequent rekeying thwarts all kinds of cryptanalytic attacks on the WEP.
M.S.
School of Computer Science
Engineering and Computer Science
Computer Science
37

Wakim, Mike. "Employing Android Security Features for Enhanced Security and Privacy Preservation." Thesis, Université d'Ottawa / University of Ottawa, 2017. http://hdl.handle.net/10393/36353.

Abstract:
In this thesis, we examine the architecture and the security framework underlying the Android operating system. We explore existing Android end-to-end encrypted (E2EE) messaging applications and derive four categories of common issues that are applicable to these applications. We then provide an overview of the known issue of privilege escalation wherein a malicious privileged application can utilize inter-process communication techniques to send protected data to an unauthorized application on a user’s device. We demonstrate through a proof of concept how this behavior can be achieved in real applications, and we suggest potential countermeasures that can help prevent this issue. Furthermore, in the interest of diminishing the common issues that are applicable to E2EE messaging applications, we propose a new design for such applications that employs some of the principal security features offered by the Android operating system. We explain how our design can help eliminate trust-related issues associated with such applications, as well as how it can help minimize issues in other categories. Finally, we demonstrate how our proposed design can be used in practice by implementing a proof of concept.
38

Barton, Daniel John Trevino. "Usable Post-Classification Visualizations for Android Collusion Detection and Inspection." Thesis, Virginia Tech, 2016. http://hdl.handle.net/10919/72286.

Abstract:
Android malware collusion is a new threat model that occurs when multiple Android apps communicate in order to execute an attack. This threat model threatens all Android users' private information and system resource security. Although recent research has made advances in collusion detection and classification, security analysts still do not have robust tools which allow them to definitively identify colluding Android applications. Specifically, in order to determine whether an alert produced by a tool scanning for Android collusion is a true-positive or a false-positive, the analyst must perform manual analysis of the suspected apps, which is both time consuming and prone to human errors. In this thesis, we present a new approach to definitive Android collusion detection and confirmation by rendering inter-component communications between a set of potentially collusive Android applications. Inter-component communications (abbreviated to ICCs) are a feature of the Android framework that allows components from different applications to communicate with one another. Our approach allows Android security analysts to inspect all ICCs within a set of suspicious Android applications and subsequently identify collusive attacks which utilize ICCs. Furthermore, our approach also visualizes all potentially collusive data-flows within each component within a set of apps. This allows analysts to inspect, step-by-step, the data-flows that are currently used by collusive attacks, or the data-flows that could be used for future collusive attacks. Our tool effectively visualizes the malicious and benign ICCs in sets of proof-of-concept and real-world colluding applications. We conducted a user study which revealed that our approach allows for accurate and efficient identification of true- and false-positive collusive ICCs while still maintaining usability.
Master of Science
39

Murmann, Patrick. "Towards Usable Transparency via Individualisation." Licentiate thesis, Karlstads universitet, Institutionen för matematik och datavetenskap (from 2013), 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:kau:diva-71120.

Abstract:
The General Data Protection Regulation grants data subjects the legal rights of transparency and intervenability. Ex post transparency provides users of data services with insight into how their personal data have been processed, and potentially clarifies what consequences will or may arise due to the processing of their data. Technological artefacts, ex post transparency-enhancing tools (TETs) convey such information to data subjects, provided the TETs are designed to suit the predisposition of their audience. Despite being a prerequisite for transparency, however, many of the TETs available to date lack usability in that their capabilities do not reflect the needs of their final users. The objective of this thesis is therefore to systematically apply the concept of human-centred design to ascertain design principles that demonstrably lead to the implementation of a TET that facilitates ex post transparency and supports intervenability. To this end, we classify the state of the art of usable ex post TETs published in the literature and discuss the gaps therein. Contextualising our findings in the domain of fitness tracking, we investigate to what extent individualisation can help accommodate the needs of users of online mobile health services. We introduce the notion of privacy notifications as a means to inform data subjects about incidences worthy of their attention and examine how far privacy personas reflect the preferences of distinctive groups of recipients. We suggest a catalogue of design guidelines that can serve as a basis for specifying context-sensitive requirements for the implementation of a TET that leverages privacy notifications to facilitate ex post transparency, and which also serve as criteria for the evaluation of a future prototype.

Paper 2 was included in the thesis as a manuscript and has now been published.

40

Zeba, Vedrana, and Lykke Levin. "Security vs. Usability: designing a secure and usable access control event log." Thesis, Malmö universitet, Fakulteten för teknik och samhälle (TS), 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-20614.

Abstract:
Security and usability are often thought of as being contradictive. In this thesis, we explore the possibility of incorporating both security and usability in an access control GUI. The research is concentrated towards the part of the access control that is referred to as the event log. The purpose of the log is to store and present information about events that occur at monitored entry points. The intention of the research is to investigate to what extent it is possible to implement user requirements, while still complying with security and usability heuristics. A traditional interaction design process is conducted. Semi-structured interviews are held with respondents from two different target groups, to see if their needs differ. One of the groups consists of users who primarily do security related work, and the other one consists of users who have security as a secondary job assignment. The answers undergo a thematic analysis. The outcome of the analysis is four different themes, consisting of a total of 26 user requirements. The user requirements and the heuristics are taken into consideration when creating a prototype. The prototype is then subjected to a heuristic evaluation by experts. The results of this research indicate that the gathering of user requirements does aid the compliance with heuristics. Moreover, the user needs between the two groups do differ on several accounts. The requirements that originate from the first group can be thought of as more dynamic and instantaneous, while the other group has requirements that are more static and occasional.
41

Årnes, Andre. "Risk, Privacy, and Security in Computer Networks." Doctoral thesis, Norwegian University of Science and Technology, Faculty of Information Technology, Mathematics and Electrical Engineering, 2006. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-1725.

Abstract:

With an increasingly digitally connected society comes complexity, uncertainty, and risk. Network monitoring, incident management, and digital forensics are of increasing importance with the escalation of cybercrime and other network supported serious crimes. New laws and regulations governing electronic communications, cybercrime, and data retention are being proposed, continuously requiring new methods and tools.

This thesis introduces a novel approach to real-time network risk assessment based on hidden Markov models to represent the likelihood of transitions between security states. The method measures risk as a composition of individual hosts, providing a precise, fine-grained model for assessing risk and providing decision support for incident response. The approach has been integrated with an existing framework for distributed, large-scale intrusion detection, and the results of the risk assessment are applied to prioritize the alerts produced by the intrusion detection sensors. Using this implementation, the approach is evaluated on both simulated and real-world data.

Network monitoring can encompass large networks and process enormous amounts of data, and the practice and its ubiquity can represent a great threat to the privacy and confidentiality of network users. Existing measures for anonymization and pseudonymization are analyzed with respect to the trade-off of performing meaningful data analysis while protecting the identities of the users. The results demonstrate that most existing solutions for pseudonymization are vulnerable to a range of attacks. As a solution, some remedies for strengthening the schemes are proposed, and a method for unlinkable transaction pseudonyms is considered.

Finally, a novel method for performing digital forensic reconstructions in a virtual security testbed is proposed. Based on a hypothesis of the security incident in question, the testbed is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate reconstruction experiments in digital forensics. Two examples are given to demonstrate the approach; one overview example based on the Trojan defense and one detailed example of a multi-step attack. Although a reconstruction can neither prove a hypothesis with absolute certainty, nor exclude the correctness of other hypotheses, a standardized environment combined with event reconstruction and testing can lend credibility to an investigation and can be a valuable asset in court.

42

Moe, Marie Elisabeth Gaup. "Security, Privacy and Trust in Dynamic Networks." Doctoral thesis, Norges teknisk-naturvitenskapelige universitet, Institutt for telematikk, 2009. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-5540.

Abstract:
Emergent networks like mobile ad hoc networks, sensor networks, opportunistic networks, peer-to-peer networks and social networks are introducing new and exciting opportunities of communication between people and devices. But these dynamic networks also introduce many security- and privacy-related challenges. When dealing with complex and dynamic environments, information about the current level of security or privacy, expressed in a quantified manner, could be of great value in a decision-making process. In order to derive such quantified measures there is a need for mathematical models for security, privacy and trust. The development, application and evaluation of such models are the topics of this thesis. In order to obtain quantitative measures of security, a state modeling approach, which has traditionally been used to model dependable systems is used. The modeling is based on the view that the notions of security and dependability are integrated concepts, both describing aspects of trustworthy computer systems. The state modeling allows for a probabilistic evaluation of the security of the system, which can be used for security quantification, prediction, risk assessment, intrusion detection and intrusion prevention. The first part of the thesis describes a real-time risk assessment method for computer networks using hidden Markov modeling. Hidden Markov models are well suited for the modeling of sensor trustworthiness in an intrusion prevention system, and as a result of this research, a new method for aggregation of intrusion detection alerts from multiple intrusion detection systems is proposed. New security metrics for computer networks, such as computer network risk, the mean time to next intrusion and the intrusion frequency, are derived from the Markov models. Hidden Markov models are also used for supporting the actions of agents in dynamic networking environments who are faced with significant degrees of uncertainty in making decisions. 
Assuming access to perfect information about the environment and the properties of the interacting partners is unrealistic, but if agents are able to establish appropriate trust in each other, the decision-making process would be facilitated and the risk associated with the interactions could still be acceptable. Trust may also play a significant role for the efficient operation of more general multiagent systems. A novel trust model based on hidden Markov modeling and reinforcement learning has been developed, where the measuring of agent trustworthiness is based on the predicted state probability distribution. Trust modeling is also used as a basis for a decentralized reputation system suitable for dynamic multiagent environments. As infrastructures are gradually becoming more intelligent, trust may play an increasingly important role in the interactions between network components. A trust-based security extension to the mobile ad hoc network dynamic source routing protocol is given, where the state probability of a node, according to its corresponding hidden Markov model, is being used for deciding the node’s trustworthiness. Nodes with different trustworthiness may be offered different service levels based on a trust policy. Since network services normally will be denied to untrusted nodes, an incentive for nodes not to misbehave is created. Users in dynamic networking environments like mobile ad hoc networks would be particularly exposed to threats against their privacy since they have limited control over the trustworthiness of network nodes that handle the messages sent. Appropriate privacy enhancing cryptographic mechanisms, which can be trusted to work as intended, are required to handle this problem. A novel approach to quantifying the amount of privacy that is offered by anonymous ad hoc routing protocols using conditional entropy is given, which takes into account the proportion of adversarial nodes and includes the a priori knowledge of the attacker.
43

Kong, Yibing. "Security and privacy model for association databases." Access electronically, 2003. http://www.library.uow.edu.au/adt-NWU/public/adt-NWU20031126.142250/index.html.

44

Vahedi, Ehsan. "Security, privacy and efficiency in RFID systems." Thesis, University of British Columbia, 2013. http://hdl.handle.net/2429/45181.

Abstract:
Radio frequency identification (RFID) is a ubiquitous wireless technology that allows objects to be identified automatically. Using the RFID technology can simplify many applications and provide many benefits but meanwhile, the security and privacy of RFID systems should be taken into account. In this thesis, we have two goals. The first one is to improve the security and privacy in RFID systems. Our second goal is to provide accurate analytical models for the most important tag singulation schemes. We use these analytical models to evaluate and compare the efficiency of the tag singulation schemes. First, we study the blocking attack in RFID systems and develop an analytical model for it. Using this analytical model, we propose two probabilistic blocker tag detection (P-BTD) algorithms for RFID systems that operate based on the binary tree walking and ALOHA techniques. Then, we study the security and privacy of some recently introduced light-weight authentication protocols, and discuss their advantages and drawbacks. Based on this analysis and considering the hardware limitations of RFID tags, we propose a new authentication protocol that improves the security and privacy in RFID systems. By taking advantage of the analytical model we proposed for the ALOHA-based P-BTD algorithm, we develop an accurate tag estimate method. Using the proposed method, we can estimate the number of tags in RFID systems accurately, and design more efficient ALOHA-based tag singulation mechanisms. Next, we study the EPC Gen-2 protocol and its tag singulation mechanism. We model the EPC Gen-2 protocol as an absorbing Markov chain. Using the model proposed, we derive accurate analytical expressions for the expected number of queries and the expected number of transmitted bits needed to identify all tags in the RFID system. Finally, we study the use of the CDMA technique for RFID systems. 
We model the CDMA-based tag singulation procedure as an absorbing Markov chain, and derive accurate analytical expressions for the expected number of queries and the amount of transmitted data needed to identify all tags in the system. Using the analytical models developed, we compare the performance of the CDMA-based and the EPC Gen-2 tag singulation schemes.
45

Clarke, David A. Jr. "Making U.S. security and privacy rights compatible." Thesis, Monterey California. Naval Postgraduate School, 2013. http://hdl.handle.net/10945/37603.

Abstract:
CHDS State/Local
Approved for public release; distribution is unlimited
The terror attacks against the United States on September 11, 2001, necessitated changes in the way domestic intelligence agencies and services conducted information-collection activities to protect against further attacks. Congress acted quickly to prevent the next attack by expanding government authority under the USA PATRIOT Act and the Federal Intelligence Surveillance Court. This gave domestic intelligence services the tools needed due to advances in technology that allowed terror organizations and suspects to travel, communicate, raise money and recruit using the Internet. Safeguards were written into the enhanced authority to protect against privacy abuses by government. Ten years after 9/11, civil-liberties advocates called for more transparency, more privacy protections and better oversight because of past abuses by government officials operating in the name of national security. Leaks about government spying on U.S. citizens have heightened the balance debate between security and privacy. Privacy or security is not a zero-sum game. A policy that incorporates an adversarial process in the FISC and a streamlined oversight mechanism in Congress for more effective oversight, and the release of redacted classified documents to educate the public about surveillance techniques, would instill more balance and greater public trust.
46

Tuchinda, Rattapoom 1979. "Security and privacy in the Intelligent Room." Thesis, Massachusetts Institute of Technology, 2002. http://hdl.handle.net/1721.1/87299.

Abstract:
Thesis (M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2002.
Includes bibliographical references (leaves 73-74).
by Rattapoom Tuchinda.
M.Eng.
47

Calmon, Flavio du Pin. "Information-theoretic metrics for security and privacy." Thesis, Massachusetts Institute of Technology, 2015. http://hdl.handle.net/1721.1/101567.

Abstract:
Thesis: Ph. D., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2015.
Cataloged from PDF version of thesis.
Includes bibliographical references (pages 143-150).
In this thesis, we study problems in cryptography, privacy and estimation through the information-theoretic lens. We introduce information-theoretic metrics and associated results that shed light on the fundamental limits of what can be learned from noisy data. These metrics and results, in turn, are used to evaluate and design both symmetric-key encryption schemes and privacy-assuring mappings with provable information-theoretic security guarantees. We start by studying information-theoretic properties of symmetric-key encryption in the "small key" regime (i.e. when the key rate is smaller than the entropy rate of the message source). It is well known that security against computationally unbounded adversaries in such settings can only be achieved when the communicating parties share a key that is at least as long as the secret message (i.e. plaintext) being communicated, which is infeasible in practice. Nevertheless, even with short keys, we show that a certain level of security can be guaranteed, albeit not perfect secrecy. In order to quantify exactly how much security can be provided with short keys, we propose a new security metric, called symbol secrecy, that measures how much an adversary that observes only the encrypted message learns about individual symbols of the plaintext. Unlike most traditional rate-based information-theoretic metrics for security, symbol secrecy is non-asymptotic. Furthermore, we demonstrate how fundamental symbol secrecy performance bounds can be achieved through standard code constructions (e.g. Reed-Solomon codes). While much of information-theoretic security has considered the hiding of the plaintext, cryptographic metrics of security seek to hide functions thereof. Consequently, we extend the definition of symbol secrecy to quantify the information leaked about certain classes of functions of the plaintext. 
This analysis leads to a more general question: can security claims based on information metrics be translated into guarantees on what an adversary can reliably infer from the output of a security system? On the one hand, information metrics usually quantify how far the probability distribution between the secret and the disclosed information is from the ideal case where independence is achieved. On the other hand, estimation guarantees seek to assure that an adversary cannot significantly improve his estimate of the secret given the information disclosed by the system. We answer this question in the positive, and present formulations based on rate-distortion theory that allow security bounds given in terms of information metrics to be transformed into bounds on how well an adversary can estimate functions of secret variable. We do this by solving a convex program that minimizes the average estimation error over all possible distributions that satisfy the bound on the information metric. Using this approach, we are able to derive a set of general sharp bounds on how well certain classes of functions of a hidden variable can(not) be estimated from a noisy observation in terms of different information metrics. These bounds provide converse (negative) results: If an information metric is small, then any non-trivial function of the hidden variable cannot be estimated with probability of error or mean-squared error smaller than a certain threshold. The main tool used to derive the converse bounds is a set of statistics known as the Principal Inertia Components (PICs). The PICs provide a fine-grained decomposition of the dependence between two random variables. Since there are well-studied statistical methods for estimating the PICs, we can then determine the (im)possibility of estimating large classes of functions by using the bounds derived in this thesis and standard statistical tests. 
The PICs are of independent interest, and are applicable to problems in information theory, statistics, learning theory, and beyond. In the security and privacy setting, the PICs fulfill the dual goal of providing (i) a measure of (in)dependence between the secret and disclosed information of a security system, and (ii) a complete characterization of the functions of the secret information that can or cannot be reliably inferred given the disclosed information. We study the information-theoretic properties of the PICs, and show how they characterize the fundamental limits of perfect privacy. The results presented in this thesis are applicable to estimation, security and privacy. For estimation and statistical learning theory, they shed light on the fundamental limits of learning from noisy data, and can help guide the design of practical learning algorithms. Furthermore, as illustrated in this thesis, the proposed converse bounds are particularly useful for creating security and privacy metrics, and characterize the inherent trade-off between privacy and utility in statistical data disclosure problems. The study of security systems through the information-theoretic lens adds a new dimension for understanding and quantifying security against very powerful adversaries. Furthermore, the framework and metrics discussed here provide practical insight on how to design and improve security systems using well-known coding and optimization techniques. We conclude the thesis by presenting several promising future research directions.
by Flavio du Pin Calmon.
Ph. D.
48

Parris, Iain. "Practical privacy and security for opportunistic networks." Thesis, University of St Andrews, 2014. http://hdl.handle.net/10023/5357.

Abstract:
When in physical proximity, data can be directly exchanged between the mobile devices people carry - for example over Bluetooth. If people cooperate to store, carry and forward messages on one another's behalf, then an opportunistic network may be formed, independent of any fixed infrastructure. To enable performant routing within opportunistic networks, use of social network information has been proposed for social network routing protocols. But the decentralised and cooperative nature of the networks can however expose users of such protocols to privacy and security threats, which may in turn discourage participation in the network. In this thesis, we examine how to mitigate privacy and security threats in opportunistic networks while maintaining network performance. We first demonstrate that privacy-aware routing protocols are required in order to maintain network performance while respecting users' privacy preferences. We then demonstrate novel social network routing protocols that mitigate specific threats to privacy and security while maintaining network performance.
49

Krupp, Brian Michael. "Enhancing Security And Privacy For Mobile Systems." Cleveland State University / OhioLINK, 2015. http://rave.ohiolink.edu/etdc/view?acc_num=csu1432156543.

50

Liao, Weixian. "SECURITY AND PRIVACY OF CYBER-PHYSICAL SYSTEMS." Case Western Reserve University School of Graduate Studies / OhioLINK, 2018. http://rave.ohiolink.edu/etdc/view?acc_num=case1525718335240014.
