Financial Cryptography and Data Security

With the embedding of EEG (electro-encephalography) sensors in wireless headsets and other consumer electronics, authenticating users based on their brainwave signals has become a realistic possibility. We undertake an experimental study of the usability and performance of user authentication using consumer-grade EEG sensor technology. By choosing custom tasks and custom acceptance thresholds for each subject, we can achieve 99% authentication accuracy using single-channel EEG signals, which is on par with previous research employing multichannel EEG signals using clinical-grade devices. In addition to the usability improvement offered by the single-channel dry-contact EEG sensor, we also study the usability of different classes of mental tasks. We find that subjects have little difficulty recalling chosen “pass-thoughts” (e.g., their previously selected song to sing in their mind). They also have different preferences for tasks based on the perceived difficulty and enjoyability of the tasks. These results can inform the design of authentication systems that guide users in choosing tasks that are both usable
