Dodier-Lazaro, Steve;
(2020)
Appropriate security and confinement technologies: methods for the design of appropriate security and a case study on confinement technologies for desktop computers.
Doctoral thesis (Ph.D), UCL (University College London).
Preview |
Text
Dodier-Lazaro_Thesis.pdf - Published Version Download (6MB) | Preview |
Abstract
Despite significant research, desktop computers remain fundamentally insecure. Malware is a prime culprit for data breaches in organisations. A vast number of user machines are connected to the Internet unprotected, leading to global ransomware attacks costing billions to world economies. Confinement systems are technologies that can thwart malware. Several security researchers have claimed to have designed usable confinement, and both Microsoft and Apple have deployed confinement into their desktop OSs in the form of sandboxes, but application developers avoid supporting it. Commercial off-the-shelf confinement systems exist which users can adopt and use, but very few do. My thesis investigates the design process of confinement technologies, to understand why they are not in use. It is divided in two parts. Firstly, I examine why the methods of usable security may not be judicious when it comes to designing for adoption. I propose alternative methods and goals, focused on the adoption and appropriation of technologies, rather than on their usability. This alternative process, named appropriate security, rests on four principles: security research is about users, not technology; it is about appropriation, not usability; it should not cause harm to users; and it should involve users in shaping security goals, rather than impose others’ goals onto them. Next, I apply this approach to sandboxes, through a field study with users at risk of being disenfranchised by sandboxing if it were mandatory. In this study, I document users’ appropriations of their computers to elicit design requirements and to invent new types of file access policies for existing sandboxes. I build metrics and tools to evaluate the security provided by file access policies, and their cost to users. Using ground-truth data from users, I demonstrate that my policies (designed with users’ appropriations in mind) outperform existing ones in Windows both on security and usability. I then co-design confinement-based services with users, based on their own experiences of security, and which provide actual value to them, as a way to bootstrap security adoption. This study demonstrates the substantial benefits of implementing an appropriate security design process.
Type: | Thesis (Doctoral) |
---|---|
Qualification: | Ph.D |
Title: | Appropriate security and confinement technologies: methods for the design of appropriate security and a case study on confinement technologies for desktop computers |
Event: | UCL (University College London) |
Open access status: | An open access version is available from UCL Discovery |
Language: | English |
Additional information: | Copyright © The Author 2019. Original content in this thesis is licensed under the terms of the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) Licence (https://creativecommons.org/licenses/by-nc/4.0/). Any third-party copyright material present remains the property of its respective owner(s) and is licensed under its existing terms. Access may initially be restricted at the author’s request. |
UCL classification: | UCL UCL > Provost and Vice Provost Offices UCL > Provost and Vice Provost Offices > UCL BEAMS UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/10046583 |
Archive Staff Only
View Item |