Three New Themes in Software Security

I was privileged to attend the Workshop on Security and Human Behaviour last month in Cambridge, UK. This fascinating two-day workshop brought together around ninety leading researchers in Human-Centred Security, most working in software security. The delegate page alone is worth a look: most attendees linked their key papers, so it makes a good introduction to the field.

The workshop format was very effective and energising: virtually every delegate gave a short presentation, and there was lots of time for questions and discussion. Lancaster was well represented, with Richard Harper presenting on the security of habit, Jeff Yan presenting on stock market fraud, and myself on helping app developers.


Ross Anderson wrote up all the sessions in a long blog here – take a look. And Sophie van der Zee produced the word cloud above from the first day. I myself observed three wider themes that were new to me:


Security paternalism: this is the tendency for security practitioners to decide what is best for the users, often without much reference to users’ own needs. A particularly bad effect of this has been pushing work onto users – such as long passwords and SSL warnings – rather than finding more appropriate solutions. I was particularly amused by the observation that, for a web site, the “long password, frequently changed” advice only addresses the threat of attackers stealing the entire password file, something handled better by salting and perimeter defences.


Cyber as a militaristic term: I had always treated ‘cyber’ as meaning ‘related to computer-machine interfaces’. There was agreement in the workshop about how ‘cyber security’ has come to have connotations of military ‘cyber warfare’; that encourages government spending, but we need to be careful to avoid emphasising adversarial security over cooperation, economics and human benefit.


The Dread Bias cycle: several of the non-software researchers discussed the effect where a major event such as 9/11 may cause more damage by changing people’s behaviour than the original disaster. So more people died from increased accidents in the two months afterwards than died in the London bombings; and by making flying less convenient the USA TSA has killed many more people than airline terrorists. That suggests an interesting research project to see how that might apply to software!


Try looking out for examples of these three themes over the next few months – I think you’ll see quite a few!


- Charles