Steven Furnell Research Articles

Getting past passwords

Having been a core feature of IT systems for several decades, passwords continue to represent both one of the most familiar and most maligned aspects of security technology. While their potential weaknesses have been well recognised (but largely unchanged) over many years, there has equally been little sign of other approaches emerging to supplant them in terms of all-round usage and applicability. In spite of long-standing and well-recognised weaknesses, passwords continue to represent the most commonly encountered form of user authentication. However, there are now signs of viable alternatives. New approaches range from the more involved login processes demanded by services such as online banking, and the more user-friendly graphical approaches offered on mobile devices. Steven Furnell of Plymouth University finds that, while none of them represents a panacea, they do collectively serve to reduce the overall dependency upon passwords and ensure that users are exposed to a wider range of options.

Routes to security compliance: be good or be shamed?

Information security can benefit from multiple approaches to achieve staff compliance. While some people naturally accept their responsibilities, others require encouragement to stay on the right path. One potential factor is the desire to avoid feeling shamed by managers or peers. Mark Harris and Steven Furnell examine the potential of shaming as a means of dissuading employees from breaching policy, using original research. The results reveal that shaming could indeed have a positive influence, but there are also potential risks involved. It is widely recognised that security cannot succeed through technology alone and therefore won't work unless people are on board. Many organisations consequently face the questions of how to get staff to understand their roles when it comes to security, and then to enact their security responsibilities. This, of course, presents them with a situation for which there are multiple right answers, as well as several techniques that are less likely to be successful in some contexts. As such, it is worth understanding the techniques that are likely to have value.

Online privacy: a matter of policy?

Privacy policies are a standard element of most online sites, but can differ markedly in the degree to which they are understandable to users, thanks to the volume of information and the complexity of the language used. Steven Furnell and Andy Phippen of Plymouth University, UK examine the policies of some leading sites and assess the implications for users. They also consider other ways in which users may tend to seek reassurance if understanding the policy is beyond their ability. Privacy is a key topic of interest and concern for those involved with any aspect of online activity. While the concept of privacy may have existed for many hundreds of years, it has become more important as the value of personal data has increased. Indeed, in Magna Carta, one of the first definitions of the rights of the individual in history, there is no mention of privacy, and personal information had little value. With the advent of the merchant classes came competition and with it the concept of competitive advantage, the value of personal information began to increase and with it the need for privacy. However, it is only in post-war capitalist societies that we see an exponential interest. It was the advent of the Internet, with its facilitation of global instant access to information at virtually no cost, that has raised massive concerns for the privacy of one's personal data. And this is due to the number of companies and organisations wishing to access such information, and their reasons for doing so.

Disguising the dangers: hiding attacks behind modern masks

There's a well-known proverb that says, “the more things change, the more they stay the same”. Unfortunately, this can often prove to be the case with our attempts to provide security. Just when we start to get a grip on the nature of the threats and what to look out for, the changing face of the technology we use can serve to confound our efforts. As the technologies change, they can enable old threats to persist in a new guise. Such a pattern has been seen many times with malware, which has managed to hijack a succession of new technologies (from email through to social networks, from desktops through to mobile devices), thus ensuring that as soon as users have been educated and trained to be aware of the threat in one context, it pops up in another that they are not expecting. A variety of technologies aims to simplify users' interactions with their devices and online services. Unfortunately, in some cases, there is potential for these to come at the expense of security and protection, or at least to amplify the risk from the user perspective. Prof Steven Furnell of Plymouth University examines the phenomenon and shows how these simplifications of the navigation experience can potentially be used to disguise malicious links. And he examines how the simplified online fraud protection to be found on some mobile devices can expose users to phishing threats.

Understanding the influences on information security behaviour

Over the years, various observers have commented upon the imbalance in organisations' approaches to security. In many cases, significantly more attention appears to be devoted to technical aspects rather than those relating to people and processes. However, if survey findings are to be believed, there are at least signs of practices having improved in more recent times. Despite being exposed to the same policies and related training, employees within an organisation can exhibit very different security behaviours. Professor Steven Furnell and Anish Rajendran of Plymouth University propose a model that more fully identifies the factors influencing security behaviour and compliance. It considers forces that originate within the workplace, alongside various workplace-independent factors that might also affect security behaviour. The role of personality is considered within this model, as is the potential for inconsistencies to arise due to situational factors. Organisations might then use these insights to differentiate security-compliant from non-compliant employees and produce effective mitigation plans.

Assessing password guidance and enforcement on leading websites

For more than five decades, passwords have been the dominant means of user authentication for IT systems and are now used on a daily basis by millions of users worldwide. 1 Their significance is such that recent research has suggested 11% of people are now leaving (or planning to leave) details of Internet passwords in their wills so that they are able to pass on valuable online content to loved ones. 2 Meanwhile, in Italy the use of passwords has even become a matter of law, with privacy legislation laying down some minimum requirements (including that, where permitted by the system, they should be at least eight characters long, and be changed every six months). 3 Although passwords continue to dominate the field in user authentication, their use is accompanied by a significant lack of awareness and bad practice on the part of users. So how do websites go about providing advice and guidance when it comes to choosing passwords? Prof Steven Furnell at the University of Plymouth offers new research, studying 10 leading websites, and assesses how well they support and encourage the use of strong passwords. He finds there are some potentially surprising limitations and inconsistencies, and few of the market-leading sites are failing to show the way in terms of promoting good security practice.

Selecting security champions

It takes a certain type of person to properly promote and manage security issues. But can we identify specific links between security behaviours and personality types? Trevor Gabriel and Steven Furnell of the University of Plymouth carried out a research study to find out. Experimental findings suggest that the personality facets of imagination and immoderation emerge as the strongest indicators, and so may provide a foundation for using personality tests as a contributor towards selecting the most appropriate staff to act as security champions. Recent years have seen an increased recognition of the need to assign security responsibilities. This is particularly evident at the management level, with the growth of security executive roles (eg, CISO, CSO). For instance, it has been reported that by 2009 approximately 85% of large organisations had such an executive in place, compared to 56% in 2008 and just 43% in 2006. 1 While this can certainly be considered to represent progress, there has perhaps been less attention to where, or more specifically to whom, security responsibilities should be assigned.

Vulnerability management: an attitude of mind?

A multitude of online attacks is now made possible through the exploitation of vulnerabilities in operating systems, applications and online services. As a consequence, vulnerability management should be seen as an essential and non-optional task for responsible IT users. However, the persistence of open and unpatched systems demonstrates that this is far from the default mindset across the related user community. And it clearly demonstrates that, while technical measures such as automated updates can contribute towards a solution, vulnerability management is also very much a human issue. In short, successfully tackling the matter requires both an awareness of the problem and a willingness to address it. However, the persistence of open and unpatched systems demonstrates that this is far from the default mindset across the related user community. And it clearly demonstrates that, while technical measures such as automated updates can contribute towards a solution, vulnerability management is also very much a human issue. In short, successfully tackling the matter requires both an awareness of the problem and a willingness to address it. Steven Furnell and Maria Papadaki examine how vulnerability management can be undermined by the scale and difficulty of the task, and the need to accept responsibility for the job.

From security policy to practice: Sending the right messages

If it is to be truly successful, security requires engagement right across an organisation. It needs to be embedded in everyday operations and championed from both the top of an organisation and at a local level. It also needs effort and consideration to ensure that messages are appropriate to the likely audience, as well as shaped and communicated in a way that suits the different, but equally important range of stakeholders. This article considers the challenge of promoting security policy by ensuring the message is appropriate and effective for the many different individuals likely to be involved and/or affected. The discussion draws upon theories of leadership, communication within organisations and ways of influencing organisational change, emphasising the importance of framing the message in the right way in order to maximise support from the different constituents of the target audience. A range of approaches are consequently identified that could form part of an overall promotion portfolio, based upon a combination of push and pull style mechanisms that are likely to appeal to different people in relation to different aspects of the overall message. Caroline Chipperfield and Steven Furnell explore this intricate subject. It is hardly a revelation to state that successful security requires the support and commitment of those around it. Unfortunately, however, many people do not find security to be a naturally exciting or engaging topic, and it is therefore unrealistic to expect that the mere mention of its name will automatically drum up much enthusiasm. A rare exception may be when they have suffered an incident and feel a keen interest to recover and/or prevent it from happening again. The problem is that security is often something that people will not want to use by their own choice. They can find it time consuming, inconvenient and generally an obstacle to getting on with what they want to use a system for.

Beyond the PIN: Enhancing user authentication for mobile devices

There is now an increasing need for an enhanced level of user authentication on mobile devices. In this article, Steven Furnell, Nathan Clarke and Sevasti Karazouni begin by examining the existing provision, which is dominated by PIN and password-based approaches. They established that these may be both inconvenient and inadequate for securing modern devices and services. Mobile devices have changed significantly over the last decade, in terms of both their form factor and underlying capabilities. The introduction of third generation (3G) technologies has provided the underlying mechanism for a wide variety of innovative data-orientated services, with approximately one million users every day adopting these new features. 1

End-user security culture: A lesson that will never be learnt?

Professor Steven Furnell looks at reckless users online, as they make friends with complete strangers, even putting themselves at risk.

Identity impairment: The problems facing victims of identity fraud

Professor Steven Furnell looks at how identity theft affected one real-life victim.

A comparison of website user authentication mechanisms

Banks take a vastly different approach to authenticating users online. Bank of Ireland and RaboDirect have opted for two-factor authentication using security tokens with dynamically changing numbers. A security token is also offered by Paypal, which charges £5 for it. Others still lag behind with passwords and ID codes only. This month Computer Fraud & Security examines in detail how two major banks authenticate their customers. Steven Furnell examines how two major banks – HSBC and ING authenticate users

Phishing: can we spot the signs?

Dr Steven Furnell at Plymouth University has conducted research, which looks at why some computer users still can't tell the difference between an official email and a phishing scam. Steven Furnell looks at the increasing sophistication of phishing emails and examines why users are still vulnerable.