A Model To Improve Security Questions Through Individualized Assistance
No Thumbnail Available
Links to Files
Permanent Link
Collections
Author/Creator
Author/Creator ORCID
Date
2014
Type of Work
Department
Business and Management
Program
Doctor of Philosophy
Citation of Original Publication
Rights
This item is made available by Morgan State University for personal, educational, and research purposes in accordance with Title 17 of the U.S. Copyright Law. Other uses may require permission from the copyright owner.
Abstract
Security questions are considered a viable alternative for secondary and supplementary authentication. Security questions can offer a low-cost alternative for password resets as well as an additional layer of security beyond traditional username and passwords, security questions are a human-authentication method leveraging unique private knowledge. Information system security is meant to protect and limit access to select individuals. All access control techniques are susceptible to attackers. Security questions are susceptible to three types of attacks - blind (brute force), focused (statistical) guess, and observation (research/personal). Any proposed solution must address existing and potential threats by balancing usability, privacy, trust and security. This research outlines how informing users of potential security threats through a security meter may improve security with minimal impact to usability, privacy and trust. In order to achieve the goal of the research, a security meter was integrated into a traditional security question framework. Security meter combined individual responses with common responses and social networking information to assess the entropy of the response. Shannon (1948) defined entropy of a system as the amount of uncertainty of the probability of events. In Shannon's (1948) entropy calculation function, entropy is calculated by the inversing the probably of occurrence of an event. Entropy, which is the measure of the security of a response, is determined by evaluating the probability of responses based on the number and type of characters, similar answers, and responses available through various data sources. The security meter incorporated the entropy of the response as well as an assessment of the susceptibility of the response to an attack to provide an accurate assessment of the question and answer pairing. The data sources include public, semi-private and private data (including Facebook and search engine results). The available data sources are analyzed to assess a response's entropy and strength and then inform users of the level of security of their response via a security meter. The security meter also assists participants in recognizing if they are susceptible to guessing or focused attacks and provides suggestions on how to improve the strength of their response. This research makes a contribution to security domain. The empirical reviewed solution's attempts to improve security questions as a form of secondary human authentication as well as other forms of access control that rely on information known to the user. The web-based design offers a realistic and dynamic environment that addresses an individual's, the system's participants and the hosts security risks. The design has practical applications for improving the security of existing and future security questions implementations. Overall, the dissertation builds on literature to enhance the security domain by mitigating current challenges with security questions.