A Model To Improve Security Questions Through Individualized Assistance

Date

2014

Department

Business and Management

Program

Doctor of Philosophy

Rights

This item is made available by Morgan State University for personal, educational, and research purposes in accordance with Title 17 of the U.S. Copyright Law. Other uses may require permission from the copyright owner.

Abstract

Security questions are considered a viable alternative for secondary and supplementary authentication. They offer a low-cost alternative for password resets as well as an additional layer of security beyond traditional usernames and passwords; security questions are a human-authentication method that leverages unique private knowledge. Information system security is meant to protect and limit access to select individuals. All access control techniques are susceptible to attackers. Security questions are susceptible to three types of attacks: blind (brute force), focused (statistical) guessing, and observation (research/personal). Any proposed solution must address existing and potential threats by balancing usability, privacy, trust and security. This research outlines how informing users of potential security threats through a security meter may improve security with minimal impact on usability, privacy and trust. To achieve the goal of the research, a security meter was integrated into a traditional security question framework. The security meter combined individual responses with common responses and social networking information to assess the entropy of the response. Shannon (1948) defined the entropy of a system as the amount of uncertainty in the probability of events. In Shannon's (1948) entropy function, entropy is calculated by inverting the probability of occurrence of an event. Entropy, which is the measure of the security of a response, is determined by evaluating the probability of responses based on the number and type of characters, similar answers, and responses available through various data sources. The security meter incorporated the entropy of the response as well as an assessment of the susceptibility of the response to an attack, to provide an accurate assessment of the question-and-answer pairing. The data sources include public, semi-private and private data (including Facebook and search engine results).
The available data sources are analyzed to assess a response's entropy and strength, and users are then informed of the level of security of their response via a security meter. The security meter also helps participants recognize whether they are susceptible to guessing or focused attacks and suggests how to improve the strength of their response. This research makes a contribution to the security domain. The empirically reviewed solution attempts to improve security questions as a form of secondary human authentication, as well as other forms of access control that rely on information known to the user. The web-based design offers a realistic and dynamic environment that addresses the security risks of the individual, the system's participants and the host. The design has practical applications for improving the security of existing and future security question implementations. Overall, the dissertation builds on the literature to enhance the security domain by mitigating current challenges with security questions.
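As an added illustration (not the dissertation's own code or data), the following Python sketch shows how such a meter can combine Shannon surprisal over a common-response table, a character-class estimate for blind guessing, and a check against public profile data; the answer table, pool size and profile terms are constructed sample values.

```python
import math
import re

# Constructed sample data (not from the dissertation): counts of common responses
# to a favourite-colour question, out of a pool of TOTAL_RESPONSES answers.
COMMON_ANSWERS = {
    "blue": 320, "red": 180, "green": 150, "black": 120, "purple": 90,
    "pink": 60, "yellow": 40, "orange": 25, "white": 10, "teal": 5,
}
TOTAL_RESPONSES = 2000
# Constructed stand-in for the public/semi-private data sources the meter consults.
PUBLIC_PROFILE_TERMS = {"teal", "baltimore", "rover"}


def normalize(answer: str) -> str:
    return re.sub(r"\s+", " ", answer.strip().lower())


def guess_entropy_bits(answer: str) -> float:
    """Shannon surprisal -log2(p), p = the answer's share of the response pool.
    An answer absent from the table counts as a single occurrence in the pool."""
    count = COMMON_ANSWERS.get(normalize(answer), 1)
    return -math.log2(count / TOTAL_RESPONSES)


def character_entropy_bits(answer: str) -> float:
    """Blind-guess estimate: length times log2 of the alphabet implied by the
    character classes used (lower 26, upper 26, digits 10, other 33)."""
    alphabet = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)):
        if re.search(pattern, answer):
            alphabet += size
    return len(answer) * math.log2(alphabet) if alphabet else 0.0


def security_meter(answer: str) -> dict:
    """The weaker of the two estimates bounds attacker effort; exposure through a
    data source reduces the rating to zero. Returns rating and warnings."""
    bits = min(guess_entropy_bits(answer), character_entropy_bits(answer))
    warnings = []
    if normalize(answer) in COMMON_ANSWERS:
        warnings.append("focused attack: answer is a common response")
    if normalize(answer) in PUBLIC_PROFILE_TERMS:
        warnings.append("observation attack: answer appears in public profile data")
        bits = 0.0
    level = "weak" if bits < 6 else "fair" if bits < 10 else "strong"
    return {"bits": round(bits, 2), "level": level, "warnings": warnings}


if __name__ == "__main__":
    for candidate in ("blue", "teal", "Slate Grey 1987"):
        print(candidate, security_meter(candidate))
```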