UMD Theses and Dissertations
Permanent URI for this collection: http://hdl.handle.net/1903/3
New submissions to the thesis/dissertation collections are added automatically as they are received from the Graduate School. Currently, the Graduate School deposits all theses and dissertations from a given semester after the official graduation date. This means that there may be up to a 4 month delay in the appearance of a given thesis/dissertation in DRUM.
More information is available at Theses and Dissertations at University of Maryland Libraries.
Search Results (2 results)
Item: A Human-Centric Approach to Software Vulnerability Discovery (2020)
Votipka, Daniel Jared; Mazurek, Michelle L; Computer Science; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)

Software security bugs, referred to as vulnerabilities, persist as an important and costly challenge. Significant effort has been exerted toward automatic vulnerability discovery, but human intelligence generally remains required and will remain necessary for the foreseeable future. Therefore, many companies have turned to internal and external (e.g., penetration testing, bug bounties) security experts to manually analyze their code for vulnerabilities. Unfortunately, there are a limited number of qualified experts. Therefore, to improve software security, we must understand how experts search for vulnerabilities and how their processes could be made more efficient, by improving tool usability and targeting the most common vulnerabilities. Additionally, we seek to understand how to improve training to increase the number of experts. To answer these questions, I begin with an in-depth qualitative analysis of secure development competition submissions to identify common vulnerabilities developers introduce. I found developers struggle to understand and implement complex security concepts, not recognizing how nuanced development decisions could lead to vulnerabilities. Next, using a cognitive task analysis to investigate experts' and non-experts' vulnerability discovery processes, I observed they use the same process, but differ in the variety of security experiences which inform their searches. Together, these results suggest exposure to an in-depth understanding of potential vulnerabilities as essential for vulnerability discovery. As a first step to leverage both experts and non-experts, I pursued two lines of work: education to support experience development and vulnerability discovery automation interaction improvements.

To improve vulnerability discovery tool interaction, I conducted observational interviews of experts' reverse engineering process, an essential and time-consuming component of vulnerability discovery. From this, I provide guidelines for more usable interaction design. For security education, I began with a pedagogical review of security exercises to identify their current strengths and weaknesses. I also developed a psychometric measure for secure software development self-efficacy to support comparisons between educational interventions.

Item: Securing the Human – Exploring Current Security Awareness among Employees and Finding Ways to Improve it in the Organizational Setting (2015)
Sebescen, Nina; Vitak, Jessica; Master in Information Management; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)

As organizational security breaches increase, it becomes imperative to understand the factors that lead to these breaches and take the necessary steps to minimize threats. Since employees are considered the weakest link in ensuring the security of corporate data, this paper evaluates various employee characteristics (demographic, company-specific, and skills-based) to understand their relationship with security knowledge and likelihood of becoming a security breach victim. This paper accounts for four different, yet intertwined, security risk areas: phishing, passwords, BYOD and laptop usage in the organizational setting. Findings from a survey of 250 employees at a medium-sized US consulting firm identify higher-risk employees and evaluate the relationship between employee characteristics, understanding of security policies, and security risks. Based on these findings and separate interviews with security experts, the study concludes with a set of recommendations for companies to improve organizational security and reduce risks caused by human factors in securing organizations’ endpoints.