Security vs Usability • Dr Kate Dingley • Principal lecturer and International Coordinator for the School of Computing • [email protected]
Apr 01, 2015
Security vs Usability
• Dr Kate Dingley• Principal lecturer and International
Coordinator for the School of Computing
What do we know about Usability?
• Human needs and goals• Analysing system requirements• Evaluating prototypes• GUIs (graphic user interfaces)• Group working• Mobile interfaces
What do we know about Usability?The HCI process
• Human needs and goals– Start with what the user actually wants to do
• Analysing system requirements– Then analyse and design system concepts to
support their needs
• Evaluating prototypes– Build a quick prototype and evaluate your
design
HCI aspects continued
• GUIs (graphic user interfaces)– Support recognition so user don’t have to recall
things
• Group working– Modern work is seldom in isolation– Group working is vital
• Mobile interfaces– So much more in so little space
Human Needs and Perception• Usability is based on understanding and
designing for human needs• Recognition is easier than recall
◦ Short term memory is fairly limited◦ We use metaphors to help us learn and
understand◦ Grouping things helps memory◦ We cannot remember and then forget on
command ◦ Language and culture affect understanding and
use
• d
Analysing Needs
• Who is the User?– The person using the system or the one requiring the
security
• Whose needs take priority?• Consider how often you have to verify
some characters• If you dont type these exactly you wont
achieve your goal(task)
What are the consequences of poor security?
Consequences• For the site owner:-
Reduced “information harvesting”More likely to be the correct userUser is not able to use their service
• For the end user:-Feeling of securityFrustration Move to another supplier if available
• If a user is prevented from using the site, how does this fit with Equality Act legislation?
Prototypes and evaluation• Stakeholders are the people who would be
interested in a system or its development– Often appointed at high level
• Testing a prototype with end users is important in ensuring usability– Real users are vital
• Security has traditionally been tested differently – access control, prevention, reset, etc, is quite different to principles of usability– Keyword in security is “prevention”– Keyword in usability is “enable”
Graphic User Interfaces• Evolved with windows, icons, menus, mice to
make interfaces easier to use• Security dialogues are making things hard again• Recall needed, little opportunity to recover from
mistakes – return to command line interface Issues!People write them down!How do you forget an old p/word?
Security and human memory
• Memory is essential for high security– http://www.youtube.com/watch?v=p-j4WWko-4Y&fea
ture=related
• However we remember more in context– http://www.youtube.com/watch?v=BdSBwpqydY8&fe
ature=related
– But things can interrupt memory retrieval
• z
Group Working• Groups present their own problems
– Do all users share a login or have separate IDs?
• If you have assistive technology like speech/voice data entry - how do you enter personal data without it being overheard?– Even if you can enter text data, hearing your private
information read by a computer voice is no fun– http://www.youtube.com/watch?v=XSHmPamLGQA&featu
re=related
– http://www.youtube.com/watch?v=H6y4CWiqCFc&feature=related – using voice verifcation
• d
Mobile interfaces• Usability already harder –
– Nested menus– Readability slower due to short lines– Screen visibility in different light
• However, mobile devices easier to steal – so need more, not less protection
• Mobile devices often store contacts, financial and p/word information
Solutions
• Biometrics– Not as easy as implied– Still have to remember stuff – eg, which
finger to swipe• What problems can you think of?
– http://www.youtube.com/watch?v=RqWx7e8EVOY
• http://zing.ncsl.nist.gov/biousa/docs/Usability_and_Biometrics_final2.pdf -big document!
• http://www.stcsig.org/usability/newsletter/0204-politics.html
Biometrics:- further information
• http://www.youtube.com/watch?v=0o5Uu6H8toc
Ergonomics• Move systems out of an office and there are
more issues• Outside you have heat and cold, dirt, poor light
and glare• There are the dangers of use while walking,
cycling or driving - but add a p/word for real danger– Eg voice dial phone, but 4 digit keycode
must be entered first• People with physical disabilities are barred
from use – eg arthritis would make finger scan hard/painful or impossible
People, again!
• Research has shown that people generally dont appreciate the need for good security when it conflicts with usability
• “We conjecture that this is the case because people prefer convenience over security”. Dhamija & Perrig, 2001 (deja vu) http://people.seas.harvard.edu/~rachna/papers/usenix.pdf
• Behaviour modification may work in the long term
Quick Survey
Summary• Nearly everything we have learned about
usability currently conflicts with security systems as we know them
• Some research is being undertaken• this would make interesting projects and offer
job opportunities
References
• http://www.schneier.com/blog/archives/2009/08/security_vs_usa.html
• http://www.w3.org/2006/WSC/ • http://www.youtube.com/watch?
v=jYWmkcokkjE • http://www.youtube.com/watch?
v=GpQ5ApWpNxo&feature=related • http://people.clarkson.edu/~jsearlem/cs459/
fa10/presentations/platek_presentation.pdf