Security vs Usability Dr Kate Dingley Principal lecturer and International Coordinator for the School of Computing Kate.dingley@port.ac.uk

Apr 01, 2015

Arnold Hodde
Security vs Usability

• Dr Kate Dingley
• Principal lecturer and International Coordinator for the School of Computing

Kate.dingley@port.ac.uk

What do we know about Usability?

• Human needs and goals
• Analysing system requirements
• Evaluating prototypes
• GUIs (graphic user interfaces)
• Group working
• Mobile interfaces

What do we know about Usability? The HCI process

• Human needs and goals
  – Start with what the user actually wants to do
• Analysing system requirements
  – Then analyse and design system concepts to support their needs
• Evaluating prototypes
  – Build a quick prototype and evaluate your design

HCI aspects continued

• GUIs (graphic user interfaces)
  – Support recognition so users don’t have to recall things
• Group working
  – Modern work is seldom in isolation
  – Group working is vital
• Mobile interfaces
  – So much more in so little space

Human Needs and Perception

• Usability is based on understanding and designing for human needs
• Recognition is easier than recall
  ◦ Short term memory is fairly limited
  ◦ We use metaphors to help us learn and understand
  ◦ Grouping things helps memory
  ◦ We cannot remember and then forget on command
  ◦ Language and culture affect understanding and use

Analysing Needs

• Who is the User?
  – The person using the system or the one requiring the security
• Whose needs take priority?
• Consider how often you have to verify some characters
• If you don’t type these exactly you won’t achieve your goal (task)

What are the consequences of poor security?

Consequences

• For the site owner:-
  – Reduced “information harvesting”
  – More likely to be the correct user
  – User is not able to use their service
• For the end user:-
  – Feeling of security
  – Frustration
  – Move to another supplier if available

• If a user is prevented from using the site, how does this fit with Equality Act legislation?

Prototypes and evaluation

• Stakeholders are the people who would be interested in a system or its development
  – Often appointed at high level
• Testing a prototype with end users is important in ensuring usability
  – Real users are vital
• Security has traditionally been tested differently – access control, prevention, reset, etc, is quite different to principles of usability
  – Keyword in security is “prevention”
  – Keyword in usability is “enable”

Graphic User Interfaces

• Evolved with windows, icons, menus, mice to make interfaces easier to use
• Security dialogues are making things hard again
• Recall needed, little opportunity to recover from mistakes – return to command line interface

Issues!
People write them down!
How do you forget an old p/word?

Security and human memory

• Memory is essential for high security
  – http://www.youtube.com/watch?v=p-j4WWko-4Y&feature=related
• However we remember more in context
  – http://www.youtube.com/watch?v=BdSBwpqydY8&feature=related
  – But things can interrupt memory retrieval

Group Working

• Groups present their own problems
  – Do all users share a login or have separate IDs?
• If you have assistive technology like speech/voice data entry - how do you enter personal data without it being overheard?
  – Even if you can enter text data, hearing your private information read by a computer voice is no fun
  – http://www.youtube.com/watch?v=XSHmPamLGQA&feature=related
  – http://www.youtube.com/watch?v=H6y4CWiqCFc&feature=related – using voice verification

Mobile interfaces

• Usability already harder –
  – Nested menus
  – Readability slower due to short lines
  – Screen visibility in different light

• However, mobile devices easier to steal – so need more, not less protection

• Mobile devices often store contacts, financial and p/word information

Solutions

• Biometrics
  – Not as easy as implied
  – Still have to remember stuff – eg, which finger to swipe
• What problems can you think of?

– http://www.youtube.com/watch?v=RqWx7e8EVOY

• http://zing.ncsl.nist.gov/biousa/docs/Usability_and_Biometrics_final2.pdf -big document!

• http://www.stcsig.org/usability/newsletter/0204-politics.html

Biometrics:- further information

• http://www.youtube.com/watch?v=0o5Uu6H8toc

Ergonomics

• Move systems out of an office and there are more issues
• Outside you have heat and cold, dirt, poor light and glare
• There are the dangers of use while walking, cycling or driving - but add a p/word for real danger
  – Eg voice dial phone, but 4 digit keycode must be entered first
• People with physical disabilities are barred from use – eg arthritis would make finger scan hard/painful or impossible

People, again!

• Research has shown that people generally don’t appreciate the need for good security when it conflicts with usability

• “We conjecture that this is the case because people prefer convenience over security”. Dhamija & Perrig, 2001 (deja vu) http://people.seas.harvard.edu/~rachna/papers/usenix.pdf

• Behaviour modification may work in the long term

Quick Survey

Summary

• Nearly everything we have learned about usability currently conflicts with security systems as we know them
• Some research is being undertaken
• This would make interesting projects and offer job opportunities
