Security and Usability
August 2005
Editors: Lorrie Faith Cranor and Simson Garfinkel
Publisher:
  • O'Reilly Media, Inc.
ISBN: 978-0-596-00827-7
Published: 01 August 2005
Abstract

Human factors and usability issues have traditionally played a limited role in security research and secure systems development. Security experts have largely ignored usability issues, both because they often failed to recognize the importance of human factors and because they lacked the expertise to address them. But there is a growing recognition that today's security problems can be solved only by addressing issues of usability and human factors. Increasingly, well-publicized security breaches are attributed to human errors that might have been prevented through more usable software. Indeed, the world's future cyber-security depends upon the deployment of security technology that can be broadly used by untrained computer users. Still, many people believe there is an inherent tradeoff between computer security and usability. It's true that a computer without passwords is usable, but not very secure. A computer that makes you authenticate every five minutes with a password and a fresh drop of blood might be very secure, but nobody would use it. Clearly, people need computers, and if they can't use one that's secure, they'll use one that isn't. Unfortunately, unsecured systems aren't usable for long, either. They get hacked, compromised, and otherwise rendered useless. There is increasing agreement that we need to design secure systems that people can actually use, but less agreement about how to reach this goal. Security & Usability is the first book-length work describing the current state of the art in this emerging field. Edited by security experts Dr. Lorrie Faith Cranor and Dr. Simson Garfinkel, and authored by cutting-edge security and human-computer interaction (HCI) researchers worldwide, this volume is expected to become both a classic reference and an inspiration for future research.
Security & Usability groups 34 essays into six parts:
  • Realigning Usability and Security: with careful attention to user-centered design principles, security and usability can be synergistic.
  • Authentication Mechanisms: techniques for identifying and authenticating computer users.
  • Secure Systems: how system software can deliver or destroy a secure user experience.
  • Privacy and Anonymity Systems: methods for allowing people to control the release of personal information.
  • Commercializing Usability: The Vendor Perspective: specific experiences of security and software vendors (e.g., IBM, Microsoft, Lotus, Firefox, and Zone Labs) in addressing usability.
  • The Classics: groundbreaking papers that sparked the field of security and usability.
This book is expected to start an avalanche of discussion, new ideas, and further advances in this important field.

Cited By

  1. Murray H and Malone D (2023). Costs and Benefits of Authentication Advice. ACM Transactions on Privacy and Security, 26:3, 1-35. Online publication date: 30-Aug-2023.
  2. Gandhi S, Patil Y, Netak L and Gaikwad H. Usability Analysis for Blockchain-Based Applications. Intelligent Human Computer Interaction, 349-360.
  3. Franz A, Zimmermann V, Albrecht G, Hartwig K, Reuter C, Benlian A and Vogt J. SoK. Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, 339-357.
  4. Saint-Louis H. Machine-Human Interaction: A Paradigm Shift? Human-Computer Interaction. Theory, Methods and Tools, 123-136.
  5. Feth D. Modelling and Presentation of Privacy-Relevant Information for Internet Users. HCI for Cybersecurity, Privacy and Trust, 354-366.
  6. van der Linden D, Anthonysamy P, Nuseibeh B, Tun T, Petre M, Levine M, Towse J and Rashid A. Schrödinger's security. Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, 149-160.
  7. Das S, Abbott J, Gopavaram S, Blythe J and Camp L. User-Centered Risk Communication for Safer Browsing. Financial Cryptography and Data Security, 18-35.
  8. Gupta B and Gulihar P (2020). Taxonomy of Payment Structures and Economic Incentive Schemes in Internet. Journal of Information Technology Research, 13:1, 150-166. Online publication date: 1-Jan-2020.
  9. Feth D and Polst S. Heuristics and Models for Evaluating the Usability of Security Measures. Proceedings of Mensch und Computer 2019, 275-285.
  10. Naqvi B, Porras J, Oyedeji S and Ullah M. Towards Identification of Patterns Aligning Security and Usability. Beyond Interactions, 121-132.
  11. Qin L, Lapets A, Jansen F, Flockhart P, Albab K, Globus-Harris I, Roberts S and Varia M. From usability to secure computing and back again. Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, 191-210.
  12. Distler V, Zollinger M, Lallemand C, Roenne P, Ryan P and Koenig V. Security - Visible, Yet Unseen? Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 1-13.
  13. Jakobi T, Patil S, Randall D, Stevens G and Wulf V (2019). It Is About What They Could Do with the Data. ACM Transactions on Computer-Human Interaction, 26:1, 1-44. Online publication date: 23-Feb-2019.
  14. Naqvi B, Seffah A and Braz C. Adding Measures to Task Models for Usability Inspection of the Cloud Access Control Services. Human-Centered Software Engineering, 133-145.
  15. Padmos A. Against Mindset. Proceedings of the New Security Paradigms Workshop, 12-27.
  16. Haney J and Lutters W. "It's scary...it's confusing...it's dull". Proceedings of the Fourteenth USENIX Conference on Usable Privacy and Security, 411-425.
  17. Muaaz M and Mayrhofer R (2017). Smartphone-Based Gait Recognition: From Authentication to Imitation. IEEE Transactions on Mobile Computing, 16:11, 3209-3221. Online publication date: 1-Nov-2017.
  18. Feth D, Maier A and Polst S. A User-Centered Model for Usable Security and Privacy. Human Aspects of Information Security, Privacy and Trust, 74-89.
  19. Findling R, Muaaz M, Hintze D and Mayrhofer R (2017). ShakeUnlock. IEEE Transactions on Mobile Computing, 16:4, 1163-1175. Online publication date: 1-Apr-2017.
  20. Mare S, Baker M and Gummeson J. A study of authentication in daily life. Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security, 189-206.
  21. Such J and Rovatsos M (2016). Privacy Policy Negotiation in Social Media. ACM Transactions on Autonomous and Adaptive Systems, 11:1, 1-29. Online publication date: 20-Apr-2016.
  22. Boshmaf Y, Ripeanu M, Beznosov K and Santos-Neto E. Thwarting Fake OSN Accounts by Predicting their Victims. Proceedings of the 8th ACM Workshop on Artificial Intelligence and Security, 81-89.
  23. Benenson Z, Lenzini G, Oliveira D, Parkin S and Uebelacker S. Maybe Poor Johnny Really Cannot Encrypt. Proceedings of the 2015 New Security Paradigms Workshop, 85-99.
  24. Feth D. User-centric security: optimization of the security-usability trade-off. Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, 1034-1037.
  25. Singh M. Cybersecurity as an Application Domain for Multiagent Systems. Proceedings of the 2015 International Conference on Autonomous Agents and Multiagent Systems, 1207-1212.
  26. Shebaro B, Oluwatimi O and Bertino E (2015). Context-Based Access Control Systems for Mobile Devices. IEEE Transactions on Dependable and Secure Computing, 12:2, 150-163. Online publication date: 1-Mar-2015.
  27. Denning T, Kramer D, Friedman B, Reynolds M, Gill B and Kohno T. CPS: beyond usability. Proceedings of the 30th Annual Computer Security Applications Conference, 426-435.
  28. Bello-Ogunu E and Shehab M. PERMITME. Proceedings of the 2014 Workshop on Eclipse Technology eXchange, 15-20.
  29. Dunphy P, Vines J, Coles-Kemp L, Clarke R, Vlachokyriakos V, Wright P, McCarthy J and Olivier P. Understanding the Experience-Centeredness of Privacy and Security Technologies. Proceedings of the 2014 New Security Paradigms Workshop, 83-94.
  30. Benenson Z, Girard A, Krontiris I, Liagkou V, Rannenberg K and Stamatiou Y. User Acceptance of Privacy-ABCs. Proceedings of the Second International Conference on Human Aspects of Information Security, Privacy, and Trust - Volume 8533, 375-386.
  31. Hayashi E, Maas M and Hong J. Wave to me. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 3453-3462.
  32. Shebaro B, Oluwatimi O, Midi D and Bertino E (2014). IdentiDroid. Transactions on Data Privacy, 7:1, 27-50. Online publication date: 1-Apr-2014.
  33. Røssvoll T and Fritsch L. Trustworthy and Inclusive Identity Management for Applications in Social Media. Proceedings, Part III, of the 15th International Conference on Human-Computer Interaction. Users and Contexts of Use - Volume 8006, 68-77.
  34. Heupel M, Bourimi M and Kesdoğan D. Trust and Privacy in the di.me Userware. Proceedings, Part III, of the 15th International Conference on Human-Computer Interaction. Users and Contexts of Use - Volume 8006, 39-48.
  35. Karatas F, Bourimi M and Kesdogan D. Towards visual configuration support for interdependent security goals. Proceedings of the 5th international conference on Online Communities and Social Computing, 375-384.
  36. Bourimi M and Kesdogan D. Experiences by using AFFINE for building collaborative applications for online communities. Proceedings of the 5th international conference on Online Communities and Social Computing, 345-354.
  37. Karlesky M, Melcer E and Isbister K. Open sesame. CHI '13 Extended Abstracts on Human Factors in Computing Systems, 1167-1172.
  38. Schreuders Z, McGill T and Payne C (2013). The state of the art of application restrictions and sandboxes. Computers and Security, 32:C, 219-241. Online publication date: 1-Feb-2013.
  39. Khot R, Kumaraguru P and Srinathan K. WYSWYE. Proceedings of the 24th Australian Computer-Human Interaction Conference, 285-294.
  40. Garg V, Camp L, Connelly K and Lorenzen-Huber L. Risk communication design. Proceedings of the 12th international conference on Privacy Enhancing Technologies, 279-298.
  41. Sorber J, Shin M, Peterson R and Kotz D. Plug-n-trust. Proceedings of the 10th international conference on Mobile systems, applications, and services, 309-322.
  42. Belani H. Towards a usability requirements taxonomy for mobile AAC services. Proceedings of the First International Workshop on Usability and Accessibility Focused Requirements Engineering, 36-39.
  43. Tesoriero R, Bourimi M, Karatas F, Barth T, Villanueva P and Schwarte P. Model-driven privacy and security in multi-modal social media UIs. Proceedings of the 2011 International Conference on Modeling and Mining Ubiquitous Social Media - 2011 International Workshop on Modeling Social Media and 2011 International Workshop on Mining Ubiquitous and Social Environments, 158-181.
  44. Moeckel C. Human-computer interaction for security research. Proceedings of the 13th IFIP TC 13 international conference on Human-computer interaction - Volume Part IV, 406-409.
  45. Schreuders Z, McGill T and Payne C (2011). Empowering End Users to Confine Their Own Applications. ACM Transactions on Information and System Security, 14:2, 1-28. Online publication date: 1-Sep-2011.
  46. Heupel M and Kesdogan D. Towards usable interfaces for proof based access rights on mobile devices. Proceedings of the 2011 IFIP WG 11.4 international conference on Open Problems in Network Security, 15-27.
  47. Khot R, Srinathan K and Kumaraguru P. MARASIM. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2605-2614.
  48. Khot R, Srinathan K and Khot R. NAPTune. Proceedings of the 3rd Indian Conference on Human-Computer Interaction, 47-56.
  49. Blythe J, Camp J and Garg V. Targeted risk communication for computer security. Proceedings of the 16th international conference on Intelligent user interfaces, 295-298.
  50. Jedrzejczyk L, Price B, Bandara A and Nuseibeh B. "Privacy-shake". Proceedings of the 12th international conference on Human computer interaction with mobile devices and services, 411-412.
  51. Jedrzejczyk L, Price B, Bandara A and Nuseibeh B. On the impact of real-time feedback on users' behaviour in mobile location-sharing applications. Proceedings of the Sixth Symposium on Usable Privacy and Security, 1-12.
  52. Kumaraguru P, Sheng S, Acquisti A, Cranor L and Hong J (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology, 10:2, 1-31. Online publication date: 1-May-2010.
  53. Denning T, Borning A, Friedman B, Gill B, Kohno T and Maisel W. Patients, pacemakers, and implantable defibrillators. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 917-926.
  54. Stobert E. Usability and strength in click-based graphical passwords. CHI '10 Extended Abstracts on Human Factors in Computing Systems, 4303-4308.
  55. Karp A and Stiegler M. Making policy decisions disappear into the user's workflow. CHI '10 Extended Abstracts on Human Factors in Computing Systems, 3247-3252.
  56. Singh S and Morley C. Young Australians' privacy, security and trust in internet banking. Proceedings of the 21st Annual Conference of the Australian Computer-Human Interaction Special Interest Group: Design: Open 24/7, 121-128.
  57. Chiasson S, Forget A, Stobert E, van Oorschot P and Biddle R. Multiple password interference in text passwords and click-based graphical passwords. Proceedings of the 16th ACM conference on Computer and communications security, 500-511.
  58. Stevens G and Wulf V (2009). Computer-supported access control. ACM Transactions on Computer-Human Interaction, 16:3, 1-26. Online publication date: 1-Sep-2009.
  59. Shirley J and Evans D. The user is not the enemy. Proceedings of the 2008 New Security Paradigms Workshop, 33-45.
  60. Belani H, Car Z and Caric A. RUP-based process model for security requirements engineering in value-added service development. Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems, 54-60.
  61. Chiasson S, Forget A, Biddle R and van Oorschot P. Influencing users towards better passwords. Proceedings of the 22nd British HCI Group Annual Conference on People and Computers: Culture, Creativity, Interaction - Volume 1, 121-130.
  62. Nali D, van Oorschot P and Adler A. VideoTicket. Proceedings of the 2007 Workshop on New Security Paradigms, 89-101.
  63. Sasamoto H, Christin N and Hayashi E. Undercover. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 183-192.
  64. Kostakos V. Human-in-the-loop. CHI '08 Extended Abstracts on Human Factors in Computing Systems, 3075-3080.
  65. Chiasson S, Van Oorschot P and Biddle R. Graphical password authentication using cued click points. Proceedings of the 12th European conference on Research in Computer Security, 359-374.
  66. Anderson R and Moore T. Information security economics - and beyond. Proceedings of the 27th annual international cryptology conference on Advances in cryptology, 68-91.
  67. Proctor R, Vu K and Ali M. Usability of user agents for privacy-preference specification. Proceedings of the 2007 conference on Human interface: Part II, 766-776.
  68. Brustoloni J and Villamarín-Salomón R. Improving security decisions with polymorphic and audited dialogs. Proceedings of the 3rd symposium on Usable privacy and security, 76-85.
  69. Singh S, Cabraal A, Demosthenous C, Astbrink G and Furlong M. Password sharing. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 895-904.
  70. Herzog A and Shahmehri N. User help techniques for usable security. Proceedings of the 2007 symposium on Computer human interaction for the management of information technology, 11-es.
  71. Singh S, Cabraal A and Hermansson G. What is your husband's name? Proceedings of the 18th Australia conference on Computer-Human Interaction: Design: Activities, Artefacts and Environments, 237-244.
  72. Camenisch J, shelat a, Sommer D and Zimmermann R. Securing user inputs for the web. Proceedings of the second ACM workshop on Digital identity management, 33-44.
  73. Mehler A and Skiena S. Improving usability through password-corrective hashing. Proceedings of the 13th international conference on String Processing and Information Retrieval, 193-204.
  74. Friedman B, Smith I, Kahn P H, Consolvo S and Selawski J. Development of a privacy addendum for open source licenses. Proceedings of the 8th international conference on Ubiquitous Computing, 194-211.
  75. Kostakos V, O'Neill E and Penn A (2006). Designing Urban Pervasive Systems. Computer, 39:9, 52-59. Online publication date: 1-Sep-2006.
  76. Singh S (2006). The social dimensions of the security of internet banking. Journal of Theoretical and Applied Electronic Commerce Research, 1:2, 72-78. Online publication date: 1-Aug-2006.
  77. Tari F, Ozok A and Holden S. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. Proceedings of the second symposium on Usable privacy and security, 56-66.
  78. Whalen T, Smetters D and Churchill E. User experiences with sharing and access control. CHI '06 Extended Abstracts on Human Factors in Computing Systems, 1517-1522.
  79. Sampson F (2006). A penny for your thoughts, a latte for your password. Interactions, 13:1, 8-9. Online publication date: 1-Jan-2006.
  80. Seyed T, Yang X, Tang A, Greenberg S, Gu J, Zhu B and Cao X. CipherCard: A Token-Based Approach Against Camera-Based Shoulder Surfing Attacks on Common Touchscreen Devices. Human-Computer Interaction – INTERACT 2015, 436-454.
Contributors
  • Carnegie Mellon University
  • Association for Computing Machinery

Reviews

Srijith Krishnan Nair

From previous experience, every time I decide to review a book that is a collection of papers, I am prepared to be disappointed. However, this collection pleasantly surprised me, not just with the quality and the coverage of the papers, but with the way each paper, by different authors, managed to fit in like a chapter of a story, telling the tale about the usability of security software. The editors set the tone early on in the preface, stating that the "goal is to make this book useful first for researchers in the field of security and usability, then for students, and finally for professionals." This should not suggest that this collection of 34 papers will not be useful to students or professionals; that is not the case.

The book is presented as six parts: "Realigning Usability and Security," "Authentication Mechanisms," "Secure Systems," "Privacy and Anonymity Systems," "Commercializing Usability: The Vendor Perspective," and "The Classics." It is often stated that security and usability are related to one another in an inverse manner. The first part of the book, consisting of five chapters, argues that "with careful attention to user-centered design principles," the table can be turned on such a relationship and one can make secure and usable systems. As is evident from the title, the next part of the book, "Authentication Mechanisms," looks at the design of authentication systems that are usable, including passwords, biometrics, typing patterns, and security devices. The next six chapters discuss various facets of a secure user experience. They look at common issues of phishing attacks, secure deletion of files, public key infrastructure, and security administration tools and practices. Privacy and anonymity are the central theme of the next eight chapters, which include a paper on Tor and the Platform for Privacy Preferences (P3P). There is an interesting paper on the use of informed consent (or the lack of it) in designing Internet-based services.

Industry practitioners will find the fifth part of the book interesting, as it presents industry case studies of projects involving security usability design in products like Microsoft Windows XP Service Pack 2, ZoneAlarm, IBM Lotus Notes/Domino, and Groove Virtual Office. The book ends with a collection of three classic usability papers, including "Why Johnny Can't Encrypt," which discusses basic problems related to usability in security products.

Cranor and Garfinkel have done a great job in putting together this collection that covers a range of issues related to usability in security design. Usability considerations are being recognized as one of the most important design issues to be kept in mind when designing systems that involve security, be it simple authentication or a stand-alone security product like a virus scanner or a firewall. This timely book will hopefully help kick-start more research into issues surrounding usability. I recommend this book to anyone interested in the usability of security systems.
