DOI: 10.1145/3340764.3340789
Research article, open access

Heuristics and Models for Evaluating the Usability of Security Measures

Published: 08 September 2019

Abstract

Security mechanisms are nowadays part of almost every piece of software. At the same time, they are typically sociotechnical and require the involvement of end users to be effective. The usability of security measures is thus an essential factor. Despite this importance, the aspect often does not receive the necessary attention, for example because of scarce resources such as time, budget, or usability experts. In the worst case, users reject or circumvent even strong security measures, and technically secure systems become insecure. To tackle the problem of unusable security measures, we developed a heuristics-based usability evaluation and optimization approach for security measures. To make the heuristics applicable for non-usability experts as well, we enrich them with information from a joint model for usability and security. In particular, this approach allows developers and administrators to perform usability evaluations themselves and thus enables early tailoring to the user, complementary to expert or user reviews. In this paper, we present our approach, including an initial set of heuristics, a joint model for usability and security, and a set of mapping rules that combine the heuristics with the model. We also present an evaluation of the applicability of our approach.

Cited By

  • (2023) Comparison of methods for analyzing the correlation of user experience and information security. Proceedings of the 2023 5th International Conference on Software Engineering and Development, pp. 8-16. DOI: 10.1145/3637792.3637794. Online publication date: 20 Oct 2023.
  • (2023) Usable Implementation of Data Sovereignty in Digital Ecosystems. HCI for Cybersecurity, Privacy and Trust, pp. 135-150. DOI: 10.1007/978-3-031-35822-7_10. Online publication date: 23 Jul 2023.
  • (2022) Design and Evaluation of Technologies for Informed Food Choices. ACM Transactions on Computer-Human Interaction 30(4), pp. 1-46. DOI: 10.1145/3565482. Online publication date: 4 Oct 2022.
  • (2020) Exploring the Meaning of "Usable Security". Human Aspects of Information Security and Assurance, pp. 247-258. DOI: 10.1007/978-3-030-57404-8_19. Online publication date: 21 Aug 2020.

Published In

MuC '19: Proceedings of Mensch und Computer 2019
September 2019, 863 pages
ISBN: 9781450371988
DOI: 10.1145/3340764
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Heuristic Evaluation
  2. Human-centered Design
  3. Quality Model
  4. Usability Evaluation
  5. Usable Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

MuC'19: Mensch und Computer 2019
September 8-11, 2019
Hamburg, Germany

Article Metrics

  • Downloads (Last 12 months)344
  • Downloads (Last 6 weeks)143
Reflects downloads up to 03 Oct 2024
