Usable security – basics

Usable security examines how the security of an information system or application can be made

  • effective: users are able to achieve their goals related to the system,
  • efficient: the resources used to achieve outputs with the system are in an appropriate proportion to the goals; and
  • satisfying: using the system is pleasant.

For example, Whitten and Tygar (1999) define a security program as usable if its users:

  • are clearly aware of the security-related tasks they need to perform;
  • are able to determine how these tasks are performed correctly;
  • do not make dangerous errors;
  • are sufficiently satisfied with the program’s user interface to continue using it.

There is often a trade-off between usability and security. When security is improved, usability may decrease. For example, warnings are intended to draw the user’s attention to a potential threat. However, a warning interrupts the user, and they may still dismiss it without reading it. On the other hand, usability solutions can sometimes also weaken security. For example, shorter encryption keys may be created because generating them is faster and spares the user from waiting for a longer and more secure key to be generated. Building usability and security often requires balancing the two and considering risks. Even the best security solution is wasted if it is so burdensome for users that it remains unused. In such cases, a lighter and more usable solution may be more secure, even if it is weaker when measured purely in terms of security.

One of the core questions of usable security is how to design security so that it is useful and acceptable for different people, such as end users, system administrators, and developers. This also relates to a broader organisational and societal perspective on security. It emphasises trust and cooperation in creating effective cybersecurity. Trust and acceptance can only be achieved when security solutions meet users’ needs.


Fitting the task to the user

When making security-related tasks usable, the following must be taken into account:

  • users’ capabilities and limitations. Things that are obvious to developers are rarely so for users. Some user groups may require more guidance and support than others.
  • the actual tasks and goals that users have. Security tasks should interfere with these as little as possible.
  • the physical and social context. One may consider whether the task is performed in bright or dim light, outdoors or indoors, alone in a quiet space or in the middle of a crowd, etc. The location may also change during the task.
  • the characteristics and limitations of the device used for the work. For example, it makes a difference whether the task is performed on a mobile device or on a desktop computer.

Human capabilities and limitations (advanced)

One security solution that can easily exceed human attention capacity is the flood of warnings and reminders produced by modern programs and applications. The user’s attention is focused on their primary task, and warnings often go unnoticed or are simply dismissed without much thought. If a warning appears only in the background, it may not be noticed, but warnings that require action easily lead to alarm fatigue. This causes the user to click OK or Cancel even without reading the alert.

Human memory is limited, and for example passwords with change requirements can easily exceed it. People have different ways of coping with the “password jungle”, such as traditional sticky notes, management software, or various methods for constructing passwords. Sometimes insecure methods are also used, such as reusing the same password across multiple services or using otherwise weak, overly simple passwords. When designing authentication for a service, it is important to consider how the password burden can be reduced while maintaining security. For example, different multifactor authentication solutions (2FA or MFA, see multi-factor authentication) reduce the need to remember passwords.

Security solutions should take into account human diversity. For example, children and elderly people require different usability than young adults. In addition, people may have physical limitations, such as in hearing, vision, or motor skills. Users’ cultural backgrounds and habits may also affect what is perceived as usable. Usable security aims to understand its users and take these factors into account as well as possible.

Goals and tasks (advanced)

People are task-oriented, and when working we often divide activities into subtasks and intermediate goals. When designing security, it should be integrated into these tasks and goals without significantly disrupting them. To prevent security from being bypassed due to inconvenience, it should be designed to fit the task and to impose as little burden as possible. The burden can be physical (e.g. typing a password) and mental (e.g. remembering a password). Several approaches can be used when fitting security to tasks:

  • Automating security, for example single sign-on: authentication is required only once, after which the information is passed on to other systems.
  • If security requires actions, their intrusiveness and burden on the employee should be minimised.
  • Ensuring that security mechanisms are activated only when truly necessary, i.e. authentication is not required at every step.
  • Systems should be designed to be secure by default, so that configuring and adjusting security settings does not become the user’s responsibility.
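The last two approaches can be expressed as a small policy, shown here as an added example that is not part of the original course material: authentication is requested only when a session is stale or an action is high risk, and any action not explicitly listed as low risk is treated as high risk by default. The time limits, action names and sample timeline are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy values and action names, chosen for illustration.
SESSION_MAX_AGE = 8 * 3600   # one full login covers a working day (seconds)
STEP_UP_MAX_AGE = 5 * 60     # high-risk actions need a strong check this recent
LOW_RISK_ACTIONS = {"read_ticket", "reply_ticket", "search"}

@dataclass
class Session:
    login_at: float               # time of the last full login
    strong_auth_at: float = -1e9  # time of the last second-factor check

def required_auth(session, action, now):
    """Return "login", "step_up" or "none" for one action."""
    if session is None or now - session.login_at > SESSION_MAX_AGE:
        return "login"
    # Secure by default: any action not listed as low risk counts as high risk.
    if action not in LOW_RISK_ACTIONS and now - session.strong_auth_at > STEP_UP_MAX_AGE:
        return "step_up"
    return "none"

def count_prompts(timeline):
    """Replay (time, action) pairs and count how often the user is interrupted."""
    session, prompts = None, 0
    for now, action in timeline:
        need = required_auth(session, action, now)
        if need == "login":
            session = Session(login_at=now)
            prompts += 1
            need = required_auth(session, action, now)
        if need == "step_up":
            session.strong_auth_at = now
            prompts += 1
    return prompts

# Constructed sample: a support agent's morning, times in seconds.
TIMELINE = [
    (0, "read_ticket"), (120, "reply_ticket"), (300, "search"),
    (900, "export_customer_data"), (1000, "approve_refund"),
    (1500, "read_ticket"), (4000, "approve_refund"),
]

if __name__ == "__main__":
    print("prompts with step-up policy:", count_prompts(TIMELINE))
    print("prompts if every step re-authenticates:", len(TIMELINE))
```

On the sample timeline the user is interrupted three times instead of seven, and the two high-risk actions performed within five minutes of each other share one strong check.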

When designing usable security, the work tasks must be understood. After that, it is useful to consider the following questions:

  • What is the physical and mental workload of the actual task, and how does the added security task affect these workloads?
  • Are there constraints on the task, for example must it be completed within a certain time?
  • Are there constraints on resources, such as mental or physical capabilities or limited access to external resources required for the task?
  • What are the consequences and impacts if security fails?

Context of interaction (advanced)

The physical and social environment affects the performance of work tasks and, at the same time, security. Physical environmental factors include, for example, lighting, noise, temperature, and air quality. All of these can interfere, for example, with a touch screen used for authentication that provides audio feedback.

The social environment influences behaviour through values and norms. Values indicate what is important and worth spending time on, and norms reflect rules and assumptions about how one should behave. The social environment can easily affect security. Example: A company has a policy that staff should treat all requests for information as potential social engineering attacks. At the same time, the company values customer satisfaction and encourages staff to always be friendly towards customers. In this case, the security policy conflicts with the company’s values, and it is likely that it will not be followed.

Device characteristics and limitations (advanced)

Device characteristics can make implementing security difficult. For example, entering passwords on a mobile device keyboard may be slow and cumbersome, and the likelihood of errors increases. Similarly, multifactor authentication may slow things down and feel burdensome to the user, even though it helps eliminate the need for passwords. When designing security solutions, it is always important to consider how they function on all devices on which the system may be used.
