Tutorial T8 – An Introduction to Usable Security

Dr. Jeff Yan, Newcastle University, UK
Mary Ellen Zurko, IBM, USA

Tuesday, December 7th, Full Day

For a long time, computer security was mainly concerned with the design of various technical mechanisms for defending against adversaries, as well as with the underlying mathematical foundations such as cryptographic primitives. However, the usability of such technical mechanisms was largely ignored, which unfortunately has proved a major cause of many computer security failures. In particular, many technical solutions, though theoretically sound, were practically insecure because of their poor usability.

In recent years, "usable security" (or "security usability") has attracted fast-growing attention in both academia and industry. More and more people agree that we need usable security systems: unusable secure systems are not used properly or at all, and thus only usable systems can provide effective security. However, there is less agreement about how to design systems that are both usable and secure.

Outline

This full-day tutorial will give an overview of the field of usable security, with a focus on the principles, approaches and research methods of usable security. A large number of real-life examples will be used to illustrate that it is feasible to develop security solutions that are simultaneously secure and usable. With the aim of enabling participants to both evaluate and produce high-quality work in usable security, the tutorial is tentatively structured as follows:

  1. Part 1: Fundamentals. How security has failed due to the failure of usability of security technologies. Psychological aspects of computer security, highlighting that what security engineers expect to work and what the user makes work can differ greatly. The contrast between theoretical and effective practical security will be highlighted. Examples of how security has failed due to usability will enable the attendee to recognize common mistakes. Early research in the field will be touched on, providing a background on motivations and a historical context for the field.
  2. Part 2: Approaches and methods. Common approaches to usable security and relevant design principles for security usability will be discussed. Methods for improving security usability and methods for empirically establishing such improvement will be discussed in detail. Usability techniques successfully applied to security, including usable design (with an emphasis on error handling and task flow), lab user studies (a field advanced enough that simple and useful guidance is available in book form), field user studies, and techniques for evaluating organizational cultures. The difficulties peculiar to the usability of security will also be discussed.
  3. Part 3: Case studies. Real-life examples illustrating how security and usability can be simultaneously improved, and how the principles and methods introduced in the previous part were applied. Reflections and critiques on the application of the methods. Topics that have received much attention will be highlighted, including authentication (particularly password use and graphical authentication), access control and authorization, phishing defenses, the utility of education of the user, and CAPTCHAs. The impact of organizational culture will receive particular attention, as we expect compliance, education, and organizational rules and guidelines to be of particular interest to ACSAC attendees. Recent usable security and privacy research in social networks will also be included.
  4. Conclusions.

Prerequisites

Basic understanding of computer security. The intended audience are security researchers who want to step into the field of usable security, and security practitioners who wish to understand the impact of usable security on their work and integrate some of its lessons, techniques, and developments. PhD students and new researchers in usable security who want to have a quick start in this field will also benefit. Those who want to teach this topic can also find the tutorial relevant - a set of summary notes and a large number of pointers to further readings will be provided, so that it should be easy for them to extend the tutorial into a full course.

About the Instructors

Dr. Jeff Yan is on the faculty of computer science at Newcastle University, England. He has a PhD in computer security from Cambridge University. The password security and memorability study he carried out with colleagues in 1999 - 2000 was an early influential work in the field of usable security. He is a contributor to the O'Reilly book "Security and Usability: Designing Secure Systems that People Can Use" (2005), the first book on usable security, and was on the program committee for the first Symposium on Usable Privacy and Security (SOUPS) held at Carnegie Mellon in 2005. Recent work on usable security in his team includes 1) a novel graphical password scheme (CCS'07), which was selected by the Royal Society - the UK's national academy - for their 2008 Summer Science Exhibition, and 2) the robustness and usability of CAPTCHAs (CCS'08, SOUPS'08), which has influenced the design of a number of CAPTCHAs including those that have been deployed by Microsoft and Yahoo!

Mary Ellen Zurko is security architect of the collaboration cloud offerings at IBM. She has over two decades of work in user-centered security, in product development, early product prototyping, and research. Her experience spans the entire lifecycle of software products, from initial product definition and delivery to mature product maintenance, with an emphasis on distributed middleware and collaboration. She is chair of the steering committee of the International WWW Conference series, on the steering committee of the New Security Paradigms Workshop, and a senior fellow of ACSA.