Secure or usable computers? Revealing employees' perceptions and trade-offs by means of a discrete choice experiment

Abstract: It is often suggested in the literature that employees regard technical security measures (TSMs) as user-unfriendly, indicating a trade-off between security and usability. However, there is little empirical evidence of such a trade-off, nor about the strength of the associated negative correlation and the importance employees attach to both properties. This paper intends to fill these knowledge gaps by studying employees' trade-offs concerning the usability and security of TSMs within a discrete choice experiment (DCE) framework. In our DCE, employees are asked to indicate the most preferred security packages that describe combinations of TSMs. In addition, security and usability perceptions of the security packages are explicitly measured and modelled. The models estimated from these observed responses indicate how each TSM affects perceived security, perceived usability and preference. The paper further illustrates how the modelling results can be applied to design highly secure packages that are still preferred by employees. The paper also makes a methodological contribution to the literature by introducing discrete choice experiments to the field of information security.
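To make the DCE workflow in the abstract concrete, the following is an added toy example, written for this page and not the paper's own data, survey instrument or estimation code. It assumes three hypothetical TSM names and constructed "true" preference weights purely to simulate employee choices; it then fits a conditional logit model to those choices by maximum likelihood, and finally uses the fitted weights to pick the package that enables the most measures (a stand-in for "highly secure", which is an assumption here) while still being chosen over a no-measures baseline by at least half of employees.

```python
"""Toy discrete choice experiment for security packages (added illustration,
not the paper's model). Employees pick one package of technical security
measures (TSMs) per task; a conditional logit recovers per-TSM preference."""
import math
import random
from itertools import product

# Hypothetical TSM names: the abstract does not list the paper's actual measures.
TSMS = ("screen_lock", "two_factor", "usb_block")

# Constructed "true" weights used only to simulate responses:
# positive = employees like the measure, negative = they find it burdensome.
TRUE_BETA = {"screen_lock": 0.8, "two_factor": -0.4, "usb_block": -1.5}


def utility(beta, package):
    """Deterministic part of utility: sum of the weights of enabled TSMs."""
    return sum(beta[t] for t in TSMS if package[t])


def choice_probabilities(beta, packages):
    """Logit (softmax) choice probabilities over one task's alternatives."""
    vs = [utility(beta, p) for p in packages]
    m = max(vs)  # shift by the max for numerical stability
    ws = [math.exp(v - m) for v in vs]
    z = sum(ws)
    return [w / z for w in ws]


def log_likelihood(beta, tasks):
    """Sum of log-probabilities of the observed choices."""
    return sum(math.log(choice_probabilities(beta, pk)[c]) for pk, c in tasks)


def fit_logit(tasks, steps=500, lr=0.5):
    """Maximum-likelihood fit by gradient ascent on the mean log-likelihood.
    The score for TSM j is x_chosen_j minus the probability-weighted average
    of x_j over the alternatives shown in that task."""
    beta = {t: 0.0 for t in TSMS}
    for _ in range(steps):
        grad = {t: 0.0 for t in TSMS}
        for packages, chosen in tasks:
            probs = choice_probabilities(beta, packages)
            for t in TSMS:
                expected = sum(p * pk[t] for p, pk in zip(probs, packages))
                grad[t] += packages[chosen][t] - expected
        for t in TSMS:
            beta[t] += lr * grad[t] / len(tasks)
    return beta


def simulate_tasks(n_tasks=400, alternatives=3, seed=7):
    """Constructed survey data: random packages, choices drawn from TRUE_BETA."""
    rng = random.Random(seed)
    tasks = []
    for _ in range(n_tasks):
        packages = [{t: int(rng.random() < 0.5) for t in TSMS}
                    for _ in range(alternatives)]
        probs = choice_probabilities(TRUE_BETA, packages)
        u, acc, chosen = rng.random(), 0.0, alternatives - 1
        for i, p in enumerate(probs):
            acc += p
            if u < acc:
                chosen = i
                break
        tasks.append((packages, chosen))
    return tasks


def design_secure_package(beta, baseline=None, min_preference=0.5):
    """Among all 2^n packages, return the one enabling the most TSMs (our
    proxy for security, an assumption) that is still chosen over the baseline
    with probability >= min_preference in a head-to-head choice."""
    if baseline is None:
        baseline = {t: 0 for t in TSMS}
    best = None
    for bits in product((0, 1), repeat=len(TSMS)):
        pkg = dict(zip(TSMS, bits))
        pref = choice_probabilities(beta, [pkg, baseline])[0]
        if pref < min_preference:
            continue
        key = (sum(bits), pref)
        if best is None or key > best[0]:
            best = (key, pkg, pref)
    if best is None:
        return None, 0.0
    return best[1], best[2]


if __name__ == "__main__":
    est = fit_logit(simulate_tasks())
    print("estimated preference weights:", {t: round(v, 2) for t, v in est.items()})
    pkg, pref = design_secure_package(est)
    print("most secure package still preferred over baseline:", pkg, round(pref, 2))
```

The sign of each fitted weight is the empirical answer to the abstract's question: a negative weight on a TSM is direct evidence that employees trade it off against usability, and its magnitude says how strongly. The design step shows the other use the abstract describes: with the weights in hand, one can search the package space for a configuration that keeps more measures switched on without dropping below the preference level a baseline would get.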
