Development of a Model for Security and Usability

This research addressed the development of a consolidated model designed specifically to cover the security and usability attributes of a software product. As a starting point, we built a new usability model on the basis of well-known quality standards and models. We then used an existing security model to analyse the relationship between these two approaches. This analysis consisted of a systematic mapping study of the relationship between security and usability as global quality factors. We identified five relationship types: inverse, direct, relative, one-way inverse, and no relationship. Most authors agree that there is an inverse relationship between security and usability. However, this finding is not unanimous, and the study raises a number of open questions, such as application domain dependency and the need to explore lower-level relationships between attribute subcharacteristics. To clarify the questions raised during the research, we conducted a second systematic mapping to further analyse the finer-grained structure of these factors, such as authentication as a subset of security and user efficiency as a subset of usability. The most relevant finding is that efficiency does not depend on the security level during the authentication process. Other subfactors still require analysis. Accordingly, this research is the first part of a larger project to develop a full-blown consolidated model for security and usability.
