Maybe Poor Johnny Really Cannot Encrypt: The Case for a Complexity Theory for Usable Security

Psychology and neuroscience literature shows the existence of upper bounds on the human capacity for executing cognitive tasks and for processing information. These bounds are where, demonstrably, people start experiencing cognitive strain and consequently committing errors in task execution. We argue that the usable security discipline should scientifically understand such bounds in order to have realistic expectations about what people can or cannot attain when coping with security tasks. This may shed light on whether Johnny will ever be able to encrypt. We propose a conceptual framework for evaluating human capacities in security that also assigns systems to complexity categories according to their security and usability. From what we have initiated in this paper, we ultimately aim at providing designers of security mechanisms and policies with the ability to say: "This feature of the security mechanism X or this security policy element Y is inappropriate, because this evidence shows that it is beyond the capacity of its target community".
