Heuristics and Models for Evaluating the Usability of Security Measures

Security mechanisms are nowadays part of almost every software system. At the same time, they are typically sociotechnical and require the involvement of end users to be effective. The usability of security measures is thus an essential factor. Despite this importance, the aspect often does not receive the attention it needs, for example because of scarce resources such as time, budget, or usability expertise. In the worst case, users reject or circumvent even strong security measures, and technically secure systems become insecure in practice. To tackle the problem of unusable security measures, we developed a heuristics-based approach for evaluating and optimizing the usability of security measures. To make the heuristics applicable for non-usability experts as well, we enrich them with information from a joint model of usability and security. In particular, this approach allows developers and administrators to perform usability evaluations themselves and thus enables early tailoring to the user, complementary to expert or user reviews. In this paper, we present our approach, consisting of an initial set of heuristics, a joint model of usability and security, and a set of mapping rules that connect heuristics and model, together with an evaluation of the approach's applicability.