Usability and Trust in Information Systems

The need for people to protect themselves and their assets is as old as humankind. People's physical safety and their possessions have always been at risk from deliberate attack or accidental damage. The advance of information technology means that many individuals, as well as corporations, have an additional range of physical (equipment) and electronic (data) assets that are at risk. Furthermore, the increased number and types of interactions in cyberspace have enabled new forms of attack on people and their possessions. Consider grooming of minors in chat-rooms, or Nigerian email cons: minors were targeted by paedophiles before the creation of chat-rooms, and Nigerian criminals sent the same letters by physical mail or fax before there was email. But the technology has decreased the cost of many types of attack, or the degree of risk for the attackers. At the same time, cyberspace is still new to many people, which means they do not understand the risks, or recognise the signs of an attack, as readily as they might in the physical world. The IT industry has developed a plethora of security mechanisms that could be used to mitigate risks or make attacks significantly more difficult. Currently, many people are either not aware of these mechanisms, or are unable or unwilling to use them. Security experts have taken to portraying people as "the weakest link" in their efforts to deploy effective security [e.g. Schneier, 2000]. However, recent research has revealed that at least some of the problem may be that security mechanisms are hard to use, or are ineffective. This review summarises current research on the usability of security mechanisms, and discusses options for increasing their usability and effectiveness.

[1] R. Axelrod. More Effective Choice in the Prisoner's Dilemma, 1980.

[2] M. Angela Sasse, et al. Are Passfaces More Usable Than Passwords? A Field Trial Investigation, 2000, BCS HCI.

[3] J. Doug Tygar, et al. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, 1999, USENIX Security Symposium.

[4] B. J. Fogg, et al. Persuasive technology: using computers to change what we think and do, 2002, UBIQ.

[5] Paul Jones, et al. Secrets and Lies: Digital Security in a Networked World, 2002.

[6] Adrian Perrig, et al. Déjà Vu: A User Study Using Images for Authentication, 2000.

[7] Daniel L. Schacter, et al. The Seven Sins of Memory: How the Mind Forgets and Remembers, 2001.

[8] Sacha Brostoff, et al. "Ten strikes and you're out": Increasing the number of login attempts can improve password usability, 2003.

[9] Alan F. Blackwell, et al. The memorability and security of passwords – some empirical results, 2000.

[10] Mary Ellen Zurko, et al. User-centered security, 1996, NSPW '96.

[11] Anne Adams, et al. Privacy in Multimedia Communications: Protecting Users, Not Just Data, 2001, BCS HCI/IHM.

[12] Daniel R. Miller, et al. Final report, 2000.

[13] Moshe Zviran, et al. Cognitive passwords: The key to easy access control, 1990, Comput. Secur.

[14] A. Stone, et al. The Seven Sins of Memory: How the Mind Forgets and Remembers, 2001.

[15] Sacha Brostoff, et al. Transforming the 'Weakest Link' — a Human/Computer Interaction Approach to Usable and Effective Security, 2001.

[16] Doug Mahar, et al. Electronic monitoring systems: an examination of physiological activity and task performance within a simulated keystroke security and electronic performance monitoring system, 1998, Int. J. Hum. Comput. Stud.

[17] Jeff Yan, et al. A note on proactive password checking, 2001, NSPW '01.

[18] A. Giddens. The consequences of modernity, 1990.

[19] Peter Checkland, et al. Soft Systems Methodology: a 30-year retrospective, 1999.

[20] Bruce Schneier, et al. Beyond fear - thinking sensibly about security in an uncertain world, 2003.

[21] J. Shaoul. Human Error, 1973, Nature.

[22] M. Angela Sasse, et al. Users are not the enemy, 1999, CACM.

[23] T. Schelling, et al. The Strategy of Conflict, 1961.

[24] Bruce Schneier, et al. Protecting secret keys with personal entropy, 2000, Future Gener. Comput. Syst.

[25] M. Angela Sasse, et al. Bringing security home: a process for developing secure and usable systems, 2003, NSPW '03.

[26] Susan Davies, et al. Re-Engineering the Right to Privacy, 1997.

[27] Batya Friedman, et al. Informed consent in the Mozilla browser: implementing value-sensitive design, 2002, Proceedings of the 35th Annual Hawaii International Conference on System Sciences.

[28] Antonella De Angeli, et al. Honest, it's me! Self-service verification, 2003.

[29] Norman L. Chervany, et al. What Trust Means in E-Commerce Customer Relationships: An Interdisciplinary Conceptual Typology, 2001, Int. J. Electron. Commer.

[30] Mike Just. Designing Secure Yet Usable Credential Recovery Systems With Challenge Questions, 2003.

[31] M. Angela Sasse, et al. Pretty good persuasion: a first step towards effective password security in the real world, 2001, NSPW '01.

[32] Susan Wiedenbeck, et al. On-line trust: concepts, evolving themes, a model, 2003, Int. J. Hum. Comput. Stud.

[33] Philip R. Zimmermann, et al. The official PGP user's guide, 1996.

[34] Jens Riegelsberger, et al. Trustbuilders and Trustbusters - The Role of Trust Cues in Interfaces to e-Commerce Applications, 2001, I3E.

[35] M. Helander, et al. Affective design of E-commerce user interfaces: how to maximise perceived trustworthiness, 2001.

[36] K. Stanoevska-Slabeva, et al. Towards the E-Society, 2001, IFIP International Federation for Information Processing.

[37] P. Agre, et al. Technology and privacy: The new landscape, 1998.

[38] Michael J. Burke. Applied Ergonomics Handbook, 1992.

[39] Michael C. Fairhurst, et al. Using Biometrics as an Enabling Technology in Balancing Universality and Selectivity for Management of Information Access, 2002, User Interfaces for All.

[40] Moshe Zviran, et al. A Comparison of Password Techniques for Multilevel Authentication Mechanisms, 1990, Comput. J.