Design principles and patterns for computer systems that are simultaneously secure and usable

It is widely believed that security and usability are two antagonistic goals in system design. This thesis argues that there are many instances in which security and usability can be improved together by revising the way that specific functionality is implemented in many of today's operating systems and applications. Specific design principles and patterns are presented that accomplish this goal. Patterns are presented that minimize the release of confidential information through remnant and remanent data left on hard drives, in web browsers, and in documents. These patterns are based on a study involving the purchase of 236 hard drives on the secondary market, interviews conducted with organizations whose drives had been acquired, a detailed examination of modern web browsers, and reports of information leakage in documents. Patterns are presented that enable secure messaging through the adoption of new key management techniques. These patterns are supported by an analysis of S/MIME handling in modern email clients, a survey of 469 Amazon.com merchants, and a user study of 43 individuals. Patterns are presented for promoting secure operation and for reducing the danger of covert monitoring. These patterns are supported by the literature review and an analysis of current systems. In every case considered, it is shown that the perceived antagonism between security and usability can be reduced or eliminated by revising the underlying designs on which modern systems are built. In many cases these designs can be implemented without significant user interface changes. The patterns described in this thesis can be directly applied by today's software developers and used for educating the next generation of programmers, so that longstanding usability problems in computer security can at last be addressed. It is very likely that additional patterns can be identified in other related areas. (Copies available exclusively from MIT Libraries, Rm. 14-0551, Cambridge, MA 02139-4307. Ph. 617-253-5668; Fax 617-253-1690.)
