Finding Solutions for Bringing Usability to Security Products

Thesis author: Antti Leskelä

Supervisor: Professor Jörg Ott

Presentation outline

Background Thesis objectives Thesis roadmap Quick overview to usability Usable security User study Conclusions

Background

Bad usability is everyday life for people Usability is a major factor of competition nowadays The importance of usable security grows as

network-related and computerised work becomes (/has become) more common

Security business has been one of the last sectors fighting against usability demands

The wrong assumption: ”The more usability, the less security”

Thesis objectives

To study problems with usability in information security emphasising in human aspects and human-centered design

To identify the different aspects of usable security and to create design principles based on the identification

To find out how usability is perceived in general and how the users experience the user-friendliness of security products

Expertise in security

Expertise in usability

Overlap area for usable security

Thesis roadmap

CHAPTER 2 Security

CHAPTER 2 Security

CHAPTER 4 Usable security

CHAPTER 4 Usable security

CHAPTER 5 Method

CHAPTER 5 Method

CHAPTER 3 Usability

CHAPTER 3 Usability

CHAPTER 6 Results

CHAPTER 6 Results

User study

Overview to usability

Usability refers to human-computer interface problems and user-friendliness.

Usability can be seen as the ability of a system to be used easily and efficiently

Takes into account emotions and affect Layered model of usability (next slide) combines

together different definitions of usability

Essential part of usability is paying attention to the user

Layered model of usability

Usable security 1/2

Usable security is a union of usability and security Usable security gives a two-dimensional possibility

of designing user-friendlier security products

Challenges in joining the user’s system image into the system to be designed

Communication with the user and the designer happens only via the system image

Need for user centered-design and design principles!!

Usable security 2/2

Zero impact Zero-click Visibility of actions Reversibility Completion User audit Override-ability No external burden

Design principles for usable security*:

* Based on Simson L. Garfinkel & Ka-Ping Yee

SUMI

Software Usability Measurement Inventory Can be used to surveys and controlled

studies Surveys measure the perceived usability

of software systems already in use Controlled studies measure performance

and identity, and analyse problems Used in the thesis to measure the

perceived usability of security software

User study

User study – Questionnaire

+

Web-based questionnaire for users of security software.

User study – Results 1/2

User study – Results 2/2

Participation was good However, results valid only for intermediate & expert users

• Number of novice users only 3,1 %

Quantitative analysis: SUMI results gave fairly good level of perceived usability to

security software Problem area: efficiency

• Can be seen as a lack of transparency of the system

Qualitative analysis: Most of the responses were negative relating to the problems

the participants had faced with their security software• Configuring, instructions, laziness & lack of interest etc.

General worry about the state of overall security awareness

Conclusions

Design principles for usable security give a good starting point for secure interaction design

Results of the user study indicate that users have problems with security software However it can be seen that security

software are more usable than before There is still a lot to do in order to provide

more usable security products

We demand better

usability!!!

THANKS!