Usable security explained

Usable security is a subfield of computer science, human-computer interaction, and cybersecurity concerned with the user interface design of security systems. In particular, usable security focuses on ensuring that the security implications of interacting with a computer system, for example through alert dialog boxes, are accessible to and understood by human users. It differs from the secure-by-design approach in software engineering in that it emphasizes the human aspects of security rather than the technical ones. Usable security also stands opposite to security through obscurity, since it works to make users aware of the security implications of their decisions rather than hiding them.[1]

History

Usable security traces its origins to computer scientists Jerry Saltzer and Michael Schroeder and their 1975 work The Protection of Information in Computer Systems,[2] whose recommendations are now commonly referred to as Saltzer and Schroeder's design principles. One of these principles, 'psychological acceptability', states that the human interface should be designed for ease of use and should match the user's mental model of the protection mechanisms. The authors note that security errors are likely to occur when the user's mental model and the system's actual operation do not match.

Despite Saltzer and Schroeder's work, the widely held view was, and for a long time remained, that security and usability are inherently in conflict: either security through obscurity was the preferable approach, or user discomfort and confusion were simply the price of good security. User login systems are one example. When the user enters incorrect login details, the system replies only that the username or password is incorrect, without saying which. If it stated which input was wrong, an attacker could use the response to confirm which usernames exist on the system and then target those accounts with password-guessing attacks or similar exploitation.[3] The uniform message is an annoyance for legitimate users, but it denies the attacker that information.
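The login example above, as an added illustration (not code from the article or from any cited work): a leaky handler that answers "unknown username" and "incorrect password" separately, beside a hardened one that returns the same message either way. The hardened version also runs the password hash even when the username does not exist, because a response that is faster for unknown users leaks the same information through timing. The user store, the dummy credential and the password strings are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed for this example: a one-user store of (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy credential (also constructed) so the hardened path does the same
# amount of hashing work whether or not the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Distinct messages, and no hashing for unknown users: an attacker can
    enumerate valid usernames from the text or from the response time."""
    record = USERS.get(username)
    if record is None:
        return (False, "Unknown username")
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return (True, "Welcome")
    return (False, "Incorrect password")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """One message for every failure, and a hash computed on every call, so
    neither the text nor the timing reveals whether the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # An unknown username must never log in, even if the guessed password
    # happens to match the dummy credential.
    ok = ok and username in USERS
    return (ok, "Welcome" if ok else "Incorrect username or password")


def enumerates_users(login) -> bool:
    """Oracle check: with a wrong password for a known and an unknown user,
    does the handler's message differ?"""
    _, msg_known = login("alice", "wrong")
    _, msg_unknown = login("mallory", "wrong")
    return msg_known != msg_unknown


if __name__ == "__main__":
    print("leaky handler enumerates users:", enumerates_users(login_leaky))
    print("uniform handler enumerates users:", enumerates_users(login_uniform))
```

The uniform message alone does not stop password guessing against accounts the attacker already knows; it only removes the free username check. Rate limiting and lockout policy still belong on the same endpoint, and registration and password-reset forms that say "that address is already in use" leak the same fact through a different door.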

It would not be until 1996, with the publication of "User-Centered Security"[4] by Mary Ellen Zurko and Richard T. Simon, that what is now called usable security became a distinct field of research and design. The shift consisted largely of placing greater emphasis on usability testing, and on making security features understandable during the design and development process, rather than adding them as an afterthought.

Scientific conferences

While research on usable security is widely accepted at many HCI and cybersecurity conferences, dedicated venues for such work include:

EuroUSEC, the European Symposium on Usable Security[5]
HAS, the International Conference on Human Aspects of Information Security, Privacy, and Trust[6]
WISE, the IFIP World Conference on Information Security Education[7]
STAST, the International Workshop on Socio-Technical Aspects in Security[8]
TrustBus, the International Conference on Trust and Privacy in Digital Business[9]
SOUPS, the USENIX Symposium on Usable Privacy and Security[10]

Notes and References

  1. Yee, Ka-Ping (2004). "Aligning security and usability". IEEE Security & Privacy 2(5): 48–55. doi:10.1109/MSP.2004.64. ISSN 1558-4046.
  2. Smith, Richard (2012). "A Contemporary Look at Saltzer and Schroeder's 1975 Design Principles". IEEE Security & Privacy. doi:10.1109/msp.2012.85. Retrieved 2023-12-28.
  3. Nielsen, Jakob (1993). Usability Engineering. Boston: Academic Press. ISBN 978-0-12-518405-2.
  4. Zurko, Mary Ellen; Simon, Richard T. (1996). "User-centered security". Proceedings of the 1996 Workshop on New Security Paradigms (NSPW '96). ACM Press, pp. 27–33. doi:10.1145/304851.304859. ISBN 978-0-89791-944-9. http://portal.acm.org/citation.cfm?doid=304851.304859
  5. "EUROUSEC Conference - Home". ACM Digital Library. Retrieved 2023-12-28.
  6. "International Conference on Human Aspects of Information Security, Privacy, and Trust". link.springer.com. Retrieved 2023-12-28.
  7. "IFIP World Conference on Information Security Education". link.springer.com. Retrieved 2023-12-28.
  8. "International Workshop on Socio-Technical Aspects in Security". link.springer.com. Retrieved 2023-12-28.
  9. "International Conference on Trust and Privacy in Digital Business". link.springer.com. Retrieved 2023-12-28.
  10. "SOUPS Symposia". USENIX. www.usenix.org. Retrieved 2023-12-28.