Lecture 10 - Security and Usability
-
7/31/2019 Lecture 10 - Security and Usability
-
SECURITY AND USABILITY
Prof. Steven Furnell
Centre for Security, Communications & Network Research
Plymouth University
United Kingdom
-
Overview
Introduction
User perceptions
Common usability problems
Usability impacts
Conclusions
-
Introduction
Users often wish to protect their systems and data
Related features can be found in:
Security-specific tools (e.g. AV, firewall)
Security-related options within other software (e.g. the OS and application programs)
However, the usability of the features is sometimes a problem
-
Security - Something we need but not something we want
No-one buys a computer in order to use security features
Security is, at best, a necessary evil and often it's just a nuisance
Implications:
If people think they can manage without security, they will ignore it
If security is too difficult to use, people won't use it
If it gets in the way, people will switch it off
-
User perceptions
-
I would use security, but . . .
Various obstacles may stand in the way of security
In a Plymouth study, 415 home users were asked what prevented them from dealing with security
41% said they did it
amongst the rest, there were various issues . . .
(Chart: % of respondents)
I don't know about the threats: 19%
I don't understand the threats: 19%
I don't know how to secure my computer: 27%
I don't understand how to use security packages: 22%
-
Views from the trenches
"The antivirus programs are really difficult to use, annoying because you try to access something and you get too many pop up messages, they drive you crazy, with warnings and warnings and allow or not allow"
"I used to have one (antispyware) but now I don't. But you know what was annoying about that? All the time it was like... attempts to access your IP, something like that, deny or accept, and some of them were useful sites"
"I am gonna try remember why my firewall is switched off cause there's a really good reason cause I wouldn't switch it off for nothing. I can't remember what it was now"
-
Home users' confidence in their computer security
Not confident at all: 7%
Worried about my system: 22%
Satisfied: 51%
Very confident: 20%
Overall response from 415 users
-
Home users' confidence in their computer security
Not confident at all: 31%
Worried about my system: 36%
Satisfied: 33%
Very confident: 0%
Responses from novice users
-
A false sense of security?
Survey of 378 US homes by McAfee and National Cyber Security Alliance (2007) asked users about safeguards they believed were on their PCs, accompanied by scanning the devices
92% believed their antivirus was up-to-date
Scans revealed that only 51% had received a signature within the previous week
73% believed that they had firewall protection
only 64% had it enabled
Such findings suggest that users do not understand how to use their protection properly
-
Common usability problems
-
Golden Rules for Interface Design
Strive for consistency
Enable frequent users to use shortcuts
Offer informative feedback
Design dialogs to yield closure
Offer simple error handling
Permit easy reversal of actions
Reduce short-term memory load
(Ben Shneiderman)
-
Security ought to be . . .
Understandable
We should be able to determine and select the protection we require
The technology should not make unrealistic assumptions about our prior knowledge
Locatable
We need to be able to find the features we need
If we have to spend too long looking, we may give up and remain unprotected
-
Security ought to be . . .
Visible
We ought to be able to determine whether protection is being applied and to what level
Appropriate status indicators and warnings will help to remind us if safeguards are not enabled
Convenient
Need to maintain balance - security should not be so visible that it becomes intrusive
We are likely to disable features that become too much of an impediment to legitimate use
-
The ultimate security hurdle?
-
Common Problems
Reliance upon technical terminology
Unclear and confusing functionality
Lack of visible and informative feedback
Forcing uninformed decisions
Lack of integration
-
Security usability survey
Online survey of over 340 users
Considered security options in standard end-user applications:
Internet Explorer
Word
Outlook Express
Assessed user interpretations and/or understanding of security-related interfaces
-
Survey Respondents
Almost 50-50 split between male and female
Over 80% in the 17-29 age group
Over 80% have university-level education
Over 96% regularly use a computer at home and/or at work
Almost 90% rate themselves as intermediate or advanced users
-
Reliance upon technical terminology
A traditional barrier for newcomers to IT
Efforts made to ease the burden
concepts expressed via pictures and plain language
Security is an area where the message may still be unclear
technical terms are often an intrinsic part of how features are conveyed
-
An example from IE6
IE's default security setting of Medium
Ostensibly simple security level slider
High, Medium, Medium-Low, Low
A third of users do not understand what the level description means
A similar proportion were not clear on the concept of content zones
-
An example from IE7
A few things have changed in IE7
Slider has only 3 positions
Default setting is now called Medium-high (has same description as old Medium setting)
Medium setting simply drops the "Appropriate for most websites" bullet (i.e. no tangible indication of how security has been lowered)
Low setting now removed
-
IE Custom Security Settings
Only 40% of respondents claimed to understand these options
A third had not heard of ActiveX
and only half of those that had knew what it is
-
So, let's get Help . . .
The browser window offers context-based help
Let's see what it tells us . . .
-
Solving the problem . . .
Here's how IE7 deals with this issue . . .
So, users need to resort to the main Help system, where they find . . .
Explained: ActiveX, Authenticode
Still not explained: IFRAME, META REFRESH, Software Channel Permissions
For the determined, the descriptions can be found on Microsoft's website
-
Some improved visibility
-
Unclear and confusing functionality
Confronting users with features they do not understand increases the chance of mistakes
Such mistakes may:
put their system or data at risk
impede their own use of the system
Presentation of features can complicate even the most familiar security features . . .
-
Password protection
Suppose I want to ensure that only Paul can read the document
Which password do I use: top, bottom, or both?
A third of the survey respondents did not understand the difference between the two options
-
If you're ever feeling brave . . .
74% of respondents would not know how to choose an appropriate option
77% would not know how to choose a key length
-
Simplified in Word 2007
Simpler, but no longer gives technical users any details of the security mechanism beyond being told that the document is encrypted
Context sensitive help doesn't help, but Office Online reveals that AES 128-bit encryption is used
-
Password protection
A friend emails you a document to look at, but when you try to open it you get this . . .
You don't know the password, so what can you do?
The document cannot be opened without a password: 23%
The document cannot be changed without a password: 59%
Not sure: 13%
-
And just when you thought at least one bit made sense . . .
"Some of the settings that appear on the Security tab, including some that sound like security features, do not actually secure documents. The Document Protection task pane and Protect Document features (available in Word) do not secure your documents against malicious interference either. They protect the format and content of your document when you collaborate with co-workers"
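The three Word slides above (the top/bottom password choice, the Word 2007 "encrypted with AES 128-bit" note, and the Microsoft help text saying Protect Document is not a security feature) all turn on one distinction: a "password to open" changes the bytes on disk so that the content is unreadable without the key, whereas a "password to modify" leaves the content in the clear and merely asks a cooperative application to check a verifier. The following toy container is an added example, not code from the lecture or from Microsoft; it is stdlib-only, and its HMAC-based counter-mode keystream stands in for the AES-128 that Word actually uses. Every function and field name in it is made up for this illustration.

```python
"""Toy model of Word-style 'password to open' vs 'password to modify'.

Added example (not from the lecture). 'Password to open' encrypts and
authenticates the body under a password-derived key; 'password to modify'
stores the body in the clear plus a verifier that only a well-behaved
application bothers to check.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor (constructed value for the demo)


def _derive_key(password: str, salt: bytes) -> bytes:
    # 32 bytes: first half used for encryption, second half for the MAC.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a stand-in for AES-128 here.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_to_open(body: bytes, password: str) -> dict:
    """'Password to open': confidentiality and integrity depend on the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _derive_key(password, salt)
    enc_key, mac_key = key[:16], key[16:]
    ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Note: no 'body' field; the plaintext simply is not in the container.
    return {"mode": "open", "salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_protected(doc: dict, password: str) -> Optional[bytes]:
    """Return the plaintext, or None if the password is wrong or the file was altered."""
    key = _derive_key(password, doc["salt"])
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, doc["nonce"] + doc["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, doc["tag"]):
        return None
    ks = _keystream(enc_key, doc["nonce"], len(doc["ciphertext"]))
    return bytes(a ^ b for a, b in zip(doc["ciphertext"], ks))


def protect_to_modify(body: bytes, password: str) -> dict:
    """'Password to modify': the body stays readable; only a verifier is stored."""
    salt = os.urandom(16)
    return {"mode": "modify", "body": body, "salt": salt, "verifier": _derive_key(password, salt)}


def can_modify(doc: dict, password: str) -> bool:
    """The check a cooperative application performs before allowing edits."""
    return hmac.compare_digest(_derive_key(password, doc["salt"]), doc["verifier"])


def read_without_password(doc: dict) -> Optional[bytes]:
    """What is recoverable by simply looking at the stored container."""
    return doc.get("body")  # plaintext for 'modify' containers, None for 'open'


if __name__ == "__main__":
    secret = b"quarterly figures"  # constructed sample content
    opened = protect_to_open(secret, "correct horse")
    modify_only = protect_to_modify(secret, "editors only")
    print("open-protected, no password :", read_without_password(opened))
    print("modify-protected, no password:", read_without_password(modify_only))
```

Running the block shows the lecture's point directly: the "open" container yields nothing without the password, while the "modify" container hands back the full text to anyone who reads the file, so "only Paul can read the document" is achievable only with the top (open) password.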
-
Lack of visible and informative feedback
Users ought to know:
when security is being applied
what level of protection is being provided
Provides a basis for:
increasing their confidence when using services
reminding them to configure the system correctly
Users may otherwise:
perform sensitive tasks without adequate protection
leave settings at a level that impedes legitimate usage
-
What happened to the slider?
Having gone into the Custom settings, you no longer get any indication of your level of protection
-
Too much security!
This is the result of going to the Hotmail site with Security set to High
If users are concerned about protection, their natural reaction may be to set security to High
BUT
The browser provides no indication that the security setting is preventing the page from loading properly
-
Forcing uninformed decisions
Even if users do not look for security-related options, they may be required to make related decisions
So, it is important to convey the information in a meaningful fashion
minimal assumptions of prior knowledge
maximum help to ease the process
-
Unfriendly dialogs?
How does the user make a decision?
Do they even know what a certificate is?
-
Same message, new interface
Note: The "More information" link does not work if browser security is set to high
-
Unfriendly dialogs?
Only 44% of respondents would feel able to make a decision
-
Well-meaning, but confusing
No option to view what data has actually been found
Can only remove it, which may remove needed content
-
Lack of integration
Users can also be confused when security software does not work together
Quite easy to find examples of misinformation provided to users as a result
Results in the potential to cause unnecessary concern and confusion for users
-
Integrated or not? The Microsoft Office Trust Center
Accessible from within most Office 2007 applications, and looks similar in each case
Users may assume that changes will apply across all their Office applications
true in some cases (e.g. ActiveX Settings, Message Bar, and Privacy Options)
others only change the current application (e.g. Trusted Locations, Add-ins, and Macro Settings)
The scope of settings is not obvious from the interface and even the Help system does not provide clarity in some cases
-
Trust Center variations: Word, Excel, PowerPoint and Access
-
Contradictory information
Microsoft Word claims that the system is not protected from viruses
but McAfee VirusScan Enterprise 7 is running
-
Usability Impacts
-
Clarity of system-initiated security events
Totally clear: 29%
Mostly clear: 32%
Mostly unclear: 23%
Not clear at all: 16%
22% reported that the occurrence of the event prevented them from completing the task they were performing at the time
-
Ease of completing user-initiated events
59% of events required a decision to be made
Participants were able to complete their intended action in 62% of cases
Totally clear: 34%
Mostly clear: 14%
Mostly unclear: 21%
Not clear at all: 31%
-
Hands-on usability trials
Involved use of security features within a range of software applications
15 participants:
8 general users, familiar with using IT on a regular basis, but no specific knowledge about the detail of the technology
7 advanced users, with academic qualifications relating to IT and some prior knowledge in relation to security
-
Hands-on usability trials
Required tasks were presented in writing and explained to the participants
told what they needed to achieve, but not how to do it
permitted to use help system and online sources
Trials lasted between one and two hours
Tasks were judged successful if completed without assistance from the trial supervisor
-
Usability trial in IE6
Determine the current security settings level within the browser
Determine whether communication with a specific webpage is using a secure connection
Customise security settings in order to permit download of a file
Customise security settings in order to be prompted before running ActiveX
Add websites to the trusted and restricted Web content zones
Explain the purpose of the Web content zones
General users: 50% successful, 20 mins 00 secs
Advanced users: 69% successful, 15 mins 50 secs
Overall: 59% successful, 18 mins 13 secs
-
Usability trial in Word
Password protect a document to prevent it being read
Understand how the advanced (encryption-related) options relate to the password
Protect the privacy of the document
Password protect a document to prevent changes
Configure the macro security settings in order to be warned when opening a document with a potentially unsafe macro
General users: 30% successful, 11 mins 30 secs
Advanced users: 60% successful, 11 mins 50 secs
Overall: 44% successful, 11 mins 39 secs
-
Conclusions
-
Conclusions
Security does not have to be difficult to use, but poor design and lack of proper consideration often ensure that it is
Making security-related options available is not enough: users have clear problems understanding them
if they cannot use the features, they will remain unprotected
Need good default settings, but users still need the option to change things
Need to cater for users at all levels
-
A word of warning
Improving usability will help to address two of the main impediments to security:
I don't know how to secure my computer
I don't understand how to use security packages
However, other reasons may come to replace them . . .
-
I would use security, but . . .
(Chart: % of respondents)
Security packages and services are too expensive: 32%
Security impedes the use of my computer: 20%
I don't have the time to deal with it: 19%
Nothing stops me, I just don't do it: 14%
-
Some relevant reading
A. Whitten and J.D. Tygar. 1999. "Why Johnny can't Encrypt: A Usability Evaluation of PGP 5.0", Proceedings of the 8th USENIX Security Symposium, Washington, D.C., USA, August 23-26, pp. 169-184.
J. Johnston, J.H.P. Eloff, and L. Labuschagne. 2003. "Security and human computer interfaces", Computers & Security, vol. 22, no. 8, pp. 675-684.
S.M. Furnell, A. Jusoh and D. Katsabas. 2006. "The challenges of understanding and using security: A survey of end-users", Computers & Security, vol. 25, no. 1, pp. 27-35.
S.M. Furnell, P. Bryant and A.D. Phippen. 2007. "Assessing the security perceptions of personal Internet users", Computers & Security, vol. 26, no. 5, pp. 410-417.
S.M. Furnell. 2007. "Making security usable: Are things improving?", Computers & Security, vol. 26, no. 6, pp. 434-443.
-
Prof. Steven Furnell
[email protected]
Centre for Security, Communications & Network Research
www.plymouth.ac.uk/cscan