lecture 10 - security and usability

Upload: cool-johnson

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 Lecture 10 - Security and Usability

    1/57

    2/57

    SECURITY AND USABILITY

    Prof. Steven Furnell

    Centre for Security, Communications & Network Research

    Plymouth University

    United Kingdom

    3/57

    Overview

    Introduction

    User perceptions

    Common usability problems

    Usability impacts

    Conclusions

    4/57

    Introduction

    Users often wish to protect their systems and data

    Related features can be found in:

    Security-specific tools (e.g. AV, firewall)

    Security-related options within other software (e.g. the OS and application programs)

    However, the usability of the features is sometimes a problem

    5/57

    Security - something we need but not something we want

    No-one buys a computer in order to use security features

    Security is, at best, a necessary evil, and often it's just a nuisance

    Implications:

    If people think they can manage without security, they will ignore it

    If security is too difficult to use, people won't use it

    If it gets in the way, people will switch it off

    6/57

    User perceptions

    7/57

    I would use security, but . . .

    Various obstacles may stand in the way of security

    In a Plymouth study, 415 home users were asked what prevented them from dealing with security

    41% said they did it

    amongst the rest, there were various issues . . .

    Reasons given (% of respondents):

    I don't know about the threats: 19%

    I don't understand the threats: 19%

    I don't know how to secure my computer: 27%

    I don't understand how to use security packages: 22%

    8/57

    Views from the trenches

    "The antivirus programs are really difficult to use, annoying because you try to access something and you get too many pop up messages, they drive you crazy, with warnings and warnings and allow or not allow"

    "I used to have one (antispyware) but now I don't. But you know what was annoying about that? All the time it was like... attempts to access your IP, something like that, deny or accept, and some of them were useful sites"

    "I am gonna try remember why my firewall is switched off cause there's a really good reason cause I wouldn't switch it off for nothing. I can't remember what it was now"

    9/57

    Home users' confidence in their computer security

    Not confident at all: 7%

    Worried about my system: 22%

    Satisfied: 51%

    Very confident: 20%

    Overall response from 415 users

    10/57

    Home users' confidence in their computer security

    Not confident at all: 31%

    Worried about my system: 36%

    Satisfied: 33%

    Very confident: 0%

    Responses from novice users

    11/57

    A false sense of security?

    Survey of 378 US homes by McAfee and National Cyber Security Alliance (2007) asked users about safeguards they believed were on their PCs, accompanied by scanning the devices

    92% believed their antivirus was up-to-date

    Scans revealed that only 51% had received a signature within the previous week

    73% believed that they had firewall protection

    Only 64% had it enabled

    Such findings suggest that users do not understand how to use their protection properly

    12/57

    Common usability problems

    13/57

    Golden Rules for Interface Design

    Strive for consistency

    Enable frequent users to use shortcuts

    Offer informative feedback

    Design dialogs to yield closure

    Offer simple error handling

    Permit easy reversal of actions

    Reduce short term memory load

    (Ben Shneiderman)

    14/57

    Security ought to be . . .

    Understandable

    We should be able to determine and select the protection we require

    The technology should not make unrealistic assumptions about our prior knowledge

    Locatable

    We need to be able to find the features we need

    If we have to spend too long looking, we may give up and remain unprotected

    15/57

    Security ought to be . . .

    Visible

    We ought to be able to determine whether protection is being applied and to what level

    Appropriate status indicators and warnings will help to remind us if safeguards are not enabled

    Convenient

    Need to maintain balance - security should not be so visible that it becomes intrusive

    We are likely to disable features that become too much of an impediment to legitimate use

    16/57

    The ultimate security hurdle?

    17/57

    Common Problems

    Reliance upon technical terminology

    Unclear and confusing functionality

    Lack of visible and informative feedback

    Forcing uninformed decisions

    Lack of integration

    18/57

    Security usability survey

    Online survey of over 340 users

    Considered security options in standard end-user applications:

    Internet Explorer

    Word

    Outlook Express

    Assessed user interpretations and/or understanding of security-related interfaces

    19/57

    Survey Respondents

    Almost 50-50 split between male and female

    Over 80% in the 17-29 age group

    Over 80% have university-level education

    Over 96% regularly use a computer at home and/or at work

    Almost 90% rate themselves as intermediate or advanced users

    20/57

    Reliance upon technical terminology

    A traditional barrier for newcomers to IT

    Efforts made to ease the burden: concepts expressed via pictures and plain language

    Security is an area where the message may still be unclear: technical terms are often an intrinsic part of how features are conveyed

    21/57

    An example from IE6

    IE's default security setting of Medium

    Ostensibly simple security level slider: High, Medium, Medium-Low, Low

    A third of users do not understand what the level description means

    A similar proportion were not clear on the concept of content zones

    22/57

    An example from IE7

    A few things have changed in IE7

    Slider has only 3 positions

    Default setting is now called Medium-high (has same description as old Medium setting)

    Medium setting simply drops the "Appropriate for most websites" bullet (i.e. no tangible indication of how security has been lowered)

    Low setting now removed

    23/57

    IE Custom Security Settings

    Only 40% of respondents claimed to understand these options

    A third had not heard of ActiveX, and only half of those that had knew what it is

    24/57

    So, let's get Help . . .

    The browser window offers context-based help

    Let's see what it tells us . . .

    25/57

    Solving the problem . . .

    Here's how IE7 deals with this issue . . .

    So, users need to resort to the main Help system, where they find . . .

    Explained: ActiveX, Authenticode

    Still not explained: IFRAME, META REFRESH, Software Channel Permissions

    For the determined, the descriptions can be found on Microsoft's website

    26/57

    Some improved visibility

    27/57

    Unclear and confusing functionality

    Confronting users with features they do not understand increases the chance of mistakes

    Such mistakes may:

    put their system or data at risk

    impede their own use of the system

    Presentation of features can complicate even the most familiar security features . . .

    28/57

    Password protection

    Suppose I want to ensure that only Paul can read the document

    Which password do I use: top, bottom, or both?

    A third of the survey respondents did not understand the difference between the two options

    29/57

    If you're ever feeling brave . . .

    74% of respondents would not know how to choose an appropriate option

    77% would not know how to choose a key length

    30/57

    Simplified in Word 2007

    Simpler, but no longer gives technical users any details of the security mechanism beyond being told that the document is encrypted

    Context sensitive help doesn't help, but Office Online reveals that AES 128-bit encryption is used

    31/57

    Password protection

    A friend emails you a document to look at, but when you try to open it you get this . . .

    You don't know the password, so what can you do?

    Responses:

    The document cannot be opened without a password: 23%

    The document cannot be changed without a password: 59%

    Not sure: 13%

    32/57

    And just when you thought at least one bit made sense . . .

    "Some of the settings that appear on the Security tab, including some that sound like security features, do not actually secure documents. The Document Protection task pane and Protect Document features (available in Word) do not secure your documents against malicious interference either. They protect the format and content of your document when you collaborate with co-workers"

    33/57

    Lack of visible and informative feedback

    Users ought to know:

    when security is being applied

    what level of protection is being provided

    Provides a basis for:

    increasing their confidence when using services

    reminding them to configure the system correctly

    Users may otherwise:

    perform sensitive tasks without adequate protection

    leave settings at a level that impedes legitimate usage

    34/57

    What happened to the slider?

    Having gone into the Custom settings, you no longer get any indication of your level of protection

    35/57

    Too much security!

    This is the result of going to the Hotmail site with Security set to High

    If users are concerned about protection, their natural reaction may be to set security to High

    BUT

    The browser provides no indication that the security setting is preventing the page from loading properly
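    The two feedback gaps criticised on the IE slides (a slider step that gives no tangible indication of what it relaxed, and a High setting that silently breaks a page) can be made concrete. The Python model below is an added example, not part of the lecture: the level names are the ones on the slides, but the per-feature policy table and the webmail page's requirements are constructed for illustration and are not Internet Explorer's actual settings.

```python
"""Illustrative model of browser security-level presets and the feedback a
user should get from them.  Constructed example; the level names follow the
lecture slides, but the policies are NOT Internet Explorer's real settings."""

# Constructed policy table: level -> {feature: "enable" | "prompt" | "disable"}
LEVELS = {
    "High": {
        "scripting": "disable", "cookies": "disable",
        "activex": "disable", "downloads": "disable",
    },
    "Medium-high": {
        "scripting": "enable", "cookies": "prompt",
        "activex": "prompt", "downloads": "prompt",
    },
    "Medium": {
        "scripting": "enable", "cookies": "enable",
        "activex": "prompt", "downloads": "enable",
    },
}

# Ranking used to decide whether a change relaxes or tightens a setting.
_STRICTNESS = {"disable": 0, "prompt": 1, "enable": 2}


def diff_levels(higher, lower):
    """Return {feature: (old, new)} for every setting relaxed when moving
    from `higher` to `lower`: the tangible indication of how security has
    been lowered that the IE7 slider description leaves out."""
    a, b = LEVELS[higher], LEVELS[lower]
    return {f: (a[f], b[f]) for f in a if _STRICTNESS[b[f]] > _STRICTNESS[a[f]]}


def explain_blocked(level, page_needs):
    """Given a level and the features a page relies on, list (sorted) the
    features the level disables outright.  Surfacing this is the indication
    the browser failed to give when the webmail page broke under High."""
    policy = LEVELS[level]
    return sorted(f for f in page_needs if policy.get(f) == "disable")


def feedback_message(level, page_needs):
    """One-line status following the 'offer informative feedback' rule:
    name the setting responsible and what it is blocking."""
    blocked = explain_blocked(level, page_needs)
    if not blocked:
        return f"Security level {level}: page fully loaded."
    return (f"Security level {level} is blocking {', '.join(blocked)}; "
            "the page may not work as intended.")


if __name__ == "__main__":
    webmail = {"scripting", "cookies"}  # constructed page requirements
    print(feedback_message("High", webmail))
    print(diff_levels("Medium-high", "Medium"))
```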

    36/57

    Forcing uninformed decisions

    Even if users do not look for security-related options, they may be required to make related decisions

    So, it is important to convey the information in a meaningful fashion:

    minimal assumptions of prior knowledge

    maximum help to ease the process

    37/57

    Unfriendly dialogs?

    How does the user make a decision?

    Do they even know what a certificate is?

    38/57

    Same message, new interface

    Note: the "More information" link does not work if browser security is set to high

    39/57

    Unfriendly dialogs?

    Only 44% of respondents would feel able to make a decision

    40/57

    Well-meaning, but confusing

    No option to view what data has actually been found

    Can only remove it, which may remove needed content

    41/57

    Lack of integration

    Users can also be confused when security software does not work together

    Quite easy to find examples of misinformation provided to users as a result

    Results in the potential to cause unnecessary concern and confusion for users

    42/57

    Integrated or not? The Microsoft Office Trust Center

    Accessible from within most Office 2007 applications, and looks similar in each case

    Users may assume that changes will apply across all their Office applications

    true in some cases (e.g. ActiveX Settings, Message Bar, and Privacy Options)

    others only change the current application (e.g. Trusted Locations, Add-ins, and Macro Settings)

    The scope of settings is not obvious from the interface, and even the Help system does not provide clarity in some cases

    43/57

    Trust Center variations: Word, Excel, PowerPoint and Access

    44/57

    Contradictory information

    Microsoft Word claims that the system is not protected from viruses

    but McAfee VirusScan Enterprise 7 is running

    45/57

    Usability Impacts


    46/57

    Clarity of system-initiated security events

    Totally clear: 29%

    Mostly clear: 32%

    Mostly unclear: 23%

    Not clear at all: 16%

    22% reported that the occurrence of the event prevented them from completing the task they were performing at the time

    47/57

    Ease of completing user-initiated events

    Totally clear: 34%

    Mostly clear: 14%

    Mostly unclear: 21%

    Not clear at all: 31%

    59% of events required a decision to be made

    Participants were able to complete their intended action in 62% of cases

    48/57

    Hands-on usability trials

    Involved use of security features within a range of software applications

    15 participants:

    8 general users, familiar with using IT on a regular basis, but no specific knowledge about the detail of the technology

    7 advanced users, with academic qualifications relating to IT and some prior knowledge in relation to security

    49/57

    Hands-on usability trials

    Required tasks were presented in writing and explained to the participants

    told what they needed to achieve, but not how to do it

    permitted to use help system and online sources

    Trials lasted between one and two hours

    Tasks were judged successful if completed without assistance from the trial supervisor

    50/57

    Usability trial in IE6

    Tasks:

    Determine the current security settings level within the browser

    Determine whether communication with a specific webpage is using a secure connection

    Customise security settings in order to permit download of a file

    Customise security settings in order to be prompted before running ActiveX

    Add websites to the trusted and restricted Web content zones

    Explain the purpose of the Web content zones

    Results:

    General users: 50% successful, 20 mins 00 secs

    Advanced users: 69% successful, 15 mins 50 secs

    Overall: 59% successful, 18 mins 13 secs

    51/57

    Usability trial in Word

    Tasks:

    Password protect a document to prevent it being read

    Understand how the advanced (encryption-related) options relate to the password

    Protect the privacy of the document

    Password protect a document to prevent changes

    Configure the macro security settings in order to be warned when opening a document with a potentially unsafe macro

    Results:

    General users: 30% successful, 11 mins 30 secs

    Advanced users: 60% successful, 11 mins 50 secs

    Overall: 44% successful, 11 mins 39 secs

    52/57

    Conclusions

    53/57

    Conclusions

    Security does not have to be difficult to use, but poor design and lack of proper consideration often ensure that it is

    Making security-related options available is not enough: users have clear problems understanding them

    if they cannot use the features, they will remain unprotected

    Need good default settings, but users still need the option to change things

    Need to cater for users at all levels

    54/57

    A word of warning

    Improving usability will help to address two of the main impediments to security:

    "I don't know how to secure my computer"

    "I don't understand how to use security packages"

    However, other reasons may come to replace them . . .

    55/57

    I would use security, but . . .

    Reasons given (% of respondents):

    Security packages and services are too expensive: 32%

    Security impedes the use of my computer: 20%

    I don't have the time to deal with it: 19%

    Nothing stops me, I just don't do it: 14%

    56/57

    Some relevant reading

    A. Whitten and J.D. Tygar. 1999. Why Johnny can't Encrypt: A usability Evaluation of PGP 5.0, Proceedings of the 8th USENIX Security Symposium, Washington, D.C., USA, August 23-26, pp. 169-184.

    J. Johnston, J.H.P. Eloff, and L. Labuschagne. 2003. Security and human computer interfaces, Computers & Security, vol. 22, no. 8, pp. 675-684.

    S.M. Furnell, A. Jusoh and D. Katsabas. 2006. The challenges of understanding and using security: A survey of end-users, Computers & Security, vol. 25, no. 1, pp. 27-35.

    S.M. Furnell, P. Bryant and A.D. Phippen. 2007. Assessing the security perceptions of personal Internet users, Computers & Security, vol. 26, no. 5, pp. 410-417.

    S.M. Furnell. 2007. Making security usable: Are things improving?, Computers & Security, vol. 26, no. 6, pp. 434-443.

    57/57

    Prof. Steven Furnell

    [email protected]

    Centre for Security, Communications & Network Research

    www.plymouth.ac.uk/cscan