Usability issues with security of electronic mail

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.This thesis shows that human factors can have a large and direct impact on security, not only on the user’s satisfaction, but also on the level of security achieved in practice. The usability issues identified are also extended to include mental models and perceptions as well as traditional user interface issues. These findings were accomplished through three studies using various methodologies to best suit their aims. The research community have issued principles to better align security and usability, so it was first necessary to evaluate their effectiveness. The chosen method for achieving this was through a usability study of the most recent software specifically to use these principles. It was found that the goal of being simultaneously usable and secure was not entirely met, partially through problems identified with the software interface, but largely due to the user’s perceptions and actions whilst using the software. This makes it particularly difficult to design usable and secure software without detailed knowledge of the users attitudes and perceptions, especially if we are not to blame the user for security errors as has occurred in the past. Particular focus was given to e-mail security because it is an area in which there is a massive number of vectors for security threats, and in which it is technologically possible to negate most of these threats, yet this is not occurring. Interviews were used to gain in depth information from the user’s point of view. Data was collected from individual e-mail users from the general public, and organisations. It was found that although the literature had identified various problems with the software and process of e-mail encryption, the majority of problems identified in the interviews stemmed once again from user’s perceptions and attitudes. Use of encryption was virtually nil, although the desire to use encryption to protect privacy was strong. Remembering secure passwords was recurrently found to be problematic, so in an effort to propose a specific method of increasing their usability an empirical experiment was used to examine the memorability of passwords. Specially constructed passwords were tested for their ability to improve memorability, and therefore usability. No statistical significance in the construction patterns was found, but a memory phenomenon whereby users tend to forget their password after a specific period of non-use was discovered. The findings are discussed with reference to the fact that they all draw on a theme of responsibility to maintain good security, both from the perspective of the software developer and the end user. The term Personal Liability and General Use Evaluation (PLaGUE) is introduced to highlight the importance of considering these responsibilities and their effect on the use of security

Persistent issues in encryption software: A heuristic and cognitive walkthrough

The support information accompanying security software can be difficult to understand by end-users, who have little knowledge in cyber security. One mechanism for ensuring the integrity and confidentiality of information is encryption software. Unfortunately, software usability issues can hinder an end-user’s capability to properly utilise the security features effectively. To date there has been little research in investigating the usability of encryption software and proposing solutions for improving them. This research paper analysed the usability of encryption software targeting end-users. The research identified several issues that could impede the ability of a novice end-user to adequately utilise the encryption software. A set of proposed recommendations are suggested to improve encryption software which could be empirically verified through further research

Finding and Resolving Security Misusability with Misusability Cases

Although widely used for both security and usability concerns, scenarios used in security design may not necessarily inform the design of usability, and vice- versa. One way of using scenarios to bridge security and usability involves explicitly describing how design deci- sions can lead to users inadvertently exploiting vulnera- bilities to carry out their production tasks. This paper describes how misusability cases, scenarios that describe how design decisions may lead to usability problems sub- sequently leading to system misuse, address this problem. We describe the related work upon which misusability cases are based before presenting the approach, and illus- trating its application using a case study example. Finally, we describe some findings from this approach that further inform the design of usable and secure systems

CAPTCHaStar! A novel CAPTCHA based on interactive shape discovery

Over the last years, most websites on which users can register (e.g., email providers and social networks) adopted CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) as a countermeasure against automated attacks. The battle of wits between designers and attackers of CAPTCHAs led to current ones being annoying and hard to solve for users, while still being vulnerable to automated attacks. In this paper, we propose CAPTCHaStar, a new image-based CAPTCHA that relies on user interaction. This novel CAPTCHA leverages the innate human ability to recognize shapes in a confused environment. We assess the effectiveness of our proposal for the two key aspects for CAPTCHAs, i.e., usability, and resiliency to automated attacks. In particular, we evaluated the usability, carrying out a thorough user study, and we tested the resiliency of our proposal against several types of automated attacks: traditional ones; designed ad-hoc for our proposal; and based on machine learning. Compared to the state of the art, our proposal is more user friendly (e.g., only some 35% of the users prefer current solutions, such as text-based CAPTCHAs) and more resilient to automated attacks.Comment: 15 page

Evaluating usability of cross-platform smartphone applications

The computing power of smartphones is increasing as time goes. However, the proliferation of multiple different types of operating platforms affected interoperable smartphone applications development. Thus, the cross-platform development tools are coined. Literature showed that smartphone applications developed with the native platforms have better user experience than the cross-platform counterparts. However, comparative evaluation of usability of cross-platform applications on the deployment platforms is not studied yet. In this work, we evaluated usability of a crossword puzzle developed with PhoneGap on Android, Windows Phone, and BlackBerry. The evaluation was conducted focusing on the developer's adaptation effort to native platforms and the end users. Thus, we observed that usability of the cross-platform crossword puzzle is unaffected on the respective native platforms and the SDKs require only minimal configuration effort. In addition, we observed the prospect of HTML5 and related web technologies as our future work towards evaluating and enhancing usability in composing REST-based services for smartphone applications