
    Usable Security. A Systematic Literature Review

    Usable security involves designing security measures that accommodate users’ needs and behaviors. Balancing usability and security poses challenges: the more secure a system is, the less usable it will be; conversely, more usable systems will be less secure. Numerous studies have addressed this balance. These studies, spanning psychology and computer science/engineering, contribute diverse perspectives, necessitating a systematic review to understand the strategies and findings in this area. This systematic literature review examined articles on usable security from 2005 to 2022. A total of 55 research studies were selected after evaluation. The studies have been broadly categorized into four main clusters, each addressing different aspects: (1) usability of authentication methods, (2) helping security developers improve usability, (3) design strategies for influencing user security behavior, and (4) formal models for usable security evaluation. Based on this review, we report that the field’s current state reveals a certain immaturity, with studies tending toward system comparisons rather than establishing robust design guidelines based on a thorough analysis of user behavior. A common theoretical and methodological background is one of the main areas for improvement in this area of research. Moreover, the absence of requirements for usable security in almost all development contexts greatly discourages implementing good practices from the earliest stages of development.

    Towards a Heuristic Model for Usable and Secure Online Banking

    The main purpose of this paper is to propose a heuristic model for usable and secure online banking. The model is based on identified heuristics that contribute to the design of usable security in the context of online banking security. Little research has focused on the balance between usability and security in online banking authentication mechanisms when evaluating the effectiveness of security systems. Nielsen’s ten usability principles are still fundamentally important in designing usable secure systems, as indicated by the analysis of heuristics developed from recent studies. Online banking users are vulnerable to numerous old and new sophisticated online security threats that are increasingly being developed to target this unsuspecting group of users. An investigation into this aspect of security design can certainly benefit both online banking users and online banking merchants, and foster a secure and usable banking environment. In this paper, a heuristic model for usable online banking security is developed, based on security design principles found in the literature. Using data collected from users of online banking in South Africa through a questionnaire and interviews with banking security personnel, we envisaged refining the identified heuristics and developing a checklist for each heuristic used, for heuristic evaluation by field experts.

    A Tool-based Semantic Framework for Security Requirements Specification

    Attaining high quality in security requirements specification requires first-rate professional expertise, which is scarce. In fact, most organisations do not include core security experts in their software teams. This scenario motivates the need for adequate tool support for security requirements specification, so that the human requirements analyst can be assisted to specify security requirements of acceptable quality with minimum effort. This paper presents a tool-based semantic framework that uses an ontology and requirements boilerplates to facilitate the formulation and specification of security requirements. A two-phase evaluation of the semantic framework suggests that it is usable, reduces effort, aids the quick discovery of hidden security threats, and improves the quality of security requirements.

    Usable Security Evaluation of EasyVote in the Context of Complex Elections

    Elections differ not only between, but also within, countries. Some elections have very simple voting rules and ballots. For instance, in the parliamentary elections in Estonia or Germany, voters select 1-out-of-n candidates. Other elections, like the parliamentary elections in Luxembourg and Belgium or local elections in Germany, have very complex voting rules and huge ballots. These elections combine different voting rules, namely select k-out-of-n, weight and rank candidates, and therefore pose a challenge to both voters and electoral officials. Hence, in such elections voters are likely to spoil their vote unintentionally because of the complex voting rules. In addition, the tallying process is very time-intensive and likely to be error-prone, because of the combination of complex voting rules and huge ballots. In order to address such challenges and improve the situation for both voters and electoral officials, in particular with respect to the local elections in Hesse/Germany, the EasyVote electronic voting scheme was proposed. EasyVote focuses on polling station elections, and its central idea is to use an electronic voting device that does not store votes but rather prints a summary of the voter's selections on a DIN A4 paper ballot (a paper audit trail). The ballot consists of a human-readable and a machine-readable (QR code) component. Electoral officials then tally the ballots semi-automatically by scanning the QR code of each ballot and verifying that its content matches the human-readable component. However, before EasyVote can be used in legally binding elections, various open research questions need to be addressed. The goal of this dissertation is to pave the way for the use of EasyVote in legally binding elections. To achieve this goal, this dissertation addresses five open research questions, which are introduced below. 
While the second and fifth questions are EasyVote-specific, the remaining ones are relevant to all electronic voting schemes/systems that share similar concepts with EasyVote.
    1. Are voters concerned about vote secrecy related to the use of QR codes and, if so, how can such concerns be addressed effectively?
    2. What is an optimal ballot design that enables voters to understand the impact of their selections and to verify their voting intention easily?
    3. What are optimal verification instructions that make voters most likely to verify that their ballot matches their intention?
    4. What is an optimal verification setting that makes electoral officials most likely to detect potential discrepancies between the human- and machine-readable ballot components?
    5. Are the vote casting and tallying processes usable and, if not, how can their usability be improved?
The findings indicate that voters do have secrecy concerns in association with the use of QR codes. However, the findings suggest that the threat appraisal approach of protection motivation theory is a viable approach to address and significantly allay such concerns. Furthermore, the findings reveal that the ballot design which highlights the voter's direct selections in orange represents an optimal design for voters to understand the impact of their selections and to verify their intention easily. In addition, the findings show that just-in-time verification instructions, pre-printed on the reverse of the ballot, have a significant effect on voters with respect to verifying their ballot and detecting discrepancies. The findings also indicate a significant increase in detected discrepancies when electoral officials read voters' direct selections out loud while verifying that the human-readable ballot component matches the associated QR code. Moreover, the findings suggest that the implemented EasyVote prototype has high perceived usability. 
In summary, these findings reveal that EasyVote is likely to be recommended and that malicious or faulty behaviour of an electronic voting device, which might violate the integrity of the election result, would be detected with very high probability.
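The EasyVote description above rests on one mechanical check: the QR code and the human-readable text on the printed ballot must carry the same selections, and officials (or their scanner) compare the two. The Python below is an added example written for this page, not EasyVote's code or its actual ballot format; the text layout, the JSON payload, the short SHA-256 digest, the candidate list and the voting-rule limits (MAX_TOTAL, MAX_PER_CANDIDATE) are all assumptions made here. It shows the rule check a device would apply before printing, the cross-check an official performs, and the two failure modes worth separating: a damaged scan (caught by the digest) and a device that prints what the voter chose but encodes something else (caught only by comparing the two components).

```python
import hashlib
import json

# Constructed voting rules for the example (hypothetical, not the Hesse rules):
# every voter has MAX_TOTAL votes and may give a single candidate at most
# MAX_PER_CANDIDATE of them (a simple k-out-of-n with weighting).
MAX_TOTAL = 5
MAX_PER_CANDIDATE = 3
DIGEST_LEN = 16

# Constructed sample data.
ELECTION = "Example council election"
CANDIDATES = {"Alice", "Bob", "Carol"}
VOTER_INTENT = {"Alice": 3, "Bob": 2}


def check_rules(selections, candidates):
    """Rule check the device should run before printing. Returns the list of
    violations; an empty list means the selections form a valid vote."""
    problems = []
    for cand, votes in selections.items():
        if cand not in candidates:
            problems.append(f"unknown candidate {cand!r}")
        if not isinstance(votes, int) or votes < 1:
            problems.append(f"invalid vote count {votes!r} for {cand!r}")
        elif votes > MAX_PER_CANDIDATE:
            problems.append(f"{cand!r} has {votes} votes, limit is {MAX_PER_CANDIDATE}")
    total = sum(v for v in selections.values() if isinstance(v, int))
    if total > MAX_TOTAL:
        problems.append(f"{total} votes cast, limit is {MAX_TOTAL}")
    return problems


def render_human_readable(election, selections):
    """The text the voter reads and verifies. One 'name: votes' line per candidate;
    names containing ': ' are out of scope for this example."""
    lines = [f"Election: {election}"]
    for cand in sorted(selections):
        lines.append(f"{cand}: {selections[cand]}")
    return "\n".join(lines)


def render_qr_payload(election, selections):
    """Machine-readable component: canonical JSON plus a truncated SHA-256 digest.
    The digest only detects scan/transmission damage. A malicious device computes
    a perfectly valid digest over a wrong vote, so it is no defence against it."""
    body = json.dumps({"election": election, "selections": selections},
                      sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()[:DIGEST_LEN]
    return f"{body}|{digest}"


def parse_human_readable(text):
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("Election: "):
        raise ValueError("missing election header")
    election = lines[0][len("Election: "):]
    selections = {}
    for line in lines[1:]:
        cand, sep, votes = line.rpartition(": ")
        if not sep or not cand or not votes.isdigit():
            raise ValueError(f"unparseable line {line!r}")
        selections[cand] = int(votes)
    return election, selections


def parse_qr_payload(payload):
    body, sep, digest = payload.rpartition("|")
    expected = hashlib.sha256(body.encode("utf-8")).hexdigest()[:DIGEST_LEN]
    if not sep or digest != expected:
        raise ValueError("QR digest mismatch: damaged or misread code")
    data = json.loads(body)
    return data["election"], data["selections"]


def cross_check(human_text, qr_payload):
    """The official's semi-automatic check. Returns the list of discrepancies
    between the two components; an empty list means the ballot is consistent.
    An unreadable QR code is reported as a discrepancy rather than swallowed,
    so the ballot is set aside for manual handling instead of being skipped."""
    h_election, h_sel = parse_human_readable(human_text)
    try:
        q_election, q_sel = parse_qr_payload(qr_payload)
    except ValueError as exc:
        return [f"QR unreadable: {exc}"]
    discrepancies = []
    if h_election != q_election:
        discrepancies.append(f"election differs: {h_election!r} vs {q_election!r}")
    for cand in sorted(set(h_sel) | set(q_sel)):
        hv, qv = h_sel.get(cand), q_sel.get(cand)
        if hv != qv:
            discrepancies.append(f"{cand}: printed {hv}, QR says {qv}")
    return discrepancies


def honest_ballot():
    """Device prints and encodes exactly what the voter selected."""
    return (render_human_readable(ELECTION, VOTER_INTENT),
            render_qr_payload(ELECTION, VOTER_INTENT))


def tampered_ballot():
    """Faulty or malicious device: the printout matches the voter's intent, so the
    voter sees nothing wrong, but the QR code moves Bob's votes to Carol."""
    return (render_human_readable(ELECTION, VOTER_INTENT),
            render_qr_payload(ELECTION, {"Alice": 3, "Carol": 2}))


def damaged_scan(qr_payload):
    """Scanner misreads one digit inside the body; the digest no longer matches."""
    return qr_payload.replace('"Bob":2', '"Bob":3', 1)
```

Reading the selections out loud while scanning, which the dissertation found raised detection rates, corresponds to a human performing `cross_check` in parallel with the scanner; the code makes explicit why the digest alone cannot replace that step.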

    A framework to evaluate usable security in online social networking

    It is commonly held in the literature that users find security and privacy difficult to comprehend. It is also acknowledged that most end-user applications and websites have built-in security and privacy features. Users are expected to interact with these in order to protect their personal information. However, security is generally a secondary goal for users. Considering the complexity associated with security in combination with the notion that it is not users’ primary task, it makes sense that users tend to ignore their security responsibilities. As a result, they make poor security-related decisions and, consequently, their personal information is at risk. Usable Security is the field that investigates these types of issues, focusing on the design of security and privacy features that are usable. In order to understand and appreciate the complexities that exist in the field of Usable Security, the research fields of Human-Computer Interaction and Information Security should be examined. The Information Security field is concerned with all aspects pertaining to the security and privacy of information, while the field of Human-Computer Interaction is concerned with the design, evaluation and implementation of interactive computing systems for human use. This research delivers a framework to evaluate Usable Security in online social networks. In this study, online social networks particular to the health domain were used as a case study and contributed to the development of a framework consisting of three components: a process, a validation tool and a Usable Security heuristic evaluation. There is no existing qualitative process that describes how one would develop and validate a heuristic evaluation. In this regard, a heuristic evaluation is a usability inspection method used in the field of Human-Computer Interaction to evaluate the design of an interface for usability violations. 
Therefore, firstly, a new process and a validation tool had to be developed. Once this had been achieved, the process could be followed to develop a new heuristic evaluation specific to Usable Security. A validation tool is then used to assess the validity of the new heuristic evaluation. The development of tools that can improve the usability of security and privacy features on end-user applications and websites is critical, as this will ensure that the intended users experience them as usable and can utilise them effectively. The framework for evaluating Usable Security contributes to this objective in the context of online social networks.
