Development and Assessment of User Interface for Security-Critical Systems

In this master's thesis a user interface for a security application was investigated. The thesis work was done at a security company in Sweden. The goal was to find current problems with the user interface and to develop a new prototype with improvements. A user-centered design approach was employed to achieve this. Another goal was to look at how this method works for security-critical systems and how usability affects security. By conducting a usability test, usability errors were found that affected information security. There were also other problems that arose when having to deal with trying to use a user-centered design approach when working for a security company

Users are not the enemy

Many system security departments treat users as a security risk to be controlled. The general consensus is that most users are careless and unmotivated when it comes to system security. In a recent study, we found that users may indeed compromise computer security mechanisms, such as password authentication, both knowing and unknowingly. A closer analysis, however, revealed that such behavior is often caused by the way in which security mechanisms are implemented, and users ’ lack of knowledge. We argue that to change this state of affairs, security departments need to communicate more with users, and adopt a user-centered design approach

Usable Security: Why Do We Need It? How Do We Get It?

Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice

Malicious User Experience Design Research for Cybersecurity

This paper explores the factors and theory behind the user-centered research that is necessary to create a successful game-like prototype, and user experience, for malicious users in a cybersecurity context. We explore what is known about successful addictive design in the fields of video games and gambling to understand the allure of breaking into a system, and the joy of thwarting the security to reach a goal or a reward of data. Based on the malicious user research, game user research, and using the GameFlow framework, we propose a novel malicious user experience design approac

Child-Centered Security

Children are spending more time online through the use of digital toys, games and the internet. These activities make children potentially vulnerable to security threats. This position paper puts forward an argument for and against creating a new research discipline in child-centered security, as a fusion of user-centered security and child computer interaction

Understanding the Experience-Centeredness of Privacy and Security Technologies

The joint study of computer security, privacy and human-computer interaction (HCI) over the last two decades has shaped a research agenda focused upon usable privacy & security. However, in HCI research more generally there has long been an awareness of the need to understand and design for user experience, in recognition of the complex and multi-faceted role that technology now plays in our lives. In this paper we add to the growing discussion by introducing the notion of experience-centered privacy and security. We argue that in order to engage users of technology around issues related to experiences of privacy and security, research methods are required that may be outside of the normal repertoire of methods that we typically call upon. We describe three projects that developed non-typical research methods to reveal experiential insights into user interactions with privacy and security-related technologies. We conclude by proposing a research agenda that begins to illustrate how the discourse and methods of experience-centered design might serve to provide valuable alternative perspectives on new and enduring user-facing privacy and security problems

Security through usability: a user-centered approach for balanced security policy requirements.

Security policy authors face a dilemma. On one hand, policies need to respond to a constantly evolving, well reported threat landscape, the consequences of which have heightened the security awareness of senior managers. On the other hand, the impact of policies extend beyond constraints on desktop computers and laptops; an overly constrained policy may compromise operations or stifle the freedom needed for staff to innovate. Because few people are fired for making a policy too secure, as long as usability continues to be treated as a trade-off quality together with functionality then policies will err on the side of constraint over freedom of action. Existing work argues that balanced security can be achieved using Requirements Engineering best practice. Such approaches, however, treat usability as another class of quality requirement, and prescribed techniques fail to elicit or analyse empirical data with the same richness as those used by usability professionals. There is, therefore, a need to incorporates techniques from HCI into the task of specifying security, but without compromising Requirements Engineering practice. Recent work demonstrated how user-centered design and security requirements engineering techniques can be aligned; this approach was validated using a general system design project, where ample time was available to collect empirical data and run participatory requirements and risk workshops. The question remains whether such an approach scales for eliciting policy requirements where time is an imperative rather than a luxury

Who says personas can't dance?:The use of comic strips to design information security personas

This paper presents comic strips as an approach to align personas and narrative scenarios; the resulting visual artifact was tested with information security practitioners, who often struggle with wider engagement. It offers ways in which different professional roles can work together to share understanding of complex topics such as information security. It also offers user-centered design practitioners a way to reflect on, and participate with, user research data

User-centered information security policy development in a post-Stuxnet world.

A balanced approach is needed for developing information security policies in Critical National Infrastructure (CNI) contexts. Requirements Engineering methods can facilitate such an approach, but these tend to focus on either security at the expense of usability, or vice-versa, it is also uncertain whether existing techniques are useful when the time available for applying them is limited. In this paper, we describe a case study where Usability and Requirements Engineering techniques were used to derive missing requirements for an information security policy for a UK water company following reports of the Stuxnet worm. We motivate and describe the approach taken while carrying out this case study, and conclude with three lessons informing future efforts to integrate Security, Usability, and Requirements Engineering techniques for secure system design

User-centered information security policy development in a post-Stuxnet world.

A balanced approach is needed for developing information security policies in Critical National Infrastructure (CNI) contexts. Requirements Engineering methods can facilitate such an approach, but these tend to focus on either security at the expense of usability, or vice-versa, it is also uncertain whether existing techniques are useful when the time available for applying them is limited. In this paper, we describe a case study where Usability and Requirements Engineering techniques were used to derive missing requirements for an information security policy for a UK water company following reports of the Stuxnet worm. We motivate and describe the approach taken while carrying out this case study, and conclude with three lessons informing future efforts to integrate Security, Usability, and Requirements Engineering techniques for secure system design