411 research outputs found

    Not Seeing the Crime for the Cameras?

    Usability and Trust in Information Systems

    The need for people to protect themselves and their assets is as old as humankind. People's physical safety and their possessions have always been at risk from deliberate attack or accidental damage. The advance of information technology means that many individuals, as well as corporations, have an additional range of physical (equipment) and electronic (data) assets that are at risk. Furthermore, the increased number and types of interactions in cyberspace have enabled new forms of attack on people and their possessions. Consider grooming of minors in chat-rooms, or Nigerian email cons: minors were targeted by paedophiles before the creation of chat-rooms, and Nigerian criminals sent the same letters by physical mail or fax before there was email. But the technology has decreased the cost of many types of attacks, or the degree of risk for the attackers. At the same time, cyberspace is still new to many people, which means they do not understand risks, or recognise the signs of an attack, as readily as they might in the physical world. The IT industry has developed a plethora of security mechanisms, which could be used to mitigate risks or make attacks significantly more difficult. Currently, many people are either not aware of these mechanisms, or are unable or unwilling to use them. Security experts have taken to portraying people as "the weakest link" in their efforts to deploy effective security [e.g. Schneier, 2000]. However, recent research has revealed at least some of the problem may be that security mechanisms are hard to use, or ineffective. The review summarises current research on the usability of security mechanisms, and discusses options for increasing their usability and effectiveness

    The true cost of unusable password policies: password use in the wild

    HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use

    The sweet spot: How people trade off size and definition on mobile devices

    Mobile TV can deliver up-to-date content to users on the move. But it is currently unclear how to best adapt higher resolution TV content. In this paper, we describe a laboratory study with 35 participants who watched short clips of different content and shot types on a 200ppi PDA display at a resolution of either 120x90 or 168x128. Participants selected their preferred size and rated the acceptability of the visual experience. The preferred viewing ratio depended on the resolution and had to be at least 9.8H. The minimal angular resolution people required and which limited the up-scaling factor was 14 pixels per degree. Extreme long shots were best when depicted actors were at least 0.7° high. A second study researched the ecological validity of previous lab results by comparing them to results from the field. Image size yielded more value for users in the field than was apparent from lab results. In conclusion, current prediction models based on preferred viewing distances for TV and large displays do not predict viewing preferences on mobile devices. Our results will help to further the understanding of multimedia perception and service designers to deliver both economically viable and enjoyable experiences

    Usable Security: Why Do We Need It? How Do We Get It?

    Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice

    Ignore These At Your Peril: Ten principles for trust design

    Online trust has been discussed for more than 10 years, yet little practical guidance has emerged that has proven to be applicable across contexts or useful in the long run. 'Trustworthy UI design guidelines' created in the late 90s to address the then big question of online trust: how to get shoppers online, are now happily employed by people preparing phishing scams. In this paper we summarize, in practical terms, a conceptual framework for online trust we established in 2005. Because of its abstract nature it is still useful as a lens through which to view the current big questions of the online trust debate - largely focused on usable security and phishing attacks. We then deduce 10 practical rules for providing effective trust support to help practitioners and researchers of usable security

    Situating the transient user: overcoming challenges in the design of e-government systems

    e-Government systems present new challenges for user involvement in the design process. Existing user-centred and participatory design methodologies were mainly developed for situations where a user is in the workplace. In e-government applications the user population is heterogeneous and numerous; the increasing ubiquity of e-government systems also questions the concept of “the interface”. This paper presents the results of a study of discourses of e-government users in two case studies of interaction with new information systems in transport, which illuminate usability problems arising from a failure to prioritise users’ needs at all stages. An approach is proposed which accounts for the values as well as the goals of users, appropriating stakeholder analysis and ideas from Soft Systems Methodology while recognising that the routine actions of users in the real world are situated and contingent

    Human-centred identity - from rhetoric to reality

    This paper presents a proposal for human-centred identity management. Even though the term ‘human-centred identity’ has been widely used in the past few years, the solutions either describe a technical system for managing identity, or describe an identity management solution that meets a particular administrative need. Our proposal, however, presents a set of properties that have to be considered, and the choices that have to be made for each property must satisfy the needs of both the individual and the organization that owns the identity management system. The properties were identified as a result of reviewing a range of national identity systems, and the problems that arise from them

    Users are not the enemy

    Many system security departments treat users as a security risk to be controlled. The general consensus is that most users are careless and unmotivated when it comes to system security. In a recent study, we found that users may indeed compromise computer security mechanisms, such as password authentication, both knowingly and unknowingly. A closer analysis, however, revealed that such behavior is often caused by the way in which security mechanisms are implemented, and users’ lack of knowledge. We argue that to change this state of affairs, security departments need to communicate more with users, and adopt a user-centered design approach