Usable Security - Tipniques and Practfalls (Tips and Techniques, Pitfalls and Practices)

Thu, Jun 14 6:00pm

Presentation Overview:

For a long time, computer security was mainly concerned with the design of various technical mechanisms for defending against adversaries, as well as with the underlying mathematical foundations such as cryptographic primitives. However, the usability of such technical mechanisms was largely ignored, producing technical solutions that were theoretically sound but practically insecure because of their poor usability. More and more people agree that we need usable security systems - unusable secure systems are not used properly or at all, and thus only usable systems can provide effective security. However, there is less agreement about how to design systems that are both usable and secure. This talk will give an overview of the field of usable security with a focus on issues to avoid, techniques to use, and useful case studies. It aims to enable participants to both evaluate and produce high-quality work in usable security. We will start with a definition of usable security and examples of how security has failed due to usability. We will then outline common approaches to, and relevant design principles for, security usability. Methods for improving security usability, and methods for empirically establishing such improvement, will be discussed. Usability techniques successfully applied to security will be covered, including usable design (with an emphasis on error handling), lab user studies, field user studies, and techniques for evaluating organizational cultures. Finally, we'll conclude with case studies illustrating how security and usability can be simultaneously improved, and how the principles and methods introduced in the earlier parts were applied. Topics that have received much attention will be highlighted, including authentication, access control and authorization, phishing defenses, and the utility of user education.


Presenter Bio:

Mary Ellen Zurko has over two decades of work in user-centered security, in product development, early product prototyping, and research. Her experience spans the entire lifecycle of software products, from initial product definition and delivery to mature product maintenance, with an emphasis on distributed middleware and collaboration. She is chair of the steering committee of the International WWW Conference series, and serves on the steering committees of the Symposium on Usable Privacy and Security and the New Security Paradigms Workshop. She is security architect of the collaboration cloud offerings at IBM.