Jun 13, 2012 11:00 PM
For a long time, computer security was mainly concerned with the design of various technical mechanisms for defending against adversaries, as well as with the underlying mathematical foundations such as cryptography primitives. However, the usability of such technical mechanisms was largely ignored, producing technical solutions that were theoretically sound but practically insecure because of their poor usability. More and more people agree that we need usable security systems - unusable secure systems are not used properly or at all, and thus only usable systems can provide effective security. However, there is less agreement about how to design systems that are both usable and secure. This talk will give an overview of the field of usable security with the focus on issues to avoid, techniques to use, and useful case studies. It aims to enable participants to both evaluate and produce high-quality work in usable security. We will start with a definition of usable security, and examples of how security has failed due to usability. We will then outline common approaches to and relevant design principles for security usability. Methods for improving security usability and methods for empirically establishing such improvement will be discussedl. Usability techniques successfully applied to security will be discussed, including usable design (with an emphasis on error handling), lab user studies, field user studies, and techniques for evaluating organizational cultures. Finally, we'll conclude with case studies illustrating how security and usability can be simultaneously improved, and how the principles and methods introduced in the previous part were applied. Topics that have received much attention will be highlighted, including authentication, access control and authorization, phishing defenses, and the utility of education of the user.