27 January 2004: M. Angela Sasse

SECURITY SEMINAR SERIES

Title: Human factors and security – Beyond the interface
Speaker: M. Angela Sasse, University College London
Host: Ross Anderson
Date: Tuesday, 27 January 2004, 16:15
Place: Lecture Theatre 2, William Gates Building

Abstract:

Many security researchers and practitioners treat usability of security as a user interface (UI) problem. It is no coincidence that the most widely known and cited paper on usability and security is Whitten & Tygar's "Why Johnny Can't Encrypt", a study of the user interface to PGP 5.0. Whilst there is no argument that many UIs to security tools are unusable, and that unusable UIs are bad for usability and security, I will argue that there are other pressing usability issues that need to be addressed. For instance:

  • Users often bypass security mechanisms because they interfere with production tasks.
  • Users often bypass security mechanisms because they require behaviour that conflicts with their values and social norms.
  • In many organisations, there is a discrepancy between security policies and security behaviour, which leads to a deteriorating security culture.
  • The complexity of current security systems creates problems – and fosters bad decisions – not just among end-users, but other – technically able – stakeholders, such as system administrators and software developers.

In conclusion, I will put forward a research agenda for usable and effective security.

Speaker:

M. Angela Sasse is the Professor of Human-Centred Technology in the Department of Computer Science at University College London. Since 1996, she has been researching usability issues of security systems in collaboration with a number of Ph.D. students, and published research on effectiveness and usability of authentication mechanisms, user attitudes and perceptions to computer security, and human and financial cost of security mechanisms, and related work on user-centred approaches to trust and privacy.