CYBER SECURITY TECHNOLOGY USABILITY AND MANAGEMENT

DIANA K. SMETTERS

PARC, Palo Alto, California

1 INTRODUCTION

Why does usability matter? Particularly when placed in the context of security, it sounds nice but is not necessary—after all, who would place their systems or data in jeopardy just for a little convenience? In practice, the answer to this question is anyone for whom maintaining system security is not the primary job, or in other words, almost everyone. People use computers to accomplish particular tasks, and anything ancillary to those tasks, particularly anything that gets in the way of accomplishing them, will be worked around, disabled, or avoided [1]. The net result of an unusable security measure is likely to be a system less secure than one that was more insecure to begin with. Luckily, recent work at the intersection of computer security and human-computer interaction (HCI) has begun to demonstrate that the “human element” is a critical component of security, and that it is possible, with care, to build systems that are both usable and secure.

2 USABILITY AND SECURITY: CURRENT RESEARCH

In their seminal 1974 paper, Saltzer and Schroeder listed eight principles for the design of secure systems. The last was “psychological acceptability”—usability, which they saw as critical if mechanisms designed according to the other seven principles were to be applied correctly [2]. After 25 years of relative quiet, there has been an explosion of interest ...
