Usable Security and Its Impact on User Experience
Jeff Offutt's SWE 205 lecture on the balance between security and usability in software design. It covers the consequences of unusable security, debunks common myths, and outlines a path forward, arguing that prioritizing usability strengthens security and saves money, and that traditional security thinking needs a shift in perspective to serve users better. Topics include the productivity cost of security measures (lost sales), why usable security matters, and the role of password recovery systems in everyday user interactions.
Presentation Transcript
Usable Security (unusable security ain't secure). Jeff Offutt, http://www.cs.gmu.edu/~offutt/. SWE 205 Software Usability Analysis and Design. Based on slides from Paul Ammann's keynote talk at SECTEST 2014 (with liberal help from Angela Sasse of UCL).
Outline 1. A Poll 2. Consequences of unusable security 3. Myths about usable security 4. The path forward 9 March 2025 2
A Poll. "In the past decade our community has recognized a tension between security and usability: it is generally easy to provide more of one by offering less of the other." (Bonneau et al., Oakland S&P 2012.) How many of you agree? Disagree? I hope you will all disagree by the time I finish today.
Unusable Security Costs Money
Standard Security Thinking: Users Should Make the Effort. "An hour from each of the US's 180 million online users is worth approximately US$2.5 billion. A major error in security thinking has been to treat users' time, an extremely valuable resource, as free." (C. Herley, IEEE S&P Jan/Feb 2014.)
Does This Really Help Security?
Productivity Impact: Lost Sales. CAPTCHAs are not a particularly effective security measure, and they are not usable: the failure rate is around 40%, so customers go elsewhere. CAPTCHAs waste 17 years of human effort every day (Pogue, Scientific American, March 2012).
Unusable Security is Ridiculous
Password Recovery. "A significant percentage of users use the password recovery system every time they log in to their bank account." (Security executive at a major bank.)
"Through 20 years of effort, we've successfully trained everyone to design passwords that are hard for humans to remember, but easy for computers to guess."
Unusable Security Costs Security
1. User errors, even when trying to be secure
2. Non-compliance and workarounds to get tasks done
3. Security policies that cannot be followed make effort seem futile: "It creates a sense of paranoia and fear, which makes some people throw up their hands and say, 'there's nothing to be done about security', and then totally ignore it." (Expert Round Table, IEEE S&P Jan/Feb 2014.)
Noncompliance. Are these legitimate users?
Classification of Errors (Norman). Slips: the goal is correct, but execution is flawed. Mistakes: the goal is wrong. Attacks: the goal is immoral, anti-social, or illegal. User errors are not security attacks. Don't treat legitimate users like criminals.
Impact on Security Long-Term
1. Increased likelihood of security breaches
2. Noise created by habitual non-compliance makes malicious behavior harder to detect
3. Lack of appreciation of and respect for security creates a bad security culture
4. Frustration can lead to disgruntlement: intentional malicious behavior (insider attacks, sabotage)
Beliefs of Usable Security. These are based on a survey of security and usability professionals at several companies. Belief 1: Software engineers and security experts understand usability. Belief 2: Usability is the same as user interface design. Belief 3: Usability is a luxury, not a necessity.
Myths of Usable Security. These are based on a survey of security and usability professionals at several companies. Myth 1: Software engineers and security experts understand usability. Myth 2: Usability is the same as user interface design. Myth 3: Usability is a luxury, not a necessity.
Beliefs of Usable Security (2). Belief 4: Making access more difficult for legitimate users also makes access more difficult for illegitimate users. Belief 5: Usability and security conflict with each other. Belief 6: The right process will lead to usable security.
Myths of Usable Security (2). Myth 4: Making access more difficult for legitimate users also makes access more difficult for illegitimate users. Myth 5: Usability and security conflict with each other. Myth 6: The right process will lead to usable security.
The Cost Confusion. [Chart: axes labelled "Cost for authorized users" and "Cost for unauthorized users"; regions labelled "Low usable security", "Death Zone", "Sweet Spot", and "High usable security"; annotation on the cost for authorized users: "Our goal is to drive this down".]
Pain and Consequences. [Diagram: Executive, Programmers, Purchasing, Designers, Users; pain originates with the Users.] Achieving usable security requires a pain-path from the users to the designers.
Technology Should be Smarter. Move from explicit to implicit authentication:
1. Proximity sensors (car key fobs)
2. Biometrics (thumbprints, facial recognition, etc.)
3. Web fingerprinting
4. Two-factor authentication
Summary. Security can only be achieved by designing security systems that are usable. Unusable Security Ain't