Overview
- Introduction
- User perceptions
- Common usability problems
- Usability impacts
- Conclusions
Introduction
Users often wish to protect their systems and data
Related features can be found in:
- Security-specific tools (e.g. AV, firewall)
- Security-related options within other software (e.g. the OS and application programs)
Implications:
- If people think they can manage without security, they will ignore it
- If security is too difficult to use, people won't use it
- If it gets in the way, people will switch it off
User perceptions
In a Plymouth study, 415 home users were asked what prevented them from dealing with security
41% said they did it
amongst the rest, there were various issues . . .
[Chart: reasons given, including "I don't know about the threats", "I don't understand the threats", "I don't know how to secure my computer" and "I don't understand how to use security packages"]
"I used to have one (antispyware) but now I don't. But you know what was annoying about that? All the time it was like ... attempts to access your IP, something like that, deny or accept, and some of them were useful sites"
"I am gonna try remember why my firewall is switched off cause there's a really good reason cause I wouldn't switch it off for nothing. I can't remember what it was now"
Satisfied 51%
Satisfied 33%
asked users about safeguards they believed were on their PCs accompanied by scanning the devices
Scans revealed that only 51% had received a signature within the previous week
Such findings suggest that users do not understand how to use their protection properly
- Strive for consistency
- Enable frequent users to use shortcuts
- Offer informative feedback
- Design dialogs to yield closure
- Offer simple error handling
- Permit easy reversal of actions
- Reduce short term memory load
(Ben Shneiderman)
Security ought to be . . .
Understandable
- We should be able to determine and select the protection we require
- The technology should not make unrealistic assumptions about our prior knowledge
Locatable
- We need to be able to find the features we need
- If we have to spend too long looking, we may give up and remain unprotected
Visible
- We ought to be able to determine whether protection is being applied and to what level
- Appropriate status indicators and warnings will help to remind us if safeguards are not enabled
Convenient
- Need to maintain balance - security should not be so visible that it becomes intrusive
- We are likely to disable features that become too much of an impediment to legitimate use
Common Problems
- Reliance upon technical terminology
- Unclear and confusing functionality
- Lack of visible and informative feedback
- Forcing uninformed decisions
- Lack of integration
Survey Respondents
- Almost 50-50 split between male and female
- Over 80% in the 17-29 age group
- Over 80% have university-level education
- Over 96% regularly use a computer at home and/or at work
- Almost 90% rate themselves as intermediate or advanced users
technical terms are often an intrinsic part of how features are conveyed
- A third of users do not understand what the level description means
- A similar proportion were not clear on the concept of content zones

- Slider has only 3 positions
- Default setting is now called Medium-high (has same description as old Medium setting)
- Medium setting simply drops the "Appropriate for most websites" bullet (i.e. no tangible indication of how security has been lowered)
- Low setting now removed

- put their system or data at risk
- impede their own use of the system
Presentation of features can complicate even the most familiar security features . . .
Password protection
- Suppose I want to ensure that only Paul can read the document
- Which password do I use: top, bottom, or both?
- A third of the survey respondents did not understand the difference between the two options

- 74% of respondents would not know how to choose an appropriate option
- 77% would not know how to choose a key length

- Simpler, but no longer gives technical users any details of the security mechanism beyond being told that the document is encrypted
- Context sensitive help doesn't help, but Office Online reveals that AES 128-bit encryption is used
Password protection
A friend emails you a document to look at, but when you try to open it you get this . . .
You don't know the password, so what can you do?
- The document cannot be opened without a password: 23%
- The document cannot be changed without a password: 59%
- Not sure: 13%
And just when you thought at least one bit made sense . . .
Some of the settings that appear on the Security tab, including some that sound like security features, do not actually secure documents. The Document Protection task pane and Protect Document features (available in Word) do not secure your documents against malicious interference either. They protect the format and content of your document when you collaborate with co-workers
- when security is being applied
- what level of protection is being provided
- increasing their confidence when using services
- reminding them to configure the system correctly

- perform sensitive tasks without adequate protection
- leave settings at a level that impedes legitimate usage
This is the result of going to the Hotmail site with Security set to High
The browser provides no indication that the security setting is preventing the page from loading properly
Unfriendly dialogs?
How does the user make a decision? Do they even know what a certificate is?
Lack of integration
Users can also be confused when security software does not work together
Quite easy to find examples of misinformation provided to users as a result
Results in the potential to cause unnecessary concern and confusion for users
Integrated or not?
The Microsoft Office Trust Center
- Accessible from within most Office 2007 applications, and looks similar in each case
- Users may assume that changes will apply across all their Office applications
  - true in some cases (e.g. ActiveX Settings, Message Bar, and Privacy Options)
  - others only change the current application (e.g. Trusted Locations, Add-ins, and Macro Settings)
The scope of settings is not obvious from the interface and even the Help system does not provide clarity in some cases
Contradictory information
Microsoft Word claims that the system is not protected from viruses
Usability Impacts
22% reported that the occurrence of the event prevented them from completing the task they were performing at the time
- 8 general users, familiar with using IT on a regular basis, but no specific knowledge about the detail of the technology
- 7 advanced users, with academic qualifications relating to IT and some prior knowledge in relation to security

- told what they needed to achieve, but not how to do it
- permitted to use help system and online sources

- Trials lasted between one and two hours
- Tasks were judged successful if completed without assistance from the trial supervisor
Conclusions
Security does not have to be difficult to use
but poor design and lack of proper consideration often ensure that it is
- users have clear problems understanding them
- if they cannot use the features, they will remain unprotected
but users still need the option to change things
A word of warning
Improving usability will help to address two of the main impediments to security:
- "I don't know how to secure my computer"
- "I don't understand how to use security packages"
[Chart: % respondents giving each reason: "Security packages and services are too expensive", "Security impedes the use of my computer", "I don't have the time to deal with it", "Nothing stops me, I just don't do it"]
S.M. Furnell, A. Jusoh and D. Katsabas. 2006. The challenges of understanding and using security: A survey of end-users, Computers & Security, vol. 25, no. 1, pp. 27-35.
S.M. Furnell, P. Bryant and A.D. Phippen. 2007. Assessing the security perceptions of personal Internet users, Computers & Security, vol. 26, no. 5, pp. 410-417.
S.M. Furnell. 2007. Making security usable: Are things improving?, Computers & Security, vol. 26, no. 6, pp. 434-443.
Prof. Steven Furnell sfurnell@plymouth.ac.uk Centre for Security, Communications & Network Research www.plymouth.ac.uk/cscan