
SECURITY AND USABILITY

Prof. Steven Furnell


Centre for Security, Communications & Network Research Plymouth University United Kingdom

Overview
- Introduction
- User perceptions
- Common usability problems
- Usability impacts
- Conclusions

Introduction
Users often wish to protect their systems and data. Related features can be found in:
- Security-specific tools (e.g. AV, firewall)
- Security-related options within other software (e.g. the OS and application programs)

However, the usability of these features is sometimes a problem.

Security - something we need but not something we want
- No-one buys a computer in order to use security features
- Security is, at best, a necessary evil
  - and often it's just a nuisance

Implications:
- If people think they can manage without security, they will ignore it
- If security is too difficult to use, people won't use it
- If it gets in the way, people will switch it off

User perceptions

I would use security, but . . .
Various obstacles may stand in the way of security. In a Plymouth study, 415 home users were asked what prevented them from dealing with security: 41% said they did it; amongst the rest, there were various issues . . .

[Bar chart: % respondents citing each obstacle. Categories: "I don't know about the threats", "I don't understand the threats", "I don't know how to secure my computer", "I don't understand how to use security packages". Bar values as extracted: 27, 19, 19, 22 (mapping of values to categories not recoverable from the page).]

Views from the trenches

"The antivirus programs are really difficult to use, annoying because you try to access something and you get too many pop up messages, they drive you crazy, with warnings and warnings and allow or not allow"

"I used to have one (antispyware) but now I don't. But you know what was annoying about that? All the time it was like ... attempts to access your IP, something like that, deny or accept, and some of them were useful sites"

"I am gonna try remember why my firewall is switched off cause there's a really good reason cause I wouldn't switch it off for nothing. I can't remember what it was now"

Home users' confidence in their computer security
(overall response from 415 users)
- Very confident: 20%
- Satisfied: 51%
- Worried about my system: 22%
- Not confident at all: 7%

Home users' confidence in their computer security
(responses from novice users)
- Very confident: 0%
- Satisfied: 33%
- Worried about my system: 36%
- Not confident at all: 31%

A false sense of security?
Survey of 378 US homes by McAfee and National Cyber Security Alliance (2007)
- asked users about safeguards they believed were on their PCs, accompanied by scanning the devices
- 92% believed their antivirus was up-to-date
  - scans revealed that only 51% had received a signature within the previous week
- 73% believed that they had firewall protection
  - only 64% had it enabled
Such findings suggest that users do not understand how to use their protection properly

Common usability problems

Golden Rules for Interface Design (Ben Shneiderman)
- Strive for consistency
- Enable frequent users to use shortcuts
- Offer informative feedback
- Design dialogs to yield closure
- Offer simple error handling
- Permit easy reversal of actions
- Reduce short-term memory load

Security ought to be . . .
Understandable
- We should be able to determine and select the protection we require
- The technology should not make unrealistic assumptions about our prior knowledge
Locatable
- We need to be able to find the features we need
- If we have to spend too long looking, we may give up and remain unprotected

Security ought to be . . .
Visible
- We ought to be able to determine whether protection is being applied and to what level
- Appropriate status indicators and warnings will help to remind us if safeguards are not enabled
Convenient
- Need to maintain balance - security should not be so visible that it becomes intrusive
- We are likely to disable features that become too much of an impediment to legitimate use

The ultimate security hurdle?

Common Problems
- Reliance upon technical terminology
- Unclear and confusing functionality
- Lack of visible and informative feedback
- Forcing uninformed decisions
- Lack of integration

Security usability survey
- Online survey of over 340 users
- Considered security options in standard end-user applications:
  - Internet Explorer
  - Word
  - Outlook Express
- Assessed user interpretations and/or understanding of security-related interfaces

Survey Respondents
- Almost 50-50 split between male and female
- Over 80% in the 17-29 age group
- Over 80% have university-level education
- Over 96% regularly use a computer at home and/or at work
- Almost 90% rate themselves as intermediate or advanced users

Reliance upon technical terminology
- A traditional barrier for newcomers to IT
- Efforts made to ease the burden
  - concepts expressed via pictures and plain language
- Security is an area where the message may still be unclear
  - technical terms are often an intrinsic part of how features are conveyed

An example from IE6
- IE's default security setting of Medium
- Ostensibly simple security level slider
  - High, Medium, Medium-Low, Low
- A third of users do not understand what the level description means
- A similar proportion were not clear on the concept of content zones

An example from IE7
A few things have changed in IE7:
- Slider has only 3 positions
- Default setting is now called Medium-high (has the same description as the old Medium setting)
- Medium setting simply drops the "Appropriate for most websites" bullet (i.e. no tangible indication of how security has been lowered)
- Low setting now removed

IE Custom Security Settings
- Only 40% of respondents claimed to understand these options
- A third had not heard of ActiveX
  - and only half of those that had knew what it is

So, let's get Help . . .
The browser window offers context-based help. Let's see what it tells us . . .

Solving the problem . . .
Here's how IE7 deals with this issue . . .
So, users need to resort to the main Help system, where they find . . .
Explained:
- ActiveX
- Authenticode
- IFRAME
- META REFRESH
- Software Channel Permissions

Still not explained:

For the determined, the descriptions can be found on Microsoft's website

Some improved visibility

Unclear and confusing functionality
- Confronting users with features they do not understand increases the chance of mistakes
- Such mistakes may:
  - put their system or data at risk
  - impede their own use of the system
- Presentation can complicate even the most familiar security features . . .

Password protection
Suppose I want to ensure that only Paul can read the document. Which password do I use: top, bottom, or both?
A third of the survey respondents did not understand the difference between the two options

If you're ever feeling brave . . .
- 74% of respondents would not know how to choose an appropriate option
- 77% would not know how to choose a key length

Simplified in Word 2007
- Simpler, but no longer gives technical users any details of the security mechanism beyond being told that the document is encrypted
- Context-sensitive help doesn't help, but Office Online reveals that AES 128-bit encryption is used

Password protection
A friend emails you a document to look at, but when you try to open it you get this . . .
You don't know the password, so what can you do?
- The document cannot be opened without a password: 23%
- The document cannot be changed without a password: 59%
- Not sure: 13%

And just when you thought at least one bit made sense . . .
Some of the settings that appear on the Security tab, including some that sound like security features, do not actually secure documents. The Document Protection task pane and Protect Document features (available in Word) do not secure your documents against malicious interference either. They protect the format and content of your document when you collaborate with co-workers

Lack of visible and informative feedback
Users ought to know:
- when security is being applied
- what level of protection is being provided
Provides a basis for:
- increasing their confidence when using services
- reminding them to configure the system correctly
Users may otherwise:
- perform sensitive tasks without adequate protection
- leave settings at a level that impedes legitimate usage

What happened to the slider?
Having gone into the Custom settings, you no longer get any indication of your level of protection

Too much security!
If users are concerned about protection, their natural reaction may be to set security to High. BUT . . .
This is the result of going to the Hotmail site with Security set to High: the browser provides no indication that the security setting is preventing the page from loading properly

Forcing uninformed decisions
- Even if users do not look for security-related options, they may be required to make related decisions
- So, it is important to convey the information in a meaningful fashion
  - minimal assumptions of prior knowledge
  - maximum help to ease the process

Unfriendly dialogs?
How does the user make a decision? Do they even know what a certificate is?

Same message, new interface
Note: the "More information" link does not work if browser security is set to High

Unfriendly dialogs?
Only 44% of respondents would feel able to make a decision

Well-meaning, but confusing
- No option to view what data has actually been found
- Can only remove it, which may remove needed content

Lack of integration
- Users can also be confused when security software does not work together
- Quite easy to find examples of misinformation provided to users as a result
  - results in the potential to cause unnecessary concern and confusion for users

Integrated or not?
The Microsoft Office Trust Center
- Accessible from within most Office 2007 applications, and looks similar in each case
- Users may assume that changes will apply across all their Office applications
  - true in some cases (e.g. ActiveX Settings, Message Bar, and Privacy Options)
  - others only change the current application (e.g. Trusted Locations, Add-ins, and Macro Settings)
- The scope of settings is not obvious from the interface, and even the Help system does not provide clarity in some cases

Trust Center variations
Word, Excel, PowerPoint and Access

Contradictory information
Microsoft Word claims that the system is not protected from viruses
- but McAfee VirusScan Enterprise 7 is running

Usability Impacts

Clarity of system-initiated security events
- Totally clear: 29%
- Mostly clear: 32%
- Mostly unclear: 23%
- Not clear at all: 16%
22% reported that the occurrence of the event prevented them from completing the task they were performing at the time

Ease of completing user-initiated events
59% of events required a decision to be made
- Totally clear: 34%
- Mostly clear: 14%
- Mostly unclear: 21%
- Not clear at all: 31%
Participants were able to complete their intended action in 62% of cases

Hands-on usability trials
- Involved use of security features within a range of software applications
- 15 participants:
  - 8 general users, familiar with using IT on a regular basis, but no specific knowledge about the detail of the technology
  - 7 advanced users, with academic qualifications relating to IT and some prior knowledge in relation to security
- Required tasks were presented in writing and explained to the participants
  - told what they needed to achieve, but not how to do it
  - permitted to use help system and online sources
- Trials lasted between one and two hours
- Tasks were judged successful if completed without assistance from the trial supervisor

Usability trial in IE6
Tasks:
- Determine the current security settings level within the browser
- Determine whether communication with a specific webpage is using a secure connection
- Customise security settings in order to permit download of a file
- Customise security settings in order to be prompted before running ActiveX
- Add trusted and restricted websites to the Web content zones
- Explain the purpose of the Web content zones

Results (success rate, average time):
- General users: 50% successful, 20 mins 00 secs
- Advanced users: 69% successful, 15 mins 50 secs
- Overall: 59% successful, 18 mins 13 secs

Usability trial in Word
Tasks:
- Password protect a document to prevent it being read
- Understand how the advanced (encryption-related) options relate to the password
- Protect the privacy of the document
- Password protect a document to prevent changes
- Configure the macro security settings in order to be warned when opening a document with a potentially unsafe macro

Results (success rate, average time):
- General users: 30% successful, 11 mins 30 secs
- Advanced users: 60% successful, 11 mins 50 secs
- Overall: 44% successful, 11 mins 39 secs

Conclusions
- Security does not have to be difficult to use
  - but poor design and lack of proper consideration often ensure that it is
- Making security-related options available is not enough
  - users have clear problems understanding them
  - if they cannot use the features, they will remain unprotected
- Need good default settings
  - but users still need the option to change things
- Need to cater for users at all levels

A word of warning
Improving usability will help to address two of the main impediments to security:
- I don't know how to secure my computer
- I don't understand how to use security packages
However, other reasons may come to replace them . . .

I would use security, but . . .

[Bar chart: % respondents citing each obstacle. Categories: "Security packages and services are too expensive", "Security impedes the use of my computer", "I don't have the time to deal with it", "Nothing stops me, I just don't do it". Bar values as extracted: 32, 20, 19, 14 (mapping of values to categories not recoverable from the page).]

Some relevant reading
- A. Whitten and J.D. Tygar. 1999. "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0", Proceedings of the 8th USENIX Security Symposium, Washington, D.C., USA, August 23-26, pp. 169-184.
- J. Johnston, J.H.P. Eloff and L. Labuschagne. 2003. "Security and human computer interfaces", Computers & Security, vol. 22, no. 8, pp. 675-684.
- S.M. Furnell, A. Jusoh and D. Katsabas. 2006. "The challenges of understanding and using security: A survey of end-users", Computers & Security, vol. 25, no. 1, pp. 27-35.
- S.M. Furnell, P. Bryant and A.D. Phippen. 2007. "Assessing the security perceptions of personal Internet users", Computers & Security, vol. 26, no. 5, pp. 410-417.
- S.M. Furnell. 2007. "Making security usable: Are things improving?", Computers & Security, vol. 26, no. 6, pp. 434-443.

Prof. Steven Furnell
sfurnell@plymouth.ac.uk
Centre for Security, Communications & Network Research
www.plymouth.ac.uk/cscan
