Date/Time: Tuesday, November 10, 1:30-3:00
Duration: 1.5 hours
Title: An introduction to usable security
Presenters: Jeff Yan, Newcastle University, England
For a long time, computer security was mainly concerned with the design of various technical mechanisms for defending against adversaries, as well as with the underlying mathematical foundations such as cryptographic primitives. However, the usability of such technical mechanisms was largely ignored, which unfortunately has proved a major cause of many computer security failures. In particular, many technical solutions, though theoretically sound, were practically insecure because of their poor usability. In recent years, “usable security” (or “security usability”) has attracted fast-growing attention in both academia and industry. More and more people agree that we need usable security systems: unusable secure systems are not used properly or at all, and thus only usable systems can provide effective security. However, there is less agreement about how to design systems that are both usable and secure. This tutorial will give a quick overview of the field of usable security, with a focus on the principles, approaches and methods of usable security. A number of real-life examples will be used to illustrate that it is feasible to develop security solutions that are simultaneously secure and usable. The most important aim is to discuss how to produce high-quality research work in usable security.
Outline:
The tutorial is structured as follows:
- Part 1: Fundamentals
How security has failed because security technologies were not usable. Psychological aspects of computer security, highlighting that what security engineers expect to work and what users actually make work can differ greatly. The contrast between theoretical security and effective practical security will be highlighted.
- Part 2: Approaches and methods
Common approaches to usable security and relevant design principles for security usability will be discussed. Methods for improving security usability and methods for empirically establishing such improvement will be discussed in detail.
- Part 3: Case studies
Real-life examples illustrating how security and usability can be simultaneously improved, and how the principles and methods introduced in the previous part were applied. Reflections and critiques on the application of the methods.
Security researchers who want to step into the field of usable security, and in particular PhD students and new researchers in usable security who want a quick start in this field. Those who want to teach this topic will also find the tutorial relevant: a set of summary notes and a large number of pointers to further reading will be provided, so that it should be easy for them to extend the tutorial into a full course.
Bio
Jeff Yan is on the faculty of computer science at Newcastle University, England, where he leads research on systems and usable security. He has a PhD in computer security from Cambridge University. The password security and memorability study he carried out with colleagues at Cambridge in 1999 – 2000 was an early influential work in the field of usable security. He is a contributor to the O'Reilly book “Security and Usability: Designing Secure Systems that People Can Use” (2005), the first book on usable security, and was on the program committee for the first Symposium on Usable Privacy and Security (SOUPS), held at Carnegie Mellon in 2005. Recent work on usable security in his team includes 1) a novel graphical password scheme (CCS’07), which was selected by the Royal Society – the UK’s national academy – for their 2008 Summer Science Exhibition, and 2) the robustness and usability of CAPTCHAs (CCS’08, SOUPS’08), which has influenced the design of a number of CAPTCHAs, including those that have been widely deployed by Microsoft and Yahoo!.
Last modified: 2009-08-21 17:57:58 EDT