Thursday, September 30, 2010

GHC10: Role of Usability in Security

Heather Richter Lipford, from University of North Carolina (Charlotte) and a high school class mate of mine, started out by surveying the audience to see how many bad habits those of us that should know better have: password reuse, falling for phishing, or getting a virus (lots of hands came up).  This is known as the weakest link property, where the people are the weakest link - but could it be because the systems are too hard to use? (this is a reoccurring theme at this conference, it seems). Ms Lipford asks, how to improve this? Consider ease of learning, ability to perform the task quickly, have a low user error rate and high user retention over time.

Some possible solutions to things like phishing would be to have spoof warnings in browsers, but it needs to be something that users will not only notice, but understand what it means. Unfortunately, people are now thinking that things like seeing the lock icon in the browser means the site is legitimate - when all it means is that the site is secure.  Phishing sites, it turns out, can use encryption, too.  Oops!

Dr. Lipford's research is showing that users greatly underestimate the risks and negative outcomes of their behaviour, particularly when it comes to balancing short term gain vs long term risks.

Mary Ellen Zurko, from IBM, talked to us about her specialty in cloud computing. She noted that she's seen a change in how customers interact with IBM. Years ago, customers trusted that vendors would make the product secure and they simply wanted to know about features. Nowadays, customers want to know how the system will be secured and how their data will be protected. This comes up a lot when it comes to cloud computing, perhaps because the data is no longer centrally located and people feel more vulnerable.

More recently, people have a growing concern about keeping their email address private than a decade ago, this is a strange concept for me, but the thought of no spam is nice ....

What is usable security?  UI designers need to be thinking about this usable security early in the design, make sure it's obvious and available to everyone, and avoiding surprises by anticipating future changes and addressing confusion and make sure you handle user mistakes.

Diana K. Smetters, from PARC/Google, started out by noting that more than 50% of the certificates on the Internet are wrong (this could be because they are expired, site address mismatch, invalid, etc), so all "rational" users who actually want to use the Internet are going to always click through!

You've got to meet the users half way (or more than that). For example, phishing attacks are a mismatch problem.  The browser doesn't know the user's intent, ie they don't know you don't want to go to the evil PayPal imitation site. One approach to this is to not use general purpose browsers for accessing sites like banks, but rather an application - but that only works if you can get the users to use the application! [Side note: not to mention having cross platform support.]

You have no idea what a user will find difficult, unless you do an actual usability study. You have to give up on what you think would be good for the user (no matter how right you know you are) and you have to think about all types of users.

Dr. Lipford came back to expand this to to privacy as well. She talked about photo sharing sites, where other people upload and tag photos of you. The problem is that you may not want to have these photos linked to your profile or online identity. The problem is very complicated, because it may not be that you don't want to share the photo at all, but just not necessarily share it with everyone in your network. It's not just strangers that people don't want to share with - it could be that you don't want people you work with to see you drinking that giant beer at a friend's party.  The thing is, even people who have had problems with photo sharing in the  past, still continue to share photos, because this is something we as humans love to do.

Dr. Lipford is working with her students on coming up with a photo sharing application that allows two-way feedback between the owner of the photo and the person tagged in it. That is, the tagged person could restrict who could see the photo and request to the owner that the photo be removed.

The panel recommends the book Security and Usability, O'Reilly 2005, and the Symposium on Usable Privacy and Security, for further information on this topic, and mostly to keep in mind that usability and security go hand in hand and need to be designed in from the beginning.