USABILITY Ben Aaron

The Relationship Between Usability and Security We have to have both.

TECHNICAL OVERVIEW (But not so technical)

What Is Usability? ■“Usability is a quality attribute that assesses how easy user interfaces are to use.” (Nielson 2012) ■Incorporates elements of Learnability, Efficiency, Memorability, Errors and Satisfaction (Nielson 2012)

Psychological Acceptability ■“It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors” – Saltzer & Schroeder, 1974 (24 Deadly Sins pg 218) ■“Security only works if the secure way also happens to be the easy way” – Culp, 2000 (24 Deadly Sins pg 218)

How Does It Occur ■Tunnel vision of designers/software engineers – “It’s easy for me to use!” ■Not understanding your audience: –Administrators ■Deal with lots of information ■Optimization over security –End users ■Generally not technically literate ■Will find ways to circumvent security if it gets in their way

Where Does It Occur? ■Security messages to users –Too little information – bad for administrators –Too much information – bad for users –Too many messages – users won’t read or will disable them –Inaccurate or generic information – may keep out attackers, but won’t help users –Errors with only error codes – users won’t understand ■Authentication –Password restrictions may be too hard for users

EXAMPLES

Authentication ■Password Trouble at Lowes: –Password must be 8 characters long –Password must contain 1 letter and one number –Can’t be both? ■Security Questions for Online Insurance: –Generic questions –Non-specific answers –Case sensitive

Error Messages BadGood

DETECTION AND AVOIDANCE

Detection Methods ■Code Review –UI code for security options ■Is security on by default? –Look at authentication system ■Option to accept an unauthenticated external connection? ■Obvious way to reset password? Can this be exploited for denial-of-service attack? ■Use/Misuse/Abuse Cases –Essential element of usability testing ■Field Testing

Avoidance of Errors ■Invisibly Strengthen Security (OWASP & 24 Deadly Sins) –Set tighter security features automatically so that user’s are not responsible –Hide security features so that users won’t disable them ■Typical users won’t expend more than three clicks to select an option (24 Deadly Sins pg 226) ■Make Security Understandable (OWASP & 24 Deadly Sins) –Easier to read messages –Positive Reinforcement ■Green browser bar for secure websites ■Train Users (OWASP) –Phishing s as learning tools

Avoidance of Errors ■Make Selective Relaxing of Security Easier, but Inform Users of Consequenses (24 Deadly Sins) –Information bars in browsers –Don’t be too technical! Rule of thumb: go for 8 th grade reading level. ■Make It Actionable (24 Deadly Sins) –Users like to have control over their computing environment, and can sometimes be able to fix a problem on their own if guided to do so ■Provide Central Management (24 Deadly Sins) –Active Directory Group Policy in Windows – everything in one window

CONCLUSION

Conclusion ■Applications must be both secure and usable in order to be either. ■Security engineers and software developers need to work with usability engineers. ■Users aren’t Lusers! ■Don’t lose the forest for the trees.

References ■"Building Usable Security." OWASP. OWASP, 15 Dec Web. 25 July ■Howard, Michael, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, Print. ■Nielson, Jakob. "Usability 101: Introduction to Usability." Nielson Norman Group: Evidence-Based User Experience Research, Training, and Consulting. Nielson Norman Group, 4 Jan Web. 25 July 2016.