11:30 AM - 12:25 PM
Oak Room 1, Cinnamon Grand Colombo

Why Johnny still finds usable security and privacy engineering so hard?

Many aspects of cyber security synthesize technical and human factors. If a highly secure system is unusable, users will try to bypass the system or move entirely to less secure but more usable systems. Problems with usability contribute to many high-profile security failures in today's technology-filled world. Nevertheless, usable security is not well-aligned with traditional usability, for several reasons. First, security is very often not the primary task of the user. In most cases, security is not the primary purpose of using a computer. People use computers to shop, socialize, communicate, and be educated and entertained. Many applications handle security issues through security alerts that interrupt the users' primary task. Therefore, users perceive security as a secondary task. Whenever security is secondary, it opposes the usability of the primary task: users find it distracting and would rather ignore, circumvent, or even defeat it. Second, securing information is about understanding risk and threats. Unlike traditional research in HCI, (usable) security and privacy focuses on the context of an adversary whose goal is to manipulate the user rather than break into the system directly. This poses a great challenge for researchers, who need to model and reason about how adversaries (i.e., bad guys) will make their attacks successful. Of course, it is rather important to understand how human behaviour can be leveraged so that users protect themselves from cyber-crime. Such communication is most often unwelcome in the HCI community, and increasing unwelcome interaction is not a goal of usable security and privacy design. Third, discrete technical problems are all well understood under the umbrella of online security and privacy (e.g., attacks such as phishing, malware, spyware, social engineering, and Distributed Denial-of-Service (DDoS) attacks).
A broader concept of both security and usability is therefore required for usable security systems. In this talk, my goals are to identify issues in developing usable security and privacy systems in order to design new systems that achieve better security and privacy solutions by taking end users into account. I will also talk about designing serious games for cyber security education.