THE SECURITY–USABILITY TRADEOFF MYTH GUEST EDITORS’ INTRODUCTION

Te Security–Usability Tradeof Myth

M. Angela Sasse | University College London Matthew Smith | University of Bonn and Fraunhofer FKIE

sability problems are the root cause of many of today’s IT security incidents. Security mech- U anisms are ofen too time consuming for people to bother with, or so complex that even those willing to use them make mistakes. For more than a decade, usable security researchers and practitioners have tried to address this problem by creating more usable security solutions. Retail- ers, banks, and providers have learned that security that gets in the way of their customers is bad for business. Some organizations"especially those who were “born digital” and have a large customer base"have managed to increase security without impacting business, for instance, by introducing low-efort two-factor authentication and using the data they have to iden- tify unusual behavior paterns. But researchers still identify a disconcerting number of security mechanisms today that induce mistakes or noncompliance, and ultimately put individuals and organizations at risk"or cause consumers to walk away. Tis not only damages digital business but also fosters the unhelpful perception among non–security experts that online security isn’t worth bothering with. As the value of digital transactions continues to increase, so will the number and sophistication of atacks"if the bank robber Willie Suton Jr. were alive today, he would turn to cybercrime, because “that’s where the money is” now. To successfully defend digital business, we need to engage with consumers and ofer them simple and efective security solutions. Tis special issue of IEEE Security & Privacy features three articles and a roundtable discus- sion that examine the relationship between security and usability in detail to identify the per- ceptions, processes, and practices that underlie these continuing problems and to identify what needs to change to move the feld forward. When we examine published usable security research to date, we fnd that most studies have been performed in laboratories with a limited number of participants (ofen students) who were

2 September/October 2016 Copublished by the IEEE Computer and Reliability Societies 1540-7993/16/$33.00 © 2016 IEEE observed on one occasion using a security mechanism. requirement for security to work in the context of busi- Over the past few years, we’ve seen a growing number of ness tasks upfront. Many security experts and devel- studies in which hundreds or thousands of participants, opers in these studies invoked the security–usability recruited via crowdsourcing platforms. In these studies tradeof, which is insidious because it reinforces the participants receive very small payments in return for perception that it’s not necessary to engage with users interacting with a security mechanism and complet- or to understand the tasks uses are engaged in. As Cor- ing surveys. But they use the security mechanisms only mac Herley points out in the roundtable discussion, once or twice, within a couple of days, in the context “Debunking Security–Usability Tradeof Myths,” this of a fctional task that isn’t is “phon[ing] in” an excuse. their own and where Very few participants their money or data in Caputo and her isn’t at risk. Tere’s Pulll quote is approximately 20–25 words. colleagues’ studies a lack of feld studies Pulll quote is approximately 20–25 words. had engaged suf- in real environments Pulll quote is approximately 20–25 words. ciently with usability to understand the Pulll quote is approximately 20–25 words. to realize it would impact that security increase security" mechanisms have because if the secu- on individuals and rity is usable, users businesses. Te article, “Secure and Usable Enterprise will do the security tasks, rather than ignore or circum- Authentication: Lessons from the Field,” by Mary Teo- vent them. fanos and her colleagues, makes a notable contribution As Herley points out, the insidiousness of the pur- because it surveyed more than 30,000 employees of two ported tradeof is that, in the absence of , US government departments on their day-to-day expe- it’s hard to disprove. Te tendency has been to use any riences with two-factor authentication. Te authors hypothetical reduction in security as an excuse for users found that diferent implementations of the same have to bear the cross of workload and complexity that a two-factor produced signifcantly diferent security mechanism puts on them. Te roundtable dis- experiences"reminding us that sometimes small dif- cussion, which also featured Heather Lipford and Kami ferences in implementation can make a big diference to Vaniea, revealed that this atitude squanders user aten- those who have to use the security. tion and efort that will be needed as the number and “Barriers to Usable Security? Tree Organiza- sophistication of atacks increase. Vaniea points out that tional Case Studies,” by Deanna D. Caputo and her about risks and what consumers need colleagues, reports on three sofware development to do needs improvement"for instance, users aren’t organizations that wanted to provide usable security aware that sofware updates are key to security. solutions. A multidisciplinary team interviewed devel- Although usable security researchers see the value opers, management, and security and usability experts of engaging with end users when designing security who had been involved in the development of a certain mechanisms, many experts do not. It’s common for product from each company. However, the research- experts to believe that they know best and that users ers found no tangible evidence that the products were should invest whatever time and efort they believe is usable. Te companies didn’t perform empirical or ana- necessary. Vaniea ofered this quote from a study con- lytic and had no criteria or measure- cerning the Windows 10’s update process: “the audacity ments. Similarly, there was litle or no formal security of a user to question the opinion of the expert who put evaluation"and certainly no metrics. Te interviews this update in there is shocking.” Tis kind of atitude is showed that many developers and security experts of course harmful and needs to be studied. We must fnd didn’t understand usability and its contribution to the ways to help experts engage with users. business process. In the absence of formal testing and A further and as yet unstudied area of usable security measurements, usability was mostly a grudge sale: it research is the mistakes made by experts. Many of the became a concern only when the company experienced most catastrophic security incidents weren’t caused by signifcant problems, such as a drop in sales or a signif- consumers or employees, but by developers or admin- cant rise in help-desk calls. istrators. Heartbleed and Shellshock were both caused Sofware-engineering research established 20 years by single developers and had global consequences. Te ago that the later in the process you have to “fx” fun- recent Sony hack compromised an entire multinational damental problems, the more expensive it will be to IT infrastructure and misappropriated more than 100 do so. But Caputo and her colleagues’ studies found Tbytes of data"unnoticed. Fundamentally, every sof- that, nevertheless, the companies didn’t consider the ware vulnerability and misconfgured system is caused www.computer.org/security 3 THE SECURITY–USABILITY TRADEOFF MYTH

by developer or administrator mistakes, but very litle research has studied the underlying causalities and pos- sible mitigation strategies. A multitude of factors play into this problem. Te frst is the myth that experts are infallible. Similar to Anne Adams and M. Angela Sasse’s seminal work and call to action, “Users Are Not the Enemy,” we need to rethink our stance concerning Executive Committee (ExCom) Members: Christian experts and recognize that they too are only human and Hansen, President; Dennis Hofman, Jr. Past President; should receive as much if not more assistance than end Jefrey Voas, Sr. Past President; W. Eric Wong, VP users because their mistakes are just as natural but ofen Publications; Carole Graas, VP Meetings and Conferences; more critical. Joe Childs, VP Membership; Shiuhpyng Winston Shieh, Te article “Developers Are Not the Enemy! Te VP Technical Activities; Scott Abrams, Secretary; Robert Need for Usable Security APIs,” by Mathew Green and Loomis, Treasurer; Pradeep Ramuhalli, Secretary Mathew Smith, explores this issue in the context of usability of cryptographic APIs. What makes this area Administrative Committee (AdCom) Members: of research particularly challenging is that it’s far harder Scott Abrams, Evelyn H. Hirt, Charles H. Recchia, Jason W. to recruit experts for usability studies, compared to the Rupe, Alfred M. Stevens, and Jefrey Voas relative ease in recruiting end users. Consequently, we haven’t seen many studies involving experts and this http://rs.ieee.org area remains largely unexplored, leaving many more myths to fnd and bust.

Te IEEE Reliability Society (RS) is a technical society within the IEEE, which is the world’s leading professional his is an exciting time for security research" association for the advancement of technology. Te RS is engaged in the engineering disciplines of hardware, , T a time to examine long-held beliefs about how and human factors. Its focus on the broad aspects of reliability to manage security. We need to use scientifc research allows the RS to be seen as the IEEE Specialty Engineering methods to put countermeasures that pass the test on organization. Te IEEE Reliability Society is concerned with sounder footing, and use measurements to check if we’re attaining and sustaining these design attributes throughout doing beter or worse when we make changes. And of the total life cycle. Te Reliability Society has the management, resources, and administrative and technical course, we need to be prepared to bury the beliefs that structures to develop and to provide technical information turn out to be incorrect. Te security–usability tradeof via publications, training, conferences, and technical myth is only the frst to bite the dust. library (IEEE Xplore) data to its members and the Specialty Engineering community. Te IEEE Reliability Society has 28 M. Angela Sasse is a professor at Uni- chapters and members in 60 countries worldwide. Te Reliability Society is the IEEE professional society versity College London. Contact her at a.sasse@ucl. for , along with other Specialty ac.uk. Engineering disciplines. Tese disciplines are design engineering fields that apply scientific knowledge so that Matthew Smith is a computer science professor at the their specific attributes are designed into the system / University of Bonn and the Fraunhofer FKIE. Con- product / device / process to assure that it will perform its intended function for the required duration within a given tact him at [email protected]. environment, including the ability to test and support it throughout its total life cycle. Tis is accomplished concurrently with other design disciplines by contributing to the planning and selection of the system architecture, Letters for the Editor? design implementation, materials, processes, and Please email your components; followed by verifying the selections made by comments or feedback to thorough analysis and test and then sustainment. editor Christine Anthony Visit the IEEE Reliability Society website as it is the ([email protected]). gateway to the many resources that the RS makes available All letters will be edited to its members and others interested in the broad aspects of Reliability and Specialty Engineering. for brevity, clarity, and language.

Selected CS articles and columns are also available for fee at htp://ComputingNow.computer.org.

4 IEEE Security & Privacy September/October 2016