Section 34.1. Introduction



Security mechanisms are effective only when used correctly. Strong cryptography, provably correct protocols, and bug-free code will not provide security if the people who use the software forget to click on the Encrypt button when they need privacy, give up on a communication protocol because they are too confused about which cryptographic keys they need to use, or accidentally configure their access control mechanisms to make their private data world readable. Problems such as these are already quite serious: at least one researcher, Matt Bishop,[2] has claimed that configuration errors are the probable cause of more than 90% of all computer security failures. Because average citizens are now increasingly encouraged to make use of networked computers for private transactions, the need to make security manageable for even untrained users has become critical.[3], [4]

[2] Matt Bishop, UNIX Security: Threats and Solutions, presentation to SHARE 86.0 (March 1996).

[3] "The End of Privacy," The Economist (May 1, 1999), 21-23.

[4] Stephen Kent, "Security," More Than Screen Deep: Toward Every-Citizen Interfaces to the Nation's Information Infrastructure (Washington, D.C.: National Academy Press, 1997).

This is inescapably a user interface design problem. Legal remedies, increased automation, and user training provide only limited solutions. Individual users may not have the resources to pursue an attacker legally, and may not even realize that an attack took place. Automation may work for securing a communications channel, but not for setting an access control policy when a user wants to share some files and not others. Employees can be required to attend training sessions, but home computer users cannot.

Why, then, is there such a lack of good user interface design for security? Are existing general user interface design principles adequate for security? To answer these questions, we must first understand what kind of usability security requires in order to be effective. In this chapter, we offer a specific definition of usability for security, and identify several significant properties of security as a problem domain for user interface design. The design priorities required to achieve usable security, and the challenges posed by the properties we discuss, are significantly different from those of general consumer software. We therefore suspect that making security usable will require the development of domain-specific user interface design principles and techniques.

To investigate further, we looked to existing software to find a program that was representative of the best current user interface design for security, an exemplar of general user interface design as applied to security software. By performing a detailed case study of the usability of such a program, focusing on the impact of usability issues on the effectiveness of the security the program provides, we were able to get valuable results on several fronts. First, our case study serves as a test of our hypothesis that user interface design standards appropriate for general consumer software are not sufficient for security. Second, good usability evaluation for security is itself something of an open problem, and our case study discusses and demonstrates the evaluation techniques that we found to be most appropriate. Third, our case study provides real data on which to base our priorities and insights for research into better user interface design solutions, both for the specific program in question and for the domain of security in general.

We chose PGP 5.0 [5], [6], [7] as the best candidate subject for our case study. Its user interface appears to be reasonably well designed by general consumer software standards, and its marketing literature[8] indicates that effort was put into the design, stating that the "significantly improved graphical user interface makes complex mathematical cryptography accessible for novice computer users." Furthermore, because public key management is an important component of many security systems being proposed and developed today, the problem of how to make the functionality in PGP usable enough to be effective is widely relevant.

[5] At the time of this writing, PGP 6.0 has recently been released. Some points raised in our case study may not apply to this newer version; however, this does not significantly diminish the value of PGP 5.0 as a subject for usability analysis. Also, our evaluation was performed using the Apple Macintosh version, but the user interface issues we address are not specific to a particular operating system and are equally applicable to Unix and Windows security software. [Note added in July 2005: Since the original 1999 publication of our paper, PGP has been substantially modified. The current version of PGP shipping is PGP Desktop 9.0.]

[6] Simson Garfinkel, PGP: Pretty Good Privacy (Sebastopol, CA: O'Reilly Media, 1995).

[7] Pretty Good Privacy, Inc., User's Guide for PGP for Personal Privacy, Version 5.0 for the Mac OS. Packaged with software, 1997.

[8] Jeffrey Rubin, Handbook of Usability Testing: How to Plan, Design, and Conduct Effective Tests (New York: John Wiley & Sons, Inc., 1994).

We began by deriving a specific usability standard for PGP from our general usability standard for security. In evaluating PGP 5.0's usability against that standard, we chose to employ two separate evaluation methods: a direct analysis technique called cognitive walkthrough,[9] and a laboratory user test.[10] The two methods have complementary strengths and weaknesses. User testing produces more objective results, but is necessarily limited in scope; direct analysis can consider a wider range of possibilities and factors, but is inherently subjective. The sum of the two methods produces a more exhaustive evaluation than either could alone.

[9] Cathleen Wharton, John Rieman, Clayton Lewis, and Peter Polson, "The Cognitive Walkthrough Method: A Practitioner's Guide," Usability Inspection Methods (New York: John Wiley & Sons, Inc., 1994).

[10] Rubin.

We present a point-by-point discussion of the results of our direct analysis, followed by a brief description of our user test's purpose, design, and participants, and then a compact discussion of the user test results. A more detailed presentation of this material, including user test transcript summaries, may be found in Whitten and Tygar.[11]

[11] Alma Whitten and J. D. Tygar, Usability of Security: A Case Study, Carnegie Mellon University School of Computer Science Technical Report CMU-CS-98-155 (Dec. 1998).

Based on the results of our evaluation, we conclude that PGP 5.0's user interface does not come even reasonably close to achieving our usability standard: it does not make public key encryption of electronic mail manageable for average computer users. This, along with much of the detail from our evaluation results, supports our hypothesis that security-specific user interface design principles and techniques are needed. In our continuing work, we are using our usability standard for security, the observations made in our direct analysis, and the detailed findings from our user test as a basis from which to develop and apply appropriate design principles and techniques.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295
