34.2. Understanding the Problem

Before describing the user test, we provide a specific definition of usability for security, identify the key properties of security as a problem domain for user interface design, and define a usability standard for PGP.

34.2.1. Defining Usability for Security

Usability necessarily has different meanings in different contexts. For some, efficiency may be a priority; for others, learnability; for still others, flexibility. In a security context, our priorities must be whatever is needed in order for the security to be used effectively. We capture that set of priorities in the following definition:

Definition: Security software is usable if the people who are expected to use it:

  • Are reliably made aware of the security tasks they need to perform

  • Are able to figure out how to successfully perform those tasks

  • Don't make dangerous errors

  • Are sufficiently comfortable with the interface to continue using it

34.2.2. Problematic Properties of Security

Security has some inherent properties that make it a difficult problem domain for user interface design. Design strategies for creating usable security will need to take these properties explicitly into account, and generalized user interface design does not do so. We describe five such properties here; it is possible that there are others that we have not yet identified.

  1. The unmotivated user property

    Security is usually a secondary goal. People do not generally sit down at their computers wanting to manage their security; rather, they want to send email, browse web pages, or download software, and they want security in place to protect them while they do those things. It is easy for people to put off learning about security, or to optimistically assume that their security is working, while they focus on their primary goals. Designers of user interfaces for security should not assume that users will be motivated to read manuals or go looking for security controls that are designed to be unobtrusive. Furthermore, if security is too difficult or annoying, users may give up on it altogether.

  2. The abstraction property

    Computer security management often involves security policies, which are systems of abstract rules for deciding whether to grant access to resources. The creation and management of such rules is an activity that programmers take for granted, but that may be alien and unintuitive to many members of the wider user population. User interface design for security will need to take this into account.

  3. The lack of feedback property

    The need to prevent dangerous errors makes it imperative to provide good feedback to the user, but providing good feedback for security management is a difficult problem. The state of a security configuration is usually complex, and attempts to summarize it are not adequate. Furthermore, the correct security configuration is the one that does what the user "really wants," and because only the user knows what that is, it is hard for security software to perform much useful error checking.

  4. The barn door property

    The proverb about the futility of locking the barn door after the horse is gone is descriptive of an important property of computer security: once a secret has been left accidentally unprotected, even for a short time, there is no way to be sure that it has not already been read by an attacker. Because of this, user interface design for security needs to place a very high priority on making sure users understand their security well enough to keep from making potentially high-cost mistakes.

  5. The weakest link property

    It is well known that the security of a networked computer is only as strong as its weakest component. If a cracker can exploit a single error, the game is up. This means that users need to be guided to attend to all aspects of their security, not left to proceed through random exploration as they might with a word processor or a spreadsheet.

34.2.3. A Usability Standard for PGP

People who use email to communicate over the Internet need security software that allows them to do so with privacy and authentication. The documentation and marketing literature for PGP presents it as a tool intended for that use by this large, diverse group of people, the majority of whom are not computer professionals. Referring back to our general definition of usability for security, we derived the following question on which to focus our evaluation:

Stating the question in more detail, we want to know whether that person will, at minimum:

  • Understand that privacy is achieved by encryption, and figure out how to encrypt email and how to decrypt email received from other people

  • Understand that authentication is achieved through digital signatures, and figure out how to sign email and how to verify signatures on email from other people

  • Understand that in order to sign email and allow other people to send him encrypted email, a key pair must be generated, and figure out how to do so

  • Understand that in order to allow other people to verify his signature and to send him encrypted email, he must publish his public key, and figure out some way to do so

  • Understand that in order to verify signatures on email from other people and send encrypted email to other people, he must acquire those people's public keys, and figure out some way to do so

  • Manage to avoid such dangerous errors as accidentally failing to encrypt, trusting the wrong public keys, failing to back up his private keys, and forgetting his passphrases

  • Be able to succeed at all of this within a few hours of reasonably motivated effort

This is a minimal list of items that are essential for correct use of PGP. It does not include such important tasks as having other people sign the public key, signing other people's public keys, revoking the public key and publicizing the revocation, or evaluating the authenticity of a public key based on accompanying signatures and making use of PGP's built-in mechanisms for such evaluation.
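The chapter observes that security software can do little error checking because only the user knows what is "really wanted," and it lists the dangerous errors an evaluation must watch for (failing to encrypt, trusting the wrong public keys). One way a mail client can still give useful feedback is to ask for the user's intent explicitly and compare it with the state of the outgoing message before it leaves. The following added example (not code from the chapter or from PGP) models that pre-send check; the keyring layout, fingerprints and validity labels are constructed for illustration.

```python
"""Pre-send intent check: compare what the user wanted (privacy, authentication)
with what the outgoing message actually has, and report the mismatches that
the text names as dangerous errors. All data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Keyring:
    # fingerprint -> (owner address, validity as judged by the user)
    # validity is one of "valid", "marginal", "unknown" (labels are assumed)
    keys: dict


@dataclass
class OutgoingMail:
    recipient: str
    encrypted_to: set = field(default_factory=set)  # key fingerprints used
    signed: bool = False


def check_before_send(mail, keyring, want_privacy, want_auth):
    """Return a list of problems; an empty list means the message matches intent."""
    problems = []
    if want_privacy:
        if not mail.encrypted_to:
            # the "accidentally failing to encrypt" error
            problems.append("message is not encrypted")
        for fpr in sorted(mail.encrypted_to):
            entry = keyring.keys.get(fpr)
            if entry is None:
                problems.append(f"encrypted to unknown key {fpr}")
                continue
            owner, validity = entry
            if owner != mail.recipient:
                # the "trusting the wrong public key" error: key belongs to someone else
                problems.append(f"key {fpr} belongs to {owner}, not {mail.recipient}")
            elif validity != "valid":
                # key carries the right name but the user never validated it
                problems.append(f"key {fpr} for {owner} has validity '{validity}'")
    if want_auth and not mail.signed:
        problems.append("message is not signed")
    return problems


# Constructed keyring: one validated key, one unvalidated key with the right name.
SAMPLE_KEYRING = Keyring({
    "AAAA1111": ("alice@example.org", "valid"),
    "BBBB2222": ("bob@example.org", "marginal"),
})
```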



Security and Usability. Designing Secure Systems that People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295