Section 34.7. Related Work


We have found very little published research to date on the problem of usability for security. Of what does exist, the most prominent example is the Adage project,[21], [22] which is described as a system designed to handle authorization policies for distributed applications and groups. Usability was a major design goal in Adage, but it is intended for use by professional system administrators who already possess a high level of expertise, and as such it does not address the problems posed in making security effectively usable by a more general population. Work has also been done on the related issue of usability for safety-critical systems,[23] such as those that control aircraft or manufacturing plants, but we may hope that, unlike the users of personal computer security, the users of those systems will be carefully selected and trained.

[21] The Open Group Research Institute, Adage System Overview; published on the Web in July 1998.

[22] Mary Ellen Zurko and Richard T. Simon, User-Centered Security, New Security Paradigms Workshop (1996).

[23] Nancy G. Leveson, Safeware: System Safety and Computers (Reading, MA: Addison Wesley, 1995).

Ross Anderson discusses the effects of user noncompliance on security,[24] and Don Davis analyzes the unrealistic expectations that public key-based security systems often place on users.[25] Beyond that, we know of only one paper on usability testing of a database authentication routine,[26] and some brief discussion of the security and privacy issues inherent in computer-supported collaborative work.[27] John Howard's thesis[28] provides interesting analyses of the security incidents reported to CERT[29] between 1989 and 1995, but focuses more on the types of attacks than on the causes of the vulnerabilities that those attacks exploited, and represents only incidents experienced by entities sophisticated enough to report them to CERT.

[24] Ross Anderson, "Why Cryptosystems Fail," Communications of the ACM 37:11, 1994.

[25] Don Davis, "Compliance Defects in Public-Key Cryptography," Proceedings of the 6th USENIX Security Symposium (1996).

[26] Clare-Marie Karat, "Iterative Usability Testing of a Security Application," Proceedings of the Human Factors Society 33rd Annual Meeting (1989).

[27] HongHai Shen and Prasun Dewan, "Access Control for Collaborative Environments," Proceedings of CSCW '92.

[28] John D. Howard, An Analysis of Security Incidents on the Internet 1989-1995, Ph.D. Thesis, Carnegie Mellon University (1997).

[29] CERT is the Computer Emergency Response Team formed by the Defense Advanced Research Projects Agency, located at Carnegie Mellon University.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295