Usable Security
We so often see in security that the person who designs a system sits in their office and comes up with how it should probably work and what they think is secure. They give no consideration to human workflows, tasks, or usability; they impose the design on people and expect them to conform. When people are reasonably trying to get their work done and the security system gets in their way, they try to get around it, because it is stopping them from doing their job. What we need to do is make sure that human workflows, capabilities, and tasks are incorporated into the security side, so that things actually work.
What does usable security cover? The aspects of human-computer interaction:
- How do we understand people's cognitive and psychological abilities?
- How do we understand their tasks and what they're trying to do?
- How do we design that understanding into systems and evaluate how well the systems do?
- How can a designer build in an understanding of humans to make systems that are ultimately more secure?
What is human-computer interaction?
HCI is the study of how people interact with technology.
- The people: we want to understand both the psychological and cognitive abilities of users.
- The technology: both the design and the evaluation of technology.
- How the two fit together.
We use what we know about people, their tasks, and the way they interact with systems to design technology that will work well for them, and we also evaluate how well that technology works to make sure we've done it right.
Overall, the goal is to make sure that people aren't working any harder than necessary to use the designed technology. So it is necessary to evaluate systems, to make sure that they're easy for people to use. This is how HCI applies to usable security.
Usability
Usability is a way to measure and understand how easy it is for people to use a system. When measuring usability, there are five main factors to consider:
- Speed: a way of measuring how quickly a user can accomplish the task. It is generally measured in time: how long does it take to complete the task? We ignore mistakes here, so we assume the users are acting in an optimal way and not making a lot of mistakes.
- Efficiency: a way of measuring how many mistakes are made in accomplishing the task. Someone might be able to accomplish a task very quickly but also make a lot of mistakes along the way. A simple typo may be a less severe error than something a user does that causes the whole program to shut down, losing their work and forcing them to start over.
- Learnability: a way of measuring how easy it is for a user to learn to use the system. This lets us know how well someone can come into the system for the first time and get up and running with it. Ideally, they would need very little instruction and be able to find the features they need quite quickly.
- Memorability: this extends Learnability. Once a user has learned how to use the system, Memorability tells us how easy it is for them to remember how to use it. If they've stopped using the system for a while and they come back, is it likely that they quickly remember how to use it, or do they need to practice and relearn some of the features?
- User Preference: what the users like most. Ideally, users will prefer a system that's faster, easier to learn, and that allows them to make fewer mistakes. This is something that we measure with questionnaires and surveys.