Building Usable Security - Revision history

Simran bakshi at 09:23, 15 December 2014

2014-12-15T09:23:24Z

Simran bakshi at 18:07, 14 December 2014

2014-12-14T18:07:17Z

Simran bakshi: Added more about making security usable.

2014-12-14T18:06:45Z

Added more about making security usable.

Zaldwaik at 18:52, 21 July 2008

2008-07-21T18:52:56Z

Zaldwaik: New page: One the most overlooked aspects of application security is usability. Users are often the weakest link in a software system. If security controls embedded in software systems hinder users...

2008-07-21T18:29:18Z

New page: One the most overlooked aspects of application security is usability. Users are often the weakest link in a software system. If security controls embedded in software systems hinder users...

New page

One the most overlooked aspects of application security is usability. Users are often the weakest link in a software system. If security controls embedded in software systems hinder users’ ability to accomplish their tasks, users will ignore or try to bypass such controls. Building usable security functions is a significant component of building secure systems.

Security engineers generally lack experience in usability engineering. One of the main reasons why application security violations continue to rise, is the fact that many deployed security mechanism are not user friendly, limiting their effectiveness. Unless engineers start thinking more about how to make security more usable, progress in securing systems will be limited.

Many people believe that there is an inherent tradeoff between security and usability. However, that does not have to be the case. This talk will expand on the link between security and usability, and provide guidance on how to build security functions and controls that will facilitate their adoption and reduce users’ resistance to such controls.

← Older revision		Revision as of 09:23, 15 December 2014
Line 13:		Line 13:

	•Training the user- Various web and mobile applications today aim to train the user to make them realize what an actual threat looks like and how to cope with it. A system generated phishing email could be sent to users who on clicking the link, reach a page which educates them about the consequences if the email had really been a phishing link is an example.		•Training the user- Various web and mobile applications today aim to train the user to make them realize what an actual threat looks like and how to cope with it. A system generated phishing email could be sent to users who on clicking the link, reach a page which educates them about the consequences if the email had really been a phishing link is an example.
		+
		+	The challenge to security tools, applications and services can be dealt with by giving the user the control to privacy and security of their systems i.e User Controllable Privacy and Security.
		+	This can only be done in an effective way if the security measures implemented are understandable and easy to maneuver for a lay user and instance of which could be- instead of having 13 different screens as in Windows to change file permissions, have a single, comprehensible one.
		+	New user interfaces need to be developed effectively and efficiently to support users in managing the privacy and security policies that they themselves implement and also the ones implemented by their system.

@@ Line 7: / Line 7: @@
 Since today most security pop-ups are overlooked, most scan reminders are ignored and most updates are automated or not taken care of.
 In such a situation, it becomes important for the developers to come up with workable solutions. These could be by making security more understandable and usable through the following ways:
 •Invisibly strengthening security i.e working behind the scenes- Strengthening the spam filters and various algorithms used to scan attachments, emails and downloads i.e strengthening the anti-virus software algorithms and training them to work better.
 •Making security understandable- Various tools like Spoofguard and others may be helpful in making the user realize when he/she faces a threat. Security pop-ups when a malicious script is executed or the browser address bar turning red incase of an insecure website being accessed are some possible ways.
 •Training the user- Various web and mobile applications today aim to train the user to make them realize what an actual threat looks like and how to cope with it. A system generated phishing email could be sent to users who on clicking the link, reach a page which educates them about the consequences if the email had really been a phishing link is an example.

← Older revision		Revision as of 18:06, 14 December 2014
Line 3:		Line 3:
	Security engineers generally lack experience in usability engineering. One of the main reasons why application security violations continue to rise, is the fact that many deployed security mechanism are not user friendly, limiting their effectiveness. Unless engineers start thinking more about how to make security more usable, progress in securing systems will be limited.		Security engineers generally lack experience in usability engineering. One of the main reasons why application security violations continue to rise, is the fact that many deployed security mechanism are not user friendly, limiting their effectiveness. Unless engineers start thinking more about how to make security more usable, progress in securing systems will be limited.

−	Many people believe that there is an inherent tradeoff between security and usability. However, that does not have to be the case. ~~This talk will expand on~~ the ~~link between~~ security and ~~usability~~, and ~~provide guidance on how~~ to ~~build~~ security ~~functions~~ and ~~controls that will facilitate their adoption~~ and ~~reduce users’ resistance~~ to ~~such controls~~.	+	Many people believe that there is an inherent tradeoff between security and usability. However, that does not have to be the case.
		+
		+	Since today most security pop-ups are overlooked, most scan reminders are ignored and most updates are automated or not taken care of.
		+	In such a situation, it becomes important for the developers to come up with workable solutions. These could be by making security more understandable and usable through the following ways:
		+	•Invisibly strengthening security i.e working behind the scenes- Strengthening the spam filters and various algorithms used to scan attachments, emails and downloads i.e strengthening the anti-virus software algorithms and training them to work better.
		+	•Making security understandable- Various tools like Spoofguard and others may be helpful in making the user realize when he/she faces a threat. Security pop-ups when a malicious script is executed or the browser address bar turning red incase of an insecure website being accessed are some possible ways.
		+	•Training the user- Various web and mobile applications today aim to train the user to make them realize what an actual threat looks like and how to cope with it. A system generated phishing email could be sent to users who on clicking the link, reach a page which educates them about the consequences if the email had really been a phishing link is an example.

@@ Line 1: / Line 1: @@
-One the most overlooked aspects of application security is usability. Users are often the weakest link in a software system. If security controls embedded in software systems hinder users’ ability to accomplish their tasks, users will ignore or try to bypass such controls. Building usable security functions is a significant component of building secure systems.
+One the most overlooked aspects of application security is usability. Users are often the weakest link in a software system. If security controls embedded in software systems hinder users’ ability to accomplish their tasks, users will ignore or try to bypass such controls, a common occurrence in today's systems. Building usable security functions is a significant component of building secure systems.
 Security engineers generally lack experience in usability engineering. One of the main reasons why application security violations continue to rise, is the fact that many deployed security mechanism are not user friendly, limiting their effectiveness. Unless engineers start thinking more about how to make security more usable, progress in securing systems will be limited.
 Many people believe that there is an inherent tradeoff between security and usability. However, that does not have to be the case. This talk will expand on the link between security and usability, and provide guidance on how to build security functions and controls that will facilitate their adoption and reduce users’ resistance to such controls.