Professional Documents
Culture Documents
Better Together:
at humancomputer interaction
conferences as well as user stud
ies published at security and pri
vacy conferences. In addition,
new conferences and workshops
have emerged that focus explic
itly on usable privacy and secu
rity, including the Symposium
on Usable Privacy and Security,
which held its 10th annual con
ference in July 2014 (http://cups
.cs.cmu.edu/soups).
Researchers who have ventured
into this fundamentally multi
disciplinary area have found that
advancing usable security often
requires simultaneous consider
ation of knowledge from multiple
fields. Furthermore, usable secu
rity research frequently benefits
from studying user behavior in the
presence of an adversary. Thus,
usable security researchers often
use deception to study how users
behave during a (simulated) cyber
attack. For example, when studying
a computer security warning, it isnt
sufficient to observe users respond
ing to a warning under normal
conditions. To understand the
warnings effectiveness, researchers
must develop simulated cyberattack
scenarios and observe users whove
been led to believe theyre actually
at risk.46 This approach is effective
for not only studying users but also
creating teachable moments that
motivate users to pay attention to
security training.7
An important goal in usable
privacy and security research is
Usability Research
j6sys.indd 89
November/December 2014
89
11/13/14 2:57 PM
SYSTEMS SECURITY
j6sys.indd 90
11/13/14 2:57 PM
However, some password alternatives might be well-suited to particular applications with a more
limited set of constraints or as a factor in a multifactor authentication
scheme. Multifactor authentication
schemes that combine passwords
with hardware tokens, biometrics, or
smartphone-based authentication
can provide significant security benefits and are commonly required for
high-security applications or made
available to users who are willing to
put up with some inconvenience for
added security.
Going beyond
j6sys.indd 91
91
11/13/14 2:57 PM
SYSTEMS SECURITY
Solutions
j6sys.indd 92
References
1. Grand Challenges for Engineering, National Academy Eng., 2008;
www.engineeringchallenges.org.
2. G. Gay, Activity-Centered Design:
An Ecological Approach to Designing Smart Tools and Usable Systems,
MIT Press, 2004.
3. L. Cranor and S. Garfinkel, Security and Usability, OReilly Media,
2005.
4. S. Egelman, L. Cranor, and J. Hong,
Youve Been Warned: An Empirical Study of the Effectiveness of
Web Browser Phishing Warnings,
Proc. SIGCHI Conf. Human Factors in Computing Systems, 2008, pp.
10651074.
5. J. Sunshine et al., Crying Wolf:
An Empirical Study of SSL Warning Effectiveness, Proc. 18th Conf.
Usenix Security Symp., 2009, pp.
399416.
6. C. Bravo-Lillo et al., Your Attention Please: Designing SecurityDecision UIs to Make Genuine
Risks Harder to Ignore, Proc. 8th
Symp. Usable Privacy and Security
(SOUPS 13), 2013, article 6.
7. P. Kumaraguru et al., Teaching
Johnny Not to Fall for Phish, ACM
Trans. Internet Technology, vol. 10,
no. 2, 2010, pp. 131.
8. L. Cranor, A Framework for Reasoning about the Human in the
Loop, Proc. Usability, Psychology,
and Security, 2008, article 1.
9. R.W. Reeder et al., Expandable
Grids for Visualizing and Authoring Computer Security Policies,
Proc. SIGCHI Conf. Human Factors
in Computing Systems, 2008, pp.
14731482.
10. R.W. Reeder et al., More than
Skin Deep: Measuring Effects of
the Underlying Model on Access-
Control System Usability, Proc.
SIGCHI Conf. Human Factors in Computing Systems, 2011, pp. 20652074;
doi:10.1145/1978942.1979243.
11. P.G. Kelley et al., Guess Again
(and Again and Again): Measuring
Password Strength by Simulating
Password-Cracking Algorithms,
November/December 2014
11/13/14 2:57 PM
NEW
STORE
Find the latest trends
and insights for your
presentations
research
events
webstore.computer.org
7/2/14 10:47 AM
Newsletters
of computer science and of engineering and public policy at Carnegie Mellon University. Contact
her at lorrie@acm.org.
computer.org/newsletters
j6sys.indd 93
93
11/13/14 2:58 PM