Usability Flashcards
Usability definition-Iso 9241-11
The extent of which a product can can be use by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use
Integrated Iterative Design for Usability & Security
Integrated: security and usability experts working together in the project development team since the beginning
Iterative: user-centered development cycle
Holy grails pf usable security since 1999
- Users are not the enemy
- Why johnny cant encrypt
E2E secure communication
Communication is often called secure even though is not e2e secure
E2E goal- authenticity of sender- integrity of message- confidentiality
Attacker-man in the middle-impersonation of the trusted sender.
Protection in e2e means:
Integrity-digital signatures
Confidentiality-asymmetric encryption
How it works: message is first hashed, then the shorter hash is digitally signed.
Or hybrid encryption:sender generates a random key, then encodes the message.
Key Continuity Management KCM
S/MIME uses public key certificates that are issued by a central authority which needs to be trusted by both the sender and receiver. Trusted means that root certificates of the CA are integrated into the respective email clients.
Kcm extends the S/MIME functionality but elimimates the dependency on a central agency. Instead of relying on a CA, each user generates their own S/MIME certificate and attaches it to all outgoing messages. Trust creation in the basis of trust on first use, the recipient assumes the senders key and email are genuine the first time. Then encrypted convos follow.
KCM displays a warning if the public key of the communication partner has changed. This model is also used by whatsapp, signal
Issues with Iso usability definition
Product- security is often integrated in products(part of them)
Specified users-most users are not security experts- no training, knowledge or experience can be assumed
User goals- security is a second goal/task. Tasks should concern primary goals
Effectiveness- how can users notice that security is reached? Security is often not visible.
Teachers definition
Usability of a secure system or policy, is the extent to which this system or policy can be used by specified users to achieve primary goals and the specified security goals( some of these goals being invisible to users) with effectiveness, efficency and satisfaction(or at least low dissatisfaction) during the execution of the specified primary user tasks, in a specified context of use, including the specified attacks.
Approaches to usable security
Invisible security- make it just work- automated security
Understandable security- make it visible and intuitive
Awareness, education, training-user effort should match the benefit, most difficult to achieve
Values in security design for password policies
Security experts: confidentiality and integrity:dont let bad guys in, should be difficult to guess
Users- availability- dont lock me out, pass should be memorable
Finger print : social acceptability
Hygiene
Being associated with criminals
Fear of attack-having finger chopped off
Relation between usability and security
Long random passwords
Usability:low
Security against offline guessing-high
Single pass per account , not written down
Usability-low
Security against pass reuse and theft:high
Usability vs security
Security- prohibits or restricts
Usability-enables
Usable security
-security measures should not restrict functionality, performance and usability in an non-attack state
Systems should work properly even under attacks