José Carlos Brustoloni

It is increasingly recognized that a major weakness in existing computer and network security schemes is that they are not sufficiently easy to use. Many users configure and use security features incorrectly or not at all. In practice, poor usability is often more detrimental to system security than are weaknesses in underlying cryptographic algorithms.
Three main approaches have been proposed for making security more usable: making security transparent to users, making security interfaces easier to use, or better training users. This page gives an overview of my research on each of these approaches.
The ideal way to make security more usable would be to design schemes that are transparently secure, i.e., do not require any special user awareness or action in order to be secure.
I investigated how to design such a scheme for securing access to Wi-Fi networks. These networks are used to provide Internet access in public venues, such as hotels, airports, and cafés. Because clients typically use their own computers without any onsite technical help, it is very important that the service provider secure the network in a way that interoperates readily and intuitively with client equipment. In the following paper, I showed that the scheme normally used (captive portals) is vulnerable to attacks, and I described two novel schemes (session id checking and MAC sequence number tracking) that thwart those attacks and are transparent to users:
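The MAC sequence number tracking idea above, as an added illustration that is not the scheme from the paper: the access point remembers the last 802.11 sequence number seen from each client MAC and flags frames whose number does not fit the expected progression, which is what a second device reusing an authorized client's MAC produces. The loss tolerance of 32 frames and the sample capture are assumptions made for this example.

```python
# Added illustration (not the paper's scheme): detect a second station
# reusing an authorized client's MAC by tracking the 802.11 sequence
# number that each MAC is expected to use next.

SEQ_MODULO = 4096        # 802.11 sequence numbers are 12 bits wide
MAX_FORWARD_GAP = 32     # tolerated frame loss between observations (assumption)


class SeqTracker:
    """Keeps the last accepted sequence number per source MAC and flags
    frames that break the expected monotonic (wrapping) progression."""

    def __init__(self, max_gap=MAX_FORWARD_GAP):
        self.max_gap = max_gap
        self.last = {}   # mac -> last accepted sequence number

    def observe(self, mac, seq):
        """Return True if the frame looks like it came from a second device
        using this MAC, False if it is consistent with a single station.
        Caveat: a client that reassociates resets its counter, so a real
        deployment would also reset state on (re)association."""
        seq %= SEQ_MODULO
        prev = self.last.get(mac)
        if prev is None:
            self.last[mac] = seq
            return False
        gap = (seq - prev) % SEQ_MODULO   # forward distance with wraparound
        if gap == 0:
            return False                  # retransmission of the last frame
        if gap <= self.max_gap:
            self.last[mac] = seq          # normal progression, some loss is ok
            return False
        return True                       # far ahead or behind: two senders


def scan(frames, max_gap=MAX_FORWARD_GAP):
    """Run the tracker over (mac, seq) pairs; return indices of flagged frames."""
    tracker = SeqTracker(max_gap)
    return [i for i, (mac, seq) in enumerate(frames) if tracker.observe(mac, seq)]


# Constructed sample capture: one legitimate client, interleaved with frames
# from a second device that reuses its MAC but has its own counter.
SAMPLE_FRAMES = [
    ("aa:bb:cc:00:00:01", 100),
    ("aa:bb:cc:00:00:01", 101),
    ("aa:bb:cc:00:00:01", 101),   # retransmission: accepted
    ("aa:bb:cc:00:00:01", 103),   # one frame lost: still accepted
    ("aa:bb:cc:00:00:01", 2300),  # second device's counter: flagged
    ("aa:bb:cc:00:00:01", 104),   # real client continues normally
    ("aa:bb:cc:00:00:01", 2301),  # second device again: flagged
    ("aa:bb:cc:00:00:02", 4095),
    ("aa:bb:cc:00:00:02", 0),     # counter wrapped around: accepted
]

if __name__ == "__main__":
    print("flagged frame indices:", scan(SAMPLE_FRAMES))  # [4, 6]
```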
In many cases, it does not appear possible to secure a system in a way that is totally transparent to users. Existing security schemes often encounter exceptions that cannot be resolved automatically. In such cases, the user may need to provide an input or perform some action. Ideally, the user interface for handling such an exception would be intuitive and enable even untrained users to resolve the problem. In practice, however, applications often simply warn the user and ask whether the user wishes to cancel or continue. Most users do not understand the warning and blindly continue.
I have investigated how to design interfaces that better guide the user in resolving such exceptions. In the following paper, I characterized a class of interfaces that provide guidance without override (GWO). GWO interfaces tell the user how to resolve an exception securely and do not allow the user to proceed otherwise. I applied GWO to certificate verification. Certificate verification is crucial for security in many Internet protocols, such as SSL. However, user studies show that most users accept certificates that cannot be verified. Consequently, even protocols that are theoretically very secure, such as SSL, in practice provide little security to most users. GWO prevents acceptance of unverified certificates, upholding SSL's security. It also guides the user in solving the verification problem, thus also preserving usability:
The above paper also characterizes guidance with override (G+O). G+O interfaces suggest but do not enforce how to resolve a security exception. Therefore, G+O is easier to apply than is GWO. I applied G+O to the problem of whether to allow a user to send a password unencrypted. Many Web sites and Internet protocols invite the user to send unencrypted passwords, but this is dangerous because attackers can eavesdrop and later impersonate the user. User studies reported in the above paper suggest that G+O significantly enhances user security decisions, although not as much as does GWO.
User studies also show that users will often provide false answers to security dialogs if necessary to get an application to perform actions users want. Why users would behave in such a counter-productive manner is a puzzling and poorly understood problem in usable security.
I model this behavior according to operant conditioning theory. The user learns behaviors (user answers) that cause rewarding consequences (system actions the user wants). The user also associates antecedents (fixed security dialog prompts) to the behaviors that bring about those rewarding consequences. Reinforced by the latter, the user's behavior becomes habitual. Dialog prompts automatically trigger rewarding but possibly false user answers.
In the following paper, I proposed two novel user interface techniques, polymorphic dialogs and audited dialogs, inspired by this operant conditioning model. They attempt to improve user behavior by manipulating the behavior's antecedents and consequences, respectively. Polymorphic dialogs deliberately vary the form of user input, so as to avoid triggering users' habitual answers. Audited dialogs send user answers and their context to auditors. Auditors may impose various penalties, such as suspension, fines, or required training, if they find a user's answers unjustified.
I applied these techniques to the problem of whether to allow a user to open a potentially infected email attachment. Email attachments are a primary transmission vector for computer viruses and other malware. Anti-virus software is ineffective against recent or targeted viruses; consequently, users should open an attachment only when it is a justifiable risk (e.g., the user knows the sender and was expecting the attachment from her). User studies show that most users open attachments that are unjustified risks, and that polymorphic and audited dialogs greatly reduce user acceptance of such risks. Security benefits are not due to indiscriminate risk aversion; there is negligible impact on acceptance of justified risks:
In cases where no transparent security solution is known and it is not feasible to improve the user interface, another way to make security more usable is to train users better.
I have investigated how to teach basic cryptographic and other security concepts in a hands-on fashion. As described in the following paper, I've designed experiments that teach users how to use open-source tools such as OpenSSH, OpenSSL, IPsec, and firewalls to solve problems that users are likely to encounter when performing the roles of computer user, programmer, or administrator:
This training gives statistically significant and large benefits and can be expected to prepare users to tackle a wide variety of security problems. However, experiments described in my above-mentioned WWW'2005 paper suggest that, when applicable, GWO interfaces are more effective than previous security training. I believe the reason for this result is that security usability problems are partly behavioral. Many users behave insecurely even when they know they shouldn't, out of habit or because they find heeding security less rewarding than ignoring it. User interfaces that force compliance with security policies, e.g. GWO or audited dialogs, may be more effective because they do not ignore these behavioral factors.