1
Overview of Security, Privacy, and Usability
This overview briefly discusses computer system security and privacy, their relationship to usability, and research at their intersection. The chapter is drawn from remarks made at the National Research Council’s (NRC’s) July 2009 Workshop on Usability, Security, and Privacy of Computer Systems as well as recent reports from the NRC’s Computer Science and Telecommunications Board (CSTB) on security and privacy.1
SECURITY
Society’s reliance on information technology (IT) has been increasing simultaneously with the ability of individuals, organizations, and state actors to conduct attacks on computer systems and networks. IT has become essential to the day-to-day operations of companies, organizations, and government. People’s personal lives also involve computing in areas ranging from communication with family and friends to online banking and other household and financial management activities. Companies large and small are ever more reliant on information systems to support diverse business processes, including payroll and accounting, the tracking of inventory, the operation of sales, manufacturing, and research and development—that is, computer systems are increasingly needed for organizations to be able to operate at all. Critical national infrastructures—such as those associated with energy, banking and finance, defense, law enforcement, transportation, water systems, and government and private emergency services—also depend on information systems and networks. The telecommunications system itself and the Internet running on top of it are critical infrastructure for the nation. Information systems play a critical role in many governmental functions, including national security and homeland and border security.

1 National Research Council, Toward a Safer and More Secure Cyberspace, Seymour E. Goodman and Herbert S. Lin, eds., The National Academies Press, Washington, D.C., 2007; and National Research Council, Engaging Privacy and Information Technology in a Digital Age, James Waldo, Herbert S. Lin, and Lynette I. Millett, eds., The National Academies Press, Washington, D.C., 2007.

TOWARD BETTER USABILITY, SECURITY, AND PRIVACY OF IT
The conventional definition of computer security relates to the following attributes of a computer system: confidentiality (the system prevents unauthorized access to information), integrity (information in the system cannot be altered without authorization), and availability (the system is available for authorized use). Authentication—the verification of identity using some combination of something that one knows (such as a password), something that one has (such as a hardware token), and something that one is (such as a fingerprint)—is often thought of as an additional essential security capability. Reliability is a closely related concept—a reliable system performs and maintains its functions even in hostile circumstances, including but not limited to threats from adversaries.
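As an added illustration of the authentication factors named above (this is example code written for this overview, not text or code from the NRC report), the following Python checks a login against two of them: a salted PBKDF2 hash of a password (something the user knows) and a time-based one-time code of the kind a hardware or phone token displays (something the user has), computed as in RFC 4226 and RFC 6238. The function names, the in-memory credential record, and the demo secret (the RFC 4226 test secret, chosen so the output is reproducible) are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

# Two-factor login check: "something you know" (password) plus
# "something you have" (token). Added example; the credential record
# and secret below are constructed for the demo.

PBKDF2_ITERATIONS = 200_000   # work factor for the password hash
TOTP_STEP_SECONDS = 30        # RFC 6238 default time step


def derive_password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (the 'knows' factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    big-endian 8-byte counter, dynamically truncated to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time step."""
    return hotp(secret, unix_time // TOTP_STEP_SECONDS, digits)


def enroll(password: str, otp_secret: bytes) -> dict:
    """Build a stored credential record; the cleartext password is not kept."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": derive_password_hash(password, salt),
            "otp_secret": otp_secret}


def verify_login(record: dict, password: str, otp_code: str, unix_time: int) -> bool:
    """Accept only if both factors verify. Both checks always run and use
    constant-time comparison, so a failure does not reveal which factor was
    wrong. One time step of clock skew in either direction is tolerated."""
    knows = hmac.compare_digest(derive_password_hash(password, record["salt"]),
                                record["pw_hash"])
    has = False
    for skew in (-1, 0, 1):
        candidate = totp(record["otp_secret"], unix_time + skew * TOTP_STEP_SECONDS)
        has = hmac.compare_digest(candidate.encode(), otp_code.encode()) or has
    return knows and has


# Constructed demo record using the RFC 4226 test secret (assumption).
DEMO_SECRET = b"12345678901234567890"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_RECORD = enroll(DEMO_PASSWORD, DEMO_SECRET)

if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time; the 6-digit code at this time is 287082
    code = totp(DEMO_SECRET, now)
    print("password only :", verify_login(DEMO_RECORD, DEMO_PASSWORD, "000000", now))
    print("both factors  :", verify_login(DEMO_RECORD, DEMO_PASSWORD, code, now))
```

The point of running both checks unconditionally and combining them at the end is that a single factor, even when correct, never unlocks the account and never leaks partial success to the caller; the small skew window is the usual concession to imperfect clocks on tokens.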
Nearly all indications of the severity of the security threat to computer systems, whether associated with losses or damage, type of attack, or presence of vulnerability, indicate a continuously worsening problem.2 The potential consequences fall into three broad categories:

• Economic drag—To counter security problems, organizations are forced to spend in order to defend and strengthen insecure IT systems.
• Avoidance—Because of the perceived security risks of computing, individuals or organizations avoid using IT systems, thereby missing the potential benefit of their use.
• Catastrophe—Failure of an IT system causes major economic loss and perhaps even loss of life. A catastrophe could be the result of a cyberattack, a serious software design or implementation flaw, or system misuse.
Despite advances that have been made in both practice and technology, cybersecurity will be a concern into the foreseeable future. More and more sensitive information will be stored in systems whose security does not necessarily increase in proportion to the value of the assets they contain. The threats will continue to evolve both on their own and as defenses against them are discovered and implemented. New vulnerabilities will emerge as previously unknown weaknesses are uncovered and as innovation leads to the use of IT in new applications and the deployment of new technologies. The growing complexity of IT systems and the fast-growing importance of network access and network-intermediated computing are likely to increase the emergence of new vulnerabilities.

2 NRC, Toward a Safer and More Secure Cyberspace, 2007, p. 2.
PRIVACY
Information privacy concerns the protection of information about individuals and other entities. The environment for privacy is dynamic, reflecting societal shifts (e.g., increases in electronic communication), varying and evolving attitudes (e.g., across generations or cultures), and discontinuities (e.g., events and emerging conditions that rapidly transform the national debate, such as the September 11, 2001, attacks and the global response to them) as well as technological change. The decreasing cost of storage combined with the increase in communications devices, including, and especially, mobile ones, has led to remarkable impacts on personal privacy within a very short period of time. Private information can be compromised by attacking networks and computers directly or by tricking users into revealing the information or the credentials required to access it.3 Protecting privacy often occurs in the face of competing interests in the collection or use of particular information, and addressing privacy issues thus involves understanding and balancing these interests.
USABILITY
Usability may be thought of narrowly in terms of the quality of a system’s interfaces, but the concept applies more broadly to how well a system supports user needs and expectations. The International Organization for Standardization (ISO) 9241-11 standard defines usability as “the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use.”4 A framework attributed to both Nielsen5 and Shneiderman6 describes usability in terms of learnability, efficiency of use, memorability, few and noncatastrophic errors, and subjective satisfaction. Usability relates not only to understanding what taking a particular action means in the context of a particular interaction, but also to whether the user understands the implications of his or her choices in a broader context. Information system design and development inevitably embed assumptions and values, both implicit and explicit, that have impacts on a system’s users; these considerations may be thought of as another aspect of usability.

3 One example of the latter is phishing, which refers to attempts to acquire sensitive information such as passwords by pretending in an e-mail or other communication to be a trustworthy entity.
4 International Organization for Standardization (ISO), Ergonomics of Human System Interactions: Guidance on Usability (Part 11), ISO, Geneva, 1998.
5 Jakob Nielsen, Usability Engineering, Academic Press, San Diego, Calif., 1993, p. 26.
6 Ben Shneiderman, Designing the User Interface: Strategies for Effective Human-Computer Interaction, Addison-Wesley, Reading, Mass., 1992.
USABILITY, SECURITY, AND PRIVACY
Despite many advances, security and privacy often remain too complex for individuals or enterprises to manage effectively or to use conveniently. Security is hard for users, administrators, and developers to understand, making it all too easy to use, configure, or operate systems in ways that are inadvertently insecure. Moreover, security and privacy technologies originally were developed in a context in which system administrators had primary responsibility for security and privacy protections and in which the users tended to be sophisticated. Today, the user base is much wider—including the vast majority of employees in many organizations and a large fraction of households—but the basic models for security and privacy are essentially unchanged.
Security features can be clumsy and awkward to use and can present significant obstacles to getting work done. As a result, cybersecurity measures are all too often disabled or bypassed by the users they are intended to protect.7 Similarly, when security gets in the way of functionality, designers and administrators deemphasize it. Workshop participant Don Norman quipped, “The more secure a system, the less secure the system”—that is, when users find that security gets in their way, they figure out ways to bypass it.8 Indeed, some participants suggested, it may be the dedicated workers who are most highly motivated to defeat security measures.
The result is that end users often engage in actions, knowingly or unknowingly, that compromise the security of computer systems or contribute to the unwanted release of personal or other confidential information. For example, industry reports, such as the one issued in 2008 by the Verizon Business RISK Team, have highlighted the impact that end users have on system security. As the Verizon report observed:

    [L]oosely defined, error is a contributing factor in nearly all data breaches. Poor decisions, misconfigurations, omissions, noncompliance, process breakdowns, and the like undoubtedly occur somewhere in the chain of events leading to the incident.9

7 A recent paper by Herley explains that “security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually.” C. Herley, “So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users,” New Security Paradigms Workshop 2009, Oxford.
8 This observation was published following the workshop in D.A. Norman, “When Security Gets in the Way,” Interactions 16(6): 60-63, 2009; a similar observation (“More onerous security requirements can lead to less secure situations”) appears in D.A. Norman, Living with Complexity, MIT Press, Cambridge, Mass., 2010, Chapter 3, in press.
Usability and security are thus attributes that can trade off against each other. For example, requiring users to change their passwords periodically may improve security but places a greater burden on users. (Poor usability may also reduce security by driving users to workarounds, such as when users tape hard-to-remember passwords to their workstations.) Or, a password may be replaced by a hardware token; this relieves the user of having to remember a password but imposes a new burden on the user to carry the token wherever that access is required.
Poor usability is also an impediment to privacy protection. For example, a privacy policy or privacy settings that are difficult to understand or navigate make it difficult for users to know what privacy choices they have made or to change the settings to best reflect their preferences.
Usability, security, and privacy are all especially challenging aspects of system design. For example, although well-established techniques exist for testing the usability of a system, at least in the narrow sense of the quality of the system’s interface, much less is known about how to effectively embed usability considerations in a specification. Better user models might help in the identification of usability requirements and more generally speed development. More sophisticated models might make it easier to strike the right balance between usability and risk mitigation. Moreover, usability, security, and privacy have all come to be understood as attributes that must be addressed throughout a system’s development life cycle. Early decisions about architecture, data structures, and so forth can have a large impact on what sorts of usability aspects are even feasible. Finally, both usability and security/privacy considerations are not finished once a product or system is released, but need to be kept in mind through the life cycle of use—assumptions, norms, and expectations may change over time. Data about these factors can be gathered and taken into account during system updates and revisions.

9 Verizon Business RISK Team, 2009 Data Breach Investigations Report, Verizon Business. Available at http://www.verizonbusiness.com/products/security/risk/databreach; accessed February 16, 2010.
USABILITY, SECURITY, AND PRIVACY: AN EMERGING DISCIPLINE
A small but growing research community has been working at the intersection of usability, security, and privacy—one that draws on expertise from multiple disciplines including computer security, human-computer interaction, and psychology. Participants noted that as an emerging and multidisciplinary discipline, it is sometimes viewed as too “soft” by some engineers and scientists and that it does not always have buy-in from those responsible for managing the development and operation of computer systems. There has, however, been growing interest in the field from the more traditional disciplines. Papers at the intersection have appeared occasionally at traditional security conferences for many years, but until recently there have been few sustained research efforts in this area. Exploratory workshops held in 2003 and 2004 led to the organization in 2005 of the first formal conference on this topic, the Symposium on Usable Privacy and Security (SOUPS), which has been held annually since then. Increasingly, usable security and privacy papers are also appearing at traditional security conferences and human-computer interaction conferences, more academic and industry researchers are focusing their research in this area, several universities now offer courses in this area,10 and the National Science Foundation’s Trustworthy Computing program highlights usability as an important research area.

10 For example, courses have been offered by Carnegie Mellon University (“Usable Privacy and Security”; see http://cups.cs.cmu.edu/courses/ups.html), and Harvard University (“Security and Privacy Usability”; see http://www.seas.harvard.edu/courses/cs279/syllabus.html).