session in some form, leading the committee to identify the need for better agreement on terminology and definitions as one of the four overarching research challenges at the intersection of usability, security, and privacy (see Chapter 5).
Although usability is often equated with the experience of end users of IT systems—and this was indeed the focus of many presentations and discussions at the workshop—usability concerns for other groups were also discussed. Notably, administrators of IT systems also contend with systems that are difficult to understand and configure. The security or privacy consequences of a misconfiguration or other error by a system administrator can, of course, be much more serious and wider in scope than the consequences of an error of a single user. However, the line between administrator and end user is somewhat blurry because every home user is in effect the administrator of his or her own home network and the computers and other devices attached to it, which suggests that both system administrators and home users stand to benefit from improvements aimed at either group.
Usability also matters for system developers. More usable tools would make it easier for them to avoid or detect design and coding errors that affect security and privacy. Moreover, there is an opportunity to improve the usability and security of systems by introducing better usable security and privacy features to development environments and libraries.
To what extent do demographic and cultural differences affect usability, security, and privacy? One particular question that came up repeatedly during the workshop was whether it was true that younger generations are more security-savvy and less privacy-sensitive. A related question, assuming that younger users are less privacy-sensitive, was whether they would retain that perspective as they grew older.
Finally, participants cautioned that academic studies of usability are not necessarily representative of the user population. They typically employ small groups of college students, which reflects poor experimental design for two reasons: the group sizes are too small, and they are not drawn from a group that is representative of the broader population. Companies can also make the same mistake with respect to usability studies used to test new services.
How might usability for security and privacy be distinct from the broader topic of usability of information technology? One difference of