possible significance is that security inherently involves an actor other than the user—the active adversary who will try to take advantage of usability flaws and may also attempt to mislead the user through “social engineering.” Another is that security involves focusing the user’s attention not only on the task at hand but also on the future consequences and aftereffects of the task. Yet another is that security is generally not the end user’s primary concern. Further investigation of the similarities and differences might yield insights as to what lessons can be transferred directly from other usability work and where the issues are in fact different.
Related to metrics is the question of what criteria should be used in evaluating and accepting the usability and security of an IT system and how one might go about certifying a system as aligning security, privacy, and usability. How might such criteria be instantiated as future guidelines? Are there exemplar software applications that could be identified as benchmarks for security and usability and therefore serve as a source for creating a set of criteria for usable, yet secure, systems? Several discussions considered how such criteria might vary accordingly to application, context, or perspective. For example, how might one divide applications into categories in which similar weights would be given to security and usability? Despite the likely differences among the categories, might it be possible to develop a common checklist that contains a core set of usability and security criteria that would cover 80 percent of all applications?