
Human–computer interaction (security)

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by A.inae4 (talk | contribs) at 01:16, 6 February 2020 (Added more information on the reason HCISec came into prominence and addressing the matter from an HCI perspective.).

HCISec is the study of interaction between humans and computers, or human–computer interaction, specifically as it pertains to information security. Its aim, in plain terms, is to improve the usability of security features in end-user applications.

Unlike HCI, which has roots in the early days of Xerox PARC during the 1970s, HCISec is a nascent field of study by comparison. Interest in this topic tracks with that of Internet security, which has become an area of broad public concern only in very recent years.

When security features exhibit poor usability, the following are common reasons:

  • they were added as a casual afterthought
  • they were hastily patched in to address newly discovered security bugs
  • they address very complex use cases without the benefit of a software wizard
  • their interface designers lacked understanding of related security concepts
  • their interface designers were not usability experts (often meaning they were the application developers themselves)

The Rise of HCISec

With regard to HCISec, security and privacy are the two primary factors that determine the usability and effective functioning of an interface [2]. The rise of networked systems such as e-commerce sites and other online databases that store sensitive personal information creates greater demand for HCISec [2]. As privacy provisions are built into websites, these networked systems and applications must become more usable if they are to provide both service and security effectively [1]. The problems that arise include, but are not limited to, ambushing, conflicting goals, and requested disclosure [1].

Ambushing describes the user’s tendency to choose easier passwords because of system log-out constraints [5]. Conflicting goals describes the situation in which the number of passwords and security combinations exceeds what the user can memorize, so that the user compromises their own security by writing the information down [5]. Requested disclosure is specific to a company’s IT support not having all of the required programs properly installed, and compromising security by having to request disclosure of passwords from employees [5]. This leaves room for hackers to gain access to employee information [5].

One prominent issue in HCISec is password storage and a user’s ability to remember their own passwords. With the rise of hacking and other forms of password compromise, the complexity required for a secure password was found to surpass a person’s ability to hold such varied information in memory [1]. Whether the security and privacy measures are feasible for users can directly affect the overall success of those measures in the networked system or application itself [1].

In 2017, the National Institute of Standards and Technology released Special Publication 800-63B, Digital Identity Guidelines, which offers advice on password complexity and memorability. A digital identity is a “unique representation” of an individual and is used for authentication during online transactions [8]. However, generating passwords tied to one’s digital identity brings the risk of impersonation and fraudulent activity that can compromise one’s security [8].
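The following is an added example, not code from the Wikipedia article or from NIST: it places a classic composition-rule password policy (the kind whose memorability cost the paragraphs above describe) beside a verifier written in the style of SP 800-63B, which requires a minimum of 8 characters, acceptance of long passphrases, no composition rules, and rejection of secrets found on a list of known-compromised or context-specific values. The blocklist, the service name `examplebank`, the `MAX_LEN` cap and all function names are constructed for this example.

```python
import re
import unicodedata

# Constructed sample blocklist standing in for a corpus of breached passwords
# (a real deployment would hold millions of entries, loaded from disk or queried by hash).
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1"}
# Context-specific words that SP 800-63B also says to reject; the service name is constructed.
CONTEXT_WORDS = {"examplebank"}
# Local choice (assumption): SP 800-63B only requires accepting at least 64 characters;
# a generous cap still bounds the cost of slow password hashing on absurdly long inputs.
MAX_LEN = 256


def legacy_policy(secret: str) -> list[str]:
    """Composition-rule policy of the kind the article says outstrips human memory.

    Returns the list of violated rules; an empty list means the secret is accepted.
    """
    problems = []
    if not 8 <= len(secret) <= 16:
        problems.append("length must be 8-16 characters")
    if not re.search(r"[A-Z]", secret):
        problems.append("needs an uppercase letter")
    if not re.search(r"[a-z]", secret):
        problems.append("needs a lowercase letter")
    if not re.search(r"[0-9]", secret):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9 ]", secret):
        problems.append("needs a symbol")
    if " " in secret:
        problems.append("spaces are not allowed")
    return problems


def nist_style_policy(secret: str, username: str = "") -> list[str]:
    """SP 800-63B-style policy: length plus blocklist, no composition rules.

    Returns the list of reasons for rejection; an empty list means the secret is accepted.
    """
    # Normalize first so visually identical Unicode spellings compare equal
    # (e.g. a fullwidth letter and its ASCII form).
    secret = unicodedata.normalize("NFKC", secret)
    problems = []
    if len(secret) < 8:
        problems.append("at least 8 characters required")
    if len(secret) > MAX_LEN:
        problems.append(f"at most {MAX_LEN} characters")
    lowered = secret.lower()
    if lowered in BLOCKLIST:
        problems.append("found in compromised-password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if any(word in lowered for word in CONTEXT_WORDS):
        problems.append("contains a service-specific word")
    return problems


def compare(secret: str, username: str = "") -> dict[str, bool]:
    """Which of the two policies accepts this secret?"""
    return {
        "legacy": not legacy_policy(secret),
        "nist_style": not nist_style_policy(secret, username),
    }


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "correct horse battery staple", "short1!"]:
        print(f"{candidate!r}: {compare(candidate)}")
```

Running the block shows the contrast the article draws: the legacy rules accept `P@ssw0rd`, a predictable substitution that appears in breached-password lists, while rejecting a long, memorable passphrase for lacking a digit and containing spaces; the SP 800-63B-style verifier does the reverse.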

Addressing HCISec

One major theme in addressing HCISec is the focus on a user group. Designing systems that are standardized for a specific target group or intended purpose can improve the system's chance of success in that specific context [6]. When security is placed in the context of a specific intention, the user also becomes aware of the risks and consequences to their security of not abiding by the system’s constraints [6].

Another crucial theme in addressing HCISec is the implementation of an “adjustment process” [6]. An “adjustment process” describes the curation of a security measure in response to changing usability demands and goals [6]. Several factors may need to change on both the provider and user ends of an interface. Continuously changing legal regulations and standards may also have a direct impact on the security requirements of an interaction [6]. Building in the adjustability that lets a system adapt to different demands, both current and future, can improve its ability to provide up-to-date security provisions [6].

Analyzing HCISec

There are five main criteria involved in the analysis of HCISec usability: learnability, efficiency, errors, memorability, and subjective satisfaction [7].

Learnability describes the time it takes a user to learn a system process [7]. Efficiency describes the time taken to perform a task [7]. Errors refers to the error rate associated with performing that task [7]. Memorability describes the user’s retention of security knowledge [7]. Subjective satisfaction describes the user’s overall satisfaction with the specific system interaction being analyzed [7].

Citations

[1] Grinter, Rebecca E., and D. K. Smetters. "Three challenges for embedding security into applications." Proceedings of CHI 2003 Workshop on HCI and Security Systems. 2003.

[2] Katsabas, Dimitris, S. M. Furnell, and P. S. Dowland. "Using human computer interaction principles to promote usable security." Proceedings of the Fifth International Network Conference (INC 2005), Samos, Greece. 2005.

[3] Sasse, Martina Angela, Sacha Brostoff, and Dirk Weirich. "Transforming the ‘weakest link’—a human/computer interaction approach to usable and effective security." BT technology journal 19.3 (2001): 122-131.

[4] Yue, Chuan. "The devil is phishing: Rethinking web single sign-on systems security." Proceedings of the 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET). 2013.

[5] Agathonos, Christiana. "Human-Computer Interaction And Security." (2016).

[6] National Research Council. Toward Better Usability, Security, and Privacy of Information Technology: Report of a Workshop. National Academies Press, 2010.

[7] Garfinkel, Simson, and Heather Richter Lipford. "Usable security: History, themes, and challenges." Synthesis Lectures on Information Security, Privacy, and Trust 5.2 (2014): 1-124.

[8] National Institute of Standards and Technology. Special Publication 800-63B: Digital Identity Guidelines. pages.nist.gov/800-63-3/sp800-63b.html.
