{"id":3981,"date":"2018-08-16T18:26:53","date_gmt":"2018-08-16T16:26:53","guid":{"rendered":"https:\/\/blog.mi.hdm-stuttgart.de\/?p=3981"},"modified":"2023-08-06T21:48:00","modified_gmt":"2023-08-06T19:48:00","slug":"usability-and-security","status":"publish","type":"post","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/","title":{"rendered":"Usability and Security"},"content":{"rendered":"<h1><a href=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"3996\" data-permalink=\"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/2018-08-16-12_12_42-notificerffeationsform\/\" data-orig-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png\" data-orig-size=\"1920,537\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"2018-08-16 12_12_42-NotificerffeationsForm\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm-1024x286.png\" class=\"alignnone wp-image-3996 size-full\" src=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png\" alt=\"\" width=\"1920\" height=\"537\" srcset=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png 1920w, 
https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm-300x84.png 300w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm-768x215.png 768w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm-1024x286.png 1024w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/a><\/h1>\n<h1><span style=\"font-weight: 800;\">Usability and Security &#8211; Is a tradeoff necessary?<\/span><\/h1>\n<p><span style=\"font-weight: 400;\">Usability is one of the main reasons why software with user interaction succeeds, but it is often degraded by strict security requirements. At the same time, many use cases need authentication, authorisation and system access, where weakening the security measures risks serious damage. This article shows how these two areas depend on each other, along with typical mistakes and their possible solutions, in order to bury a fallacy in IT: \u201cThere needs to be a tradeoff between security and usability\u201d.<\/span><\/p>\n<p><!--more--><\/p>\n<h2><b>\u201cToo secure\u201d services<\/b><\/h2>\n<p style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">\u201c&#8230; security is only as good as its weakest link, and people are the weakest link in the chain.\u201d &#8211; Bruce Schneier<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Security can depend on usability, especially in an enterprise context. To make an environment as secure as possible, very strict guidelines are introduced: e.g. at least 13 characters, two special characters, three digits, upper- and lower-case letters, the password must be changed every month, every system needs a different password, new passwords may not be too similar to old ones, etc. 
Sure, no brute-force attack could ever crack such passwords and attackers would have a hard time too, but what most admins establishing these rules are not aware of is that users try to bypass these security measures. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">The typical non-IT user is not aware of security threats and tries to get his or her work done as easily and quickly as possible. Such demanding password guidelines do not just make users angry; they may start writing their passwords on sticky notes attached to their monitors because the passwords are too hard to remember. When passwords have to be changed every month, users start using patterns so that they do not forget them. A friend who was a system administrator told me of employees talking about such patterns. They had to change their password every quarter and used the season with the year: Spring2017, Summer2017, etc. to remember them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Fortunately there are solutions that rebalance usability and security:<\/span><\/p>\n<p><b>Single-Sign-On:<\/b><span style=\"font-weight: 400;\"> One secure password for all services prevents users from writing passwords down.<\/span><\/p>\n<p><b>Reducing forced changes:<\/b><span style=\"font-weight: 400;\"> Changing a password only once a year demands less from a user.<\/span><\/p>\n<p><b>User motivation: <\/b><span style=\"font-weight: 400;\">When users decide for their own sake to improve security, they are more likely to cooperate. A good option for consumer software is a password strength bar: the user may enter a fairly simple password, but is then pointed to its weakness and gets suggestions to improve it. 
Positive feedback (like green colours, animations and icons) increases motivation further.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><a href=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/password-strength-bar.gif\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"3984\" data-permalink=\"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/password-strength-bar\/\" data-orig-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/password-strength-bar.gif\" data-orig-size=\"489,120\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"password strength bar\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/password-strength-bar.gif\" class=\"alignnone wp-image-3984\" src=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/password-strength-bar-300x74.gif\" alt=\"\" width=\"489\" height=\"120\"><\/a><\/span><\/p>\n<p><b>Password Manager: <\/b><span style=\"font-weight: 400;\">Password managers generate very secure, unique, random passwords that are unlocked with a single master password.<\/span><\/p>\n<p><b>Fingerprints: <\/b><span style=\"font-weight: 400;\">A hardware solution where instant authentication and authorisation are possible without remembering a password. 
<a href=\"http:\/\/www.cse.msu.edu\/~rossarun\/pubs\/RoyMemonRossMasterPrint_TIFS2017.pdf\">But partial fingerprint-based systems can be cracked.<\/a><\/span><\/p>\n<p><a href=\"https:\/\/www.yubico.com\/2017\/10\/creating-unphishable-security-key\/\"><b>YubiKey<\/b><\/a><b>:<\/b><span style=\"font-weight: 400;\"> Two-factor authentication through a physical device that is plugged into a usb slot. For every service a public-private-key-pair is generated, the service only has access to the public key. Supports One-Time-Passwords where every new log-in uses another passcode and it is phishing resistant because key pairs are generated on base of domain (e.g. <\/span><a href=\"https:\/\/facbook.com\"><span style=\"font-weight: 400;\">https:\/\/facbook.com<\/span><\/a><span style=\"font-weight: 400;\"> is not valid due to missing e). By clicking on the \u201cy\u201d-button before logging in, it is verified that the user tries to authenticate with this device. That prevents man-in-the-middle attacks. 
Stolen YubiKeys can be disabled when using the YubiCloud-service.<a href=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/YubiKey-4-keychain-and-YubiKey-4-Nano.png\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"3994\" data-permalink=\"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/yubikey-4-keychain-and-yubikey-4-nano\/\" data-orig-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/YubiKey-4-keychain-and-YubiKey-4-Nano.png\" data-orig-size=\"1200,877\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"YubiKey-4-keychain-and-YubiKey-4-Nano\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/YubiKey-4-keychain-and-YubiKey-4-Nano-1024x748.png\" class=\"alignnone wp-image-3994 size-full\" src=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/YubiKey-4-keychain-and-YubiKey-4-Nano.png\" alt=\"\" width=\"1200\" height=\"877\" srcset=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/YubiKey-4-keychain-and-YubiKey-4-Nano.png 1200w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/YubiKey-4-keychain-and-YubiKey-4-Nano-300x219.png 300w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/YubiKey-4-keychain-and-YubiKey-4-Nano-768x561.png 768w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/YubiKey-4-keychain-and-YubiKey-4-Nano-1024x748.png 1024w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" 
\/><\/a><\/span><span style=\"font-weight: 400;\">&nbsp;<\/span><\/p>\n<h3><b>Using alternative software<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Secure services must be as easy to use as insecure ones, or users will tend to switch to insecure alternatives. We are used to the polished consumer products of big companies like Google or Apple, but business solutions, especially old systems, are often not that easy to work with. So employees may resort to simpler file sharing services (like Google Drive or Dropbox), private mail services (Hillary\u2019s mistake) and office software (like Google presentation). As a result, the uploaded data may end up on the servers of potential competitors. <\/span><\/p>\n<h3><b>Usability wins<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Consumer software does not become successful by being incredibly secure; it becomes successful when customers like to use it. For example, WhatsApp and Facebook went without encryption for a long time, and many people do not know how to send their mails securely, even when highly sensitive data is shared. Personally, I had this experience with a bank that sent account data without encrypting it (though we had requested it) because the contact person was not that familiar with this \u201ccomputer stuff\u201d.<\/span><\/p>\n<h2><b>Typical errors and their solutions<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Security does not always depend on usability, but there are use cases where usability can be increased without destabilising the system.<\/span><\/p>\n<h3><b>Validation<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Validation is important to prevent users from submitting wrong input or executing SQL injection and cross-site scripting attacks. Backend validation is absolutely necessary for a reliable system; frontend validation should be used to give instant feedback. But it should be neither too strict nor imprecise. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Xi Wu wants to register with her real name even though her first and last name each contain fewer than three characters. Ren\u00e9 and S\u00f8ren want to use their special characters too. Only markup-relevant characters like <\/span><b>&lt; &gt; &amp; \u201c<\/b><span style=\"font-weight: 400;\"> can be used to inject attacks. Furthermore, error messages should be precise and help the user enter the input correctly. Hints like \u201cinput not valid\u201d will not make users happy. And of course: DO NOT clear the form if one or more inputs are incorrect when using backend validation only.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Frontend validation provides instant feedback, which users find very pleasant: the error is easier to locate, the context of the input field is still fresh in mind, required fields are less likely to be skipped unintentionally, the user feels satisfied (keyword: gamification) and efficiency improves.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><a href=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/mailvalidation.gif\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"3983\" data-permalink=\"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/mailvalidation\/\" data-orig-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/mailvalidation.gif\" data-orig-size=\"311,97\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"mailvalidation\" data-image-description=\"\" data-image-caption=\"\" 
data-large-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/mailvalidation.gif\" class=\"alignnone wp-image-3983\" src=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/mailvalidation-300x94.gif\" alt=\"\" width=\"311\" height=\"97\"><\/a><\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are also some common mistakes when developing live inline validation. The error should not be shown while the user is typing into the field for the first time, nor should it appear only after the submit button has been pressed. Only when the field loses focus for the first time should a hint be shown, and it should fade out as soon as the input is correct.<\/span><\/p>\n<h3><b>Updates<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Updates are fundamental for security. Newly discovered security holes need to be fixed and the fix deployed on every device, but most IoT appliances and routers have no automatic update function. The user has to do it manually, which rarely happens.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Even IT experts have trouble taking these necessary steps on their private devices:<\/span><\/p>\n<figure id=\"attachment_3986\" aria-describedby=\"caption-attachment-3986\" style=\"width: 661px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_11_49-Usability-and-Security-Google-Docs.png\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"3986\" data-permalink=\"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/2018-08-16-18_11_49-usability-and-security-google-docs\/\" data-orig-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_11_49-Usability-and-Security-Google-Docs.png\" data-orig-size=\"816,508\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"2018-08-16 18_11_49-Usability and Security &amp;#8211; Google Docs\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_11_49-Usability-and-Security-Google-Docs.png\" class=\"wp-image-3986 \" src=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_11_49-Usability-and-Security-Google-Docs-300x187.png\" alt=\"\" width=\"661\" height=\"414\"><\/a><figcaption id=\"caption-attachment-3986\" class=\"wp-caption-text\">Source: <a href=\"http:\/\/www.properaccess.com\/docs\/Tripwire_SOHO_Router_Insecurity_white_paper.pdf\">http:\/\/www.properaccess.com\/docs\/Tripwire_SOHO_Router_Insecurity_white_paper.pdf<\/a><\/figcaption><\/figure>\n<h3><b>Performance<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Performance is one of the most crucial usability parameters, but security can degrade it. Encrypting large amounts of data in particular is costly at runtime. A tradeoff should be made: decide what impact a leak of the data could have and use encryption just for critical information. When performance is bad, users will tend to use insecure alternatives for all of their data.<\/span><\/p>\n<h2><b>Security Messages<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">They are ignored and seem annoying, but they are very important. Before installing apps with access to sensitive components like the camera, file system or microphone, the user should be made aware of that, even though he or she does not want to read the warnings. 
But the good news is: users can be manipulated into paying more attention to messages, thanks to neuroscience. In a <\/span><a href=\"https:\/\/www.youtube.com\/watch?v=I-Dzft8XQ7c\"><span style=\"font-weight: 400;\">talk for security specialists<\/span><\/a><span style=\"font-weight: 400;\">, Bonnie Anderson defines three parameters that affect the perception of such dialogs: Dual-task interference (DTI), Habituation and Generalisation.<\/span><\/p>\n<h3><b>Dual-task interference (DTI)<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Users will ignore warnings when they are doing something \u201cmore important\u201d. Brains have trouble doing several tasks at once. When showing a security message (like \u201cbrowser detected unusual behaviour\u201d, etc.), a suitable time slot should be chosen to maximise the user\u2019s attention: ideally before or after a task is done, for example during loading time or after a video has been watched.<\/span><\/p>\n<h3><b>Habituation<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The brain links a new visual input to an older, similar-looking one, comparable to a cache. When users are shown identical-looking messages, they are more likely to click them away or ignore them. When different designs and animations are used, they are more likely to pay attention. 
According to Bonnie Anderson\u2019s studies, even four alternating message designs or animations reduce the rate at which messages are ignored.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><a href=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-06-03-14_08_58-17-Using-Neuroscience-to-Improve-the-Usability-of-Information-Security-YouTu.png\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"3987\" data-permalink=\"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/2018-06-03-14_08_58-17-using-neuroscience-to-improve-the-usability-of-information-security-youtu\/\" data-orig-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-06-03-14_08_58-17-Using-Neuroscience-to-Improve-the-Usability-of-Information-Security-YouTu.png\" data-orig-size=\"1255,772\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"2018-06-03 14_08_58-(17) Using Neuroscience to Improve the Usability of Information Security &amp;#8211; YouTu\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-06-03-14_08_58-17-Using-Neuroscience-to-Improve-the-Usability-of-Information-Security-YouTu-1024x630.png\" class=\"alignnone wp-image-3987\" src=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-06-03-14_08_58-17-Using-Neuroscience-to-Improve-the-Usability-of-Information-Security-YouTu-300x185.png\" alt=\"\" width=\"691\" height=\"426\" 
srcset=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-06-03-14_08_58-17-Using-Neuroscience-to-Improve-the-Usability-of-Information-Security-YouTu-300x185.png 300w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-06-03-14_08_58-17-Using-Neuroscience-to-Improve-the-Usability-of-Information-Security-YouTu-768x472.png 768w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-06-03-14_08_58-17-Using-Neuroscience-to-Improve-the-Usability-of-Information-Security-YouTu-1024x630.png 1024w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-06-03-14_08_58-17-Using-Neuroscience-to-Improve-the-Usability-of-Information-Security-YouTu.png 1255w\" sizes=\"auto, (max-width: 691px) 100vw, 691px\" \/><\/a><\/span><\/p>\n<h3><b>Generalisation<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Because the brain generalises between similar-looking dialogs, a warning message should look clearly different from an ordinary info message. Frequent notifications also decrease the attention paid to security messages.<\/span><\/p>\n<h2><b>Team structure and Management<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">One of the most important and effective ways to combine great usability and high security standards in software is communication. Cross-functional teams, where a usability specialist works in the same team as a security expert, tend to achieve much better harmony between these two IT areas than teams separated by discipline. 
The following image visualizes cross functional teams:<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><a href=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_12_52-Usability-and-Security-Google-Docs.png\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"3988\" data-permalink=\"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/2018-08-16-18_12_52-usability-and-security-google-docs\/\" data-orig-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_12_52-Usability-and-Security-Google-Docs.png\" data-orig-size=\"969,780\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"2018-08-16 18_12_52-Usability and Security &amp;#8211; Google Docs\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_12_52-Usability-and-Security-Google-Docs.png\" class=\"alignnone wp-image-3988 size-full\" src=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_12_52-Usability-and-Security-Google-Docs.png\" alt=\"\" width=\"969\" height=\"780\" srcset=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_12_52-Usability-and-Security-Google-Docs.png 969w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_12_52-Usability-and-Security-Google-Docs-300x241.png 300w, 
https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_12_52-Usability-and-Security-Google-Docs-768x618.png 768w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-weight: 400;\">Another important point regarding management is \u201csecurity by design\u201d: security needs to be embedded into the sprints of the planning, design and implementation phases from the beginning.<\/span><\/p>\n<h2><b>Final thoughts and research questions<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Security and usability are both fundamentally important for developing great software, and they can even depend on each other when users start to circumvent impractical security guidelines. The tradeoff between the two can be minimised by avoiding the errors shown above, using the alternatives presented and having experts of both disciplines work together. This does mean more effort and higher costs, but it results in better, more successful software and secure digital company environments.<\/span><\/p>\n<p style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">Build Bridges!<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\"><a href=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_13_16-Usability-and-Security-Google-Docs.png\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"3989\" data-permalink=\"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/2018-08-16-18_13_16-usability-and-security-google-docs\/\" data-orig-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_13_16-Usability-and-Security-Google-Docs.png\" data-orig-size=\"1018,666\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"2018-08-16 18_13_16-Usability and Security &amp;#8211; Google Docs\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_13_16-Usability-and-Security-Google-Docs.png\" class=\"alignnone wp-image-3989\" src=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_13_16-Usability-and-Security-Google-Docs-300x196.png\" alt=\"\" width=\"655\" height=\"428\" srcset=\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_13_16-Usability-and-Security-Google-Docs-300x196.png 300w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_13_16-Usability-and-Security-Google-Docs-768x502.png 768w, https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-18_13_16-Usability-and-Security-Google-Docs.png 1018w\" sizes=\"auto, (max-width: 655px) 100vw, 655px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-weight: 400;\">The fusion of these two areas is still not complete, and there are some research questions for future investigation:<\/span><\/p>\n<p><b>Are there ways to simplify security-related user interactions that we do not know of yet?<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Studies examining user behaviour, creating personas, interviewing people and research in cognitive psychology could open up entirely new possibilities.<\/span><\/p>\n<p><b>Can we increase security awareness in our society?<\/b><\/p>\n<p><span style=\"font-weight: 
Should">
400;\">Should \u201cbehaving securely with software systems\u201d be integrated into IT curricula in schools? And how do we teach people more efficiently to create such awareness?<\/span><\/p>\n<p><b>Is it possible to build maximally secure systems without any limitations regarding usability?<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Authorization and authentication processes still reduce a system\u2019s usability because users must enter an ID and a password. Can this step be simplified by using external hardware? Smartphones in particular have great potential to be used as a key for PC applications. Unfortunately, a lot of adaptation is needed to make this approach common in the IT world.<\/span><\/p>\n<p><b>Can we make software management more effective using new methods?<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Traditionally, software development, security and usability have been studied separately, and each has evolved its own development processes. Few development cycles for one address the interests and concerns of the other two. In order to design truly usable and secure systems we must integrate these three disciplines and examine more efficient management methods.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Usability and Security &#8211; Is a tradeoff necessary? Usability is one of the main reasons for a successful software with user interaction. But often it is worsened by high security standards. Furthermore many use cases need authentication, authorisation and system access where high damage is risked when security possibilities get reduced. 
In this article the [&hellip;]<\/p>\n","protected":false},"author":187,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,26,651,657],"tags":[],"ppma_author":[761],"class_list":["post-3981","post","type-post","status-publish","format-standard","hentry","category-allgemein","category-secure-systems","category-system-designs","category-teaching-and-learning"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[]}
Even if manufacturers make use of various designations like Keyless Go, KeyFree Power or\u2026","rel":"","context":"In &quot;Secure Systems&quot;","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":10555,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2020\/08\/19\/iot-security-the-current-situation-best-practices-and-how-these-should-be-applied\/","url_meta":{"origin":3981,"position":5},"title":"IoT security \u2013 The current situation, \u201cbest practices\u201d and how these should be applied","author":"lh133","date":"19. August 2020","format":false,"excerpt":"Smart thermostats, lamps, sockets, and many other devices are no longer part of any futuristic movies. These items can be found in most households, at least in parts, whether in Europe, America, or Asia. 
A trend that affects the entire globe and is currently gaining ground, especially in industrialized countries.\u2026","rel":"","context":"In &quot;Internet of Things&quot;","block_context":{"text":"Internet of Things","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/scalable-systems\/internet-of-things\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/PaperClasses.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/PaperClasses.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/PaperClasses.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/PaperClasses.png?resize=700%2C400&ssl=1 2x"},"classes":[]}],"jetpack_sharing_enabled":true,"authors":[{"term_id":761,"user_id":187,"is_guest":0,"slug":"ck154","display_name":"Christof 
Kost","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/2ee06e05a3ea918f8818990d90f425bf38b8a480a2b0de1b747f12e1919dda38?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/3981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/users\/187"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/comments?post=3981"}],"version-history":[{"count":9,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/3981\/revisions"}],"predecessor-version":[{"id":24770,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/3981\/revisions\/24770"}],"wp:attachment":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/media?parent=3981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/categories?post=3981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/tags?post=3981"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/ppma_author?post=3981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}