An Annotated Bibliography of Human-Computer Interaction Security (HCISec) Body of Works 2/3

An annotated bibliography is a bibliography that gives a summary of a body of work such as an article, research or thesis. The purpose of annotations is to provide the reader with a summary and an evaluation of the source. Each summary should be a concise exposition of the source’s central idea and give the reader a general idea of the source’s content.

HCISec is the study of interaction between humans and computers, or human–computer interaction, specifically as it pertains to information security. Its aim, in plain terms, is to improve the usability of security features in end user applications.

An annotated bibliography was compiled for 5 bodies of work focused on HCISec and Usability Security.


Annotated Bibliography

Kluever, K. (2008). Evaluating the Usability and Security of a Video CAPTCHA. Rochester Institute of Technology. Master of Science Thesis

The thesis discusses the security and usability of a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA), a variation of the Turing test used to distinguish humans from computers. The author proposes a new approach in which users provide three words that describe a video. The author states that many users find the traditional form frustrating and that it carries a break rate of approximately 60 percent.

The author explains that, in order to evaluate the success of a CAPTCHA, a list of desirable properties must first be established. The first property is automation, in which the machine can generate and grade challenges on its own. The second property is “Open”, meaning the algorithm should be publicly available. “Usable” is the third property: challenges should be easily and quickly solved by humans. Lastly, it should be secure. The author performed an experiment in which 184 participants were used on over 20 videos. The author was able to increase human pass rates of the video CAPTCHA from 69.7% to 90.2%.

The author does state limitations and assumptions of the experiment. For example, it is language dependent, with English tags needed to determine the human subjects. In addition, the video from the online database exposes the ID of the video. Lastly, the usability and security analyses are preliminary assumptions.

The author concluded that only 20% of the participants preferred the text-based CAPTCHA while 58% preferred the video-based alternative. The author also presented how extending the ground truth tags allowed for different usability and security trade-offs.

Patrick, A., Long, A. and Flinn, S. (2003). HCI and Security Systems. CHI 2003, April 5-10. ACM 1-58113-630-7/03/0004

The authors explain that the human factor is often the weakest part of a security system and that users are often thought of as the weakest link in the security chain. The goal is to provide other researchers and software developers with an understanding of the roles and demands placed on users, as well as to provide design solutions to assist with the creation of secure and usable systems.

The authors state that three areas of interest include authentication, security operations and developing secure systems. The authors state that authentication, the most common form of security, consisting of a username and password, is the weakest link due to the human factor. Users tend to use guessable passwords, write them down or even forget them. In security operations, the human factor is not just focused on the end user; system operators can also improperly implement solutions and open security flaws. Lastly, developing secure systems is critical. If developers do not create user-friendly systems, they will not sell. However, if developers create a secure system, users may try to circumvent it to increase usability. The authors state that the common view that usability and security are contrary to each other is not supported by recent research from Yee (2002), who provided ten HCI design principles that can be used to improve the usability of security.

The authors concluded that the goal is to build a cohesive and active HCISEC community of researchers and practitioners. The authors further state that security is a large topic, so there are many areas where HCISEC is important.

Flechais, I. (2005). Designing Secure and Usable Systems. PhD Dissertation. University of London

The thesis aimed to investigate the process of designing secure systems and how developers can ensure security controls are effective and usable at the same time. The thesis reiterates a common notion that users are the weakest link within information security and that an unusable user interface will result in ineffective security. The author explained that, while HCISec had identified the need to improve usability in computer systems, most of the research in this area addresses the issue by improving the user interface to security tools. The thesis provides an interesting insight into the cause of data breaches by suggesting that research efforts to address human factors in security have concluded that security mechanisms are too difficult to use, and that most users do not maliciously break security policies, but do so as a result of bad design.

The author states that the thesis does not seek to evaluate security system design; instead it plans to evaluate the Appropriate and Effective Guidance for Information Security (AEGIS). AEGIS is a secure system design technique that actively adopts a socio-technical approach in order to assist developers in designing secure systems. Thus, any research that will affect design methods is difficult in empirical form. The author conducted the research in two parts: first, he identified the issues in the development process of secure systems, and second, he presented and evaluated a socio-technical design method for secure systems.

The results from the research identified important factors for usable security; the model provides insight into real-world issues and will be useful in improving current and future secure system design methodologies.
