An annotated bibliography is a bibliography that gives a summary of a body of work such as an article, research or thesis. The purpose of annotations is to provide the reader with a summary and an evaluation of the source. Each summary should be a concise exposition of the source’s central idea and give the reader a general idea of the source’s content.
HCISec is the study of interaction between humans and computers, or human–computer interaction, specifically as it pertains to information security. Its aim, in plain terms, is to improve the usability of security features in end user applications.
An annotated bibliography was conducted on 5 bodies of work focused on HCISec and Usability Security.
Sasse, M. and Flechais, I. (2005). Usable Security: Why do we need it? How do we get it?. O’Reilly Media Inc.
This article begin with a common theme used in many HCISec and Usability Security literature by stating users are the weakest link in the chain of system security. The authors further explained how the famous hacker Kevin Mitnick hardly ever had to crack a password, since it was easier to trick users to tell him with the use of social engineering. The author also explained as the system become more complex, they become harder to configure, manage and maintain. The errors become issues; increasing the chance of poorly configured systems and improper management, therefore reducing the security of the system.
The author introduces the principle of psychological acceptability that states security controls should not make accessing the resources more difficult than it would be if the security control were not present. The author also provides various examples, for example, passwords add minimal overhead for the user, providing it is easy to remember. To allow for effective security, the password must be difficult. Therefore, a balance must be in place. If a password is too long and hard, the user will resort to writing it down, if a password is too simple a hacker can guess it and compromise the system. The author also discusses the process in patching a system should be transparent to the user. That is not always the case on system with custom code or when system reacts adversely to the patch.
The article concludes by stating, the information from the examples provided are key to implementing the principle of psychological acceptability based systems.
Greiter, F. (2011). Situated Usability Testing for Security Systems. Pacific Northwest National Laboratory. PNNL-2-201
The article explains usable security is a concept that has emerged to ensure the security and privacy of computer systems while usability refers to how well a system supports the user’s needs and its ability to accomplish a task. The author acknowledge, while usability testing is a common practice, usability of security software needs more consideration.
The author examines why the common computer user may lack confidence in the security system they use or why they often circumvent the security mechanisms in places. He describes the concept of primary goal and secondary goal into the discussion. Primary goal pertains to completing a task, for example, sending an email or producing a document. The secondary goal pertains to adding the layer of security needed for the primary functions. Often the user may not be focused on the secondary goal even though it may be just as important as the primary goal. Recent research depicts users forced to implement security task, but the authors concludes the introduction of bias is added. The author states the security issues must be concealed behind the primary goal, thus making the software more acceptable to the user. Differing setups between the real-world environment and the testing environment will conclude conflicting data.
The author provided an example using online banking requiring different security controls. The primary task is the completion of the transaction, but the secondary task is the authentication that must occur beforehand. In the study, the author depicted an online banking scenario were security was employed, but the primary focus was not security. In other environments, the more difficult the secondary task, the less likely it will be implemented.
Ackerman, S. and Mainwaring, S. (2005). Privacy Issues and Human-Computer Interaction. O’Reilly and Associates.
The paper reviews privacy being a key aspect of the user experience when online as well as on computing devices by examining how users view computer system to aid in improving privacy through Human-Computer Interaction (HCI).
The authors explain, privacy is the process in which users can effectively control personal data and like security, it contains risk. To build a system that takes user’s privacy into consideration, the core HCI rules must be examined. For example, basic design consideration, reviewing how users interact with and through the system, how users differ in their capabilities and lastly, the role of HCI in next generation architecture.
The authors surveyed current computer-supported cooperative work (CSCW) literature related to privacy and discovered as people interested in privacy area aware, people have very nuanced views of their interactions with other people and find it problematic when those social interactions are constrained.
Other applications have cause concerns in CSCW privacy such as, shared calendar. Users may access a manager’s calendar to conclude information about a company’s hiring or lay off status. These privacy concerns are being research to understand the balance between information awareness and information privacy. It was stated in the article, awareness requires the release of personal information, thus conflicting with privacy.
The authors concluded there are a number of research areas in the field of HCI that can help design better privacy mechanisms such as usable evaluations and requirements gathering.
Schultz, E. (2006). Research on Usability in Information Security.
The article states, usability engineering focuses on optimizing the interaction between humans and the tasks they perform. The author explains, even though authors in the field argue for the need to consider usability when applied to software, in actuality, there are very few papers displaying results to the fact.
The author, examines research in the area of usability and discusses their findings. For example, a review conducted on Whitten and Tygar (1999) looked into the usability problems within PGP 5.0. This is one of the first researches that incorporated the balance between usability and security. PGP is email encryption software and in the test, users were allotted 90 minutes to digitally sign and encrypt an email. A majority of the test subject failed to do so. It was concluded, even though PGP had an attractive graphical user interface, there were a number of user design weaknesses.
The author also examined the usability problems in firewalls. Configuring a firewall is often a resource intensive task. Rules in the firewall determine what various systems and network in an organization interact with the outside world. Using a graphical user interface can ease the process and provide a more usable implementation.
The author concludes, the review he examined is but a subset of the total research conducted in the usability security space, but notes the total amount of research is still not enough. All is the above reviews point to the need for attention in the human-factors in information security related task.