
From Paternalistic to User Centred Security – Putting Users First with Value-Sensitive Design

Citation

Dodier-Lazaro, S., Abu-Salma, R., Becker, I., Sasse, A. (2017-05-07). From Paternalistic to User-Centred Security: Putting Users First with Value-Sensitive Design.

Security experts and users typically have different priorities and value security differently.

However, security experts set usable security goals without first understanding and identifying user values.

The paper argues that this paternalistic approach undermines the adoption of secure systems.

It argues that:

  1. Adherence to security is mediated by user values
  2. By modelling user values, better security adoption is likely

Introduction

Conflicts within the usability of security interaction arise from:

  1. unusable user interfaces (sometimes)
  2. productivity
  3. cost
  4. utility

Some believe in a trade-off between security and usability. This results in users disengaging.

Issues

Focus on ‘fixing’ users so that they use security systems.

Examples

  1. Fixing user compliance with warnings by making users retype warning content, or by showing different warnings each time. However, there is no evidence of warnings providing any security benefit. (Cormac Herley. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. In Proceedings of the 2009 Workshop on New Security Paradigms (NSPW ’09). ACM, New York, NY, USA, 133–144.)
  2. Password research: Bonneau et al. argue for training users to remember 15-character random passwords. However, in the ‘real world’ user concerns are: “Will I be able to remember it? Will I be able to enter it correctly the first time? How secure is it? Is 3rd.

Value-Sensitive Design (VSD) is proposed as a way to understand user priorities and how to meet them securely.

Case Studies:

Why Secure Communication Tools don’t get adopted.

Usability is the key challenge, especially for encryption. Why don’t users use PGP correctly? (Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.) Typically the lack of adoption is blamed on user interface design flaws. However, questioning users on their experience of different communication tools yields the following:

  1. Concern about fragmentation of user bases if using different tools, i.e. users need to use the same communication tool, or tools need to be interoperable.
  2. Users valued spontaneous communication, convenience and direct availability rather than security. Hence they don’t adopt secure communication tools.

A Value-Sensitive Analysis of Application Appropriation

Interviewed Linux users about how they adopt and abandon apps.

  1. Utility – they use an app because it has specific features or content
  2. Reliability – they abandon an app if it is too slow, unstable or heavy.
  3. Productivity – adopt app plugins because they help users perform tasks or access resources quicker
  4. Security was minor – app developers on platforms where sandboxing is available often refuse to support it. They fear losing users due to sandboxing restrictions on features and app plugins.

However, sandboxes are a main driver of app adoption and retention. (In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.

A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.

In the sense of providing a highly controlled environment, sandboxes may be seen as a specific example of virtualization. Sandboxing is frequently used to test unverified programs that may contain a virus or other malicious code, without allowing the software to harm the host device.)

Case Study in Organisational Security

118 employees of a trans-national company were interviewed about their compliance with access control.

  1. Conflict between security and productivity
  2. Role of social values highlighted
  3. Employees would grant access to other employees to escape emotional cost of denied access
  4. Provide another team with access as a bargaining chip for future relations

General Problem in Usable Security

Users value – productivity, utility, ease of use. If a secure system reduces utility and usability then users disengage.

Passive Security Notifications

Competition for attention reduces productivity, e.g. if users paid attention to passive security notifications like phishing bars, productivity would decrease drastically in return for negligible security benefits. Lack of attention could be due to:

  1. Habituation effects – provide only salient visual cues
  2. Insufficient visual cues
  3. Value conflict with productivity – more tricky

Authentication Systems

  1. Users bypass authentication systems to maximise productivity.
  2. Users share authentication credentials as a form of trust signalling or to avoid excessive delays in authorising newcomers
  3. Users do not trust providers of password managers and want to ensure they can always access their passwords
  4. Reputation – users may refuse to perform security actions to avoid embarrassment should they fail

Dealing with Users’ Misconceptions about Security

Users often don’t know if a computer system provides security.

  1. Users rely on incorrect heuristics to determine if it is secure.
  2. They have misconceptions on the nature of threats they face
  3. Their conception of security value differs from that imagined by the security engineers who design security technologies, i.e. security designers must design visual and interactional cues that signal security value to target users.

Value Sensitive Design and Security Research

Why are Value Conflicts so important?

  1. VSD forces security researchers to document the drivers of users’ behaviour
  2. Patterns of value conflicts may emerge for families of security mechanisms or user populations

For example: Delegated authentication might conflict with privacy oriented users. Workers who frequently hire interns might always attempt to bypass centralised access control systems.

  1. Service providers can tailor security propositions to harmonise with user expectations. Researchers can identify which types of technologies can be fixed and which ditched.
  2. Fully designing, evaluating and deploying a security artefact is costly. By anticipating failure in the wild – unsuitable artefacts can be eliminated earlier in the design cycle.
  3. VSD and security non-compliance: focusing on lab interactions can identify why users fail to use a security mechanism and improve it. However, this only works if the user already accepts the benefits of the security mechanism. There is a need to understand the root cause of disengagement by studying users’ rationales for not using a security mechanism.

Conclusion

Usable security experts must heed user preferences and priorities to create usable, effective and real life deployments of security mechanisms.