
Human Factors Engineering in Information Security – Part 1

Human factors engineering, often also called usability engineering, focuses on optimizing the interaction between humans and the tasks they perform. Starting in 1999, several information security professionals, myself included, have argued that much greater attention to usability considerations in information security is needed. Two of the first such individuals were Whitten and Tygar, who in 1999 published the results of a usability analysis and user testing of version 5.0 of PGP (Pretty Good Privacy), a program used to encrypt and digitally sign e-mail messages. Only users who were inexperienced in using cryptography were allowed to participate in this study. They were told to use PGP to encrypt, digitally sign, and send e-mail messages. An evaluation of users’ attempts to use this tool in this manner uncovered user interface design flaws that greatly increased the likelihood of user errors in interaction steps. When given 90 minutes to sign and encrypt an e-mail message using PGP 5.0, most users could not successfully complete this assignment. Whitten and Tygar concluded that even though PGP 5.0 has an attractive graphical user interface and superficially appears to be user friendly, for most users this tool is not sufficiently usable to be effective from an information security perspective.

Usability flaws in the PGP tool are not the only usability engineering problem in the information security arena. A team of researchers from Purdue University examined how user-friendly interaction with several commonly used authentication methods was. Password entry was the easiest from the standpoint of the number and difficulty level of user interaction steps. Biometric authentication devices were second best; they generally required only eight task steps, none of which was excessively difficult for users. Smart cards, on the other hand, did not fare well; the smart card authentication task sequences tested in this study required up to 14 additional steps compared to biometric authentication, and some of these steps significantly elevated the probability of user error. Token-based authentication was somewhat better than smart cards in terms of the number and difficulty level of interaction steps, but it was not as good as either password-based or biometric authentication. This research demonstrated that usability engineering design in numerous user authentication tasks needs to be improved, and it also provided empirical evidence for why users prefer password-based authentication, as dreadful as it might be from a security point of view.

I could describe more studies on usability engineering problems in information security-related user interaction tasks, but by now the point should be clear. Usability problems are ubiquitous in information security, yet little is being done to address them. Usability should be a major criterion in the selection of information security technology, but it generally is not. Instead we expect users to adjust to the technology, on the assumption that interacting with it may be difficult but is worth it because of the security benefits. We usually also do not perform adequate usability testing and user acceptance testing when we are choosing and implementing information security products, even though this is one of the most important things we should do. Indeed, we have a long way to go when it comes to understanding and applying the principles of human factors engineering.
