Human Factors in Information Security – Part 5
I’ve written quite a few blog entries on human factors in information security because this highly important area is paradoxically one of the most overlooked ones in the entire information security arena. I’ve described many of the problems that lack of attention to usability engineering has caused and have called for a much greater emphasis on usability considerations in information security technology and procedures. I’d like to close this series with a discussion of some of the most important basic principles of human factors/usability engineering.
- Make interaction sequences as simple and intuitive as possible. Users should not need training to be able to correctly perform most interaction sequences.
- Provide meaningful and simply worded prompts that make it clear what each user should do next. If users are not sure what to do next, they should be able to figure it out readily because to-the-point, easy-to-comprehend prompts pointing to the correct next step are always available.
- Ensure that no interaction step requires actions that exceed users’ physical and mental limitations. Short-term memory limitations are particularly important: when humans are presented with too much information at once, short-term memory breaks down, resulting in poor task performance (including a much elevated error rate). Human factors experts tell us that although in theory short-term memory is limited to seven plus or minus two chunks of information, recent empirical evidence suggests that the real limitation is more like four or five plus or minus two chunks.
- For complex and/or very redundant data, display patterns (not details) by default. Users should then be able to drill down to details at will. Perceiving a pattern is much easier for humans than keeping track of many details, both because of short-term memory limitations and because human visual pattern recognition is so proficient.
- Ensure that widely accepted conventions for displaying colors and symbols are used. For example, red should be reserved for indicating danger or emergency conditions; this convention is universally accepted. Green should indicate normal or safe conditions.
- Provide meaningful and rapid feedback for each step of user interaction sequences. Users need to know with certainty that each task step they have performed was correct or incorrect. Research shows that receiving such feedback promptly greatly facilitates task performance, whereas delayed feedback does not help or may in fact actually degrade performance.
- Avoid cluttered displays, or at least give users the ability to easily declutter them. Empirical studies show that cluttered displays not only slow task performance, but also produce an increased number of errors due to overlooking critical display elements.
- Keep menu levels shallow, not deep. To put it simply, deep menus result in users getting lost in the menu structure.
- Provide different interaction sequences for users with different levels of knowledge, experience and ability. Novice users benefit greatly from graphical user interfaces because of their intuitiveness. More experienced users benefit more from quick and efficient interaction sequences that require higher levels of expertise, such as entering commands in command line interfaces.
- Offer intuitive and simple recoverability from user errors. When users make errors, they should be provided with simple and courteously worded messages that help them understand what they did wrong and what they should do to get back on the right track.
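To make the prompt, feedback and error-recovery principles above concrete in a security control, here is an added example (not code from the original post or from any product it mentions) of a password policy check written two ways. The function names, the rule set and the tiny list of common passwords are all constructed for illustration: `vague_check` returns the opaque "Invalid password." verdict that leaves users guessing, while `check_passphrase` evaluates every rule in one pass and reports, for each failure, what was wrong and what to do next.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the breach-derived list a real deployment would
# load; kept tiny so the example runs offline.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12  # assumed policy value, not taken from the post


@dataclass
class PolicyResult:
    accepted: bool
    problems: list  # each entry: (what went wrong, what to do next)

    def message(self) -> str:
        """Render feedback the way the post recommends: plain words and one
        concrete next step per problem, never a bare 'invalid'."""
        if self.accepted:
            return "Your passphrase meets the policy. You can continue."
        lines = ["Your passphrase wasn't accepted yet. To fix it:"]
        for what, fix in self.problems:
            lines.append(f"  - {what} {fix}")
        return "\n".join(lines)


def vague_check(candidate: str, username: str) -> str:
    """The anti-pattern: a single opaque verdict with no path to recovery."""
    ok = (len(candidate) >= MIN_LENGTH
          and candidate.lower() not in COMMON_PASSWORDS
          and username.lower() not in candidate.lower()
          and not re.search(r"(.)\1{3,}", candidate))
    return "OK" if ok else "Invalid password."


def check_passphrase(candidate: str, username: str) -> PolicyResult:
    """Evaluate every rule (not just the first failure) so the user gets all
    the feedback in one round instead of looping through repeated rejections."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append((
            f"It is {len(candidate)} characters long; at least {MIN_LENGTH} are required.",
            "Try a short sentence or several unrelated words.",
        ))
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append((
            "It appears on a list of very common passwords.",
            "Choose something that is not a well-known word or number sequence.",
        ))
    if username and username.lower() in candidate.lower():
        problems.append((
            "It contains your username.",
            "Remove your username from it.",
        ))
    if re.search(r"(.)\1{3,}", candidate):
        problems.append((
            "It repeats the same character four or more times in a row.",
            "Break up the repeated run with different characters.",
        ))
    return PolicyResult(accepted=not problems, problems=problems)


if __name__ == "__main__":
    # Same input, two very different user experiences.
    print(vague_check("alice1111", "alice"))
    print(check_passphrase("alice1111", "alice").message())
    print(check_passphrase("correct horse battery", "alice").message())
```

The design choice worth noting is that `check_passphrase` collects all failures before returning: reporting only the first one forces the user through several reject-and-retry cycles, which is exactly the delayed, piecemeal feedback the post warns against.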
By presenting these fundamental human factors/usability engineering principles, I have only scratched the surface. If you want to learn more about them (and I very much hope you do), you might want to start by reading ISO standard 9241. In closing, suffice it to say that there is much to gain and little to lose in learning about, considering and applying these principles in the information security arena as well as in others.