Search results

1 – 10 of over 7000
Article
Publication date: 12 August 2020

Bilal Naqvi, Nathan Clarke and Jari Porras

Abstract

Purpose

The purpose of this paper is to present an integrative framework for handling the security and usability conflicts during the system development lifecycle. The framework has been formulated while considering key concerns raised after conducting a series of interviews with practitioners from the industry. The framework is aimed at assisting system designers and developers in making reasonably accurate choices when it comes to the trade-offs between security and usability. The outcomes of using the framework are documented as design patterns, which are disseminated among the community of system designers and developers for use in other but similar contexts.

Design/methodology/approach

A design science research approach was used to develop the integrative framework for usable security. Interviews were conducted for identification of the key concerns; however, the framework was validated during a workshop. Moreover, to validate the patterns’ template and the usable security pattern identified after instantiating the framework, a survey instrument was used.

Findings

It is important to consider the usability aspect in the development of security systems; otherwise, the systems, despite being secure against attacks, would be susceptible to user mistakes leading to compromises. It is worthwhile to handle usable security concerns right from the start of the system development life cycle. Design patterns can help the developers in assessing the usability of their security options.

Practical implications

The framework would assist the designers and developers in handling the security and usability conflicts right from the start of the system development life cycle. The patterns documented after using the framework would help not only the designers and developers working in the industry but also freelancers.

Originality/value

The authors present a novel framework to handle the security and usability conflicts during the system development life cycle. The development process of the framework was driven by the concerns raised after a series of interviews with the practitioners from industry. The framework presented in this paper was validated during a workshop in which it was exposed for review and comments by the participants from the industry. To demonstrate the use of patterns in general and the framework in particular, a case study featuring smart grids from the domain of cyber-physical systems is presented, which (to the best of the authors’ knowledge) features the first work relevant to usable security in the domain of cyber-physical systems.

Details

Information & Computer Security, vol. 29 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 9 October 2017

Jeremiah D. Still, Ashley Cain and David Schuster

Abstract

Purpose

Despite the widespread use of authentication schemes and the rapid emergence of novel authentication schemes, a general set of domain-specific guidelines has not yet been developed. This paper aims to present and explain a list of human-centered guidelines for developing usable authentication schemes.

Design/methodology/approach

The guidelines stem from research findings within the fields of psychology, human–computer interaction and information/computer science.

Findings

Instead of viewing users as the inevitable weak point in the authentication process, this study proposes that authentication interfaces be designed to take advantage of users’ natural abilities. This approach requires that one understands how interactions with authentication interfaces can be improved and what human capabilities can be exploited. A list of six guidelines that designers ought to consider when developing a new usable authentication scheme has been presented.

Research limitations/implications

This consolidated list of usable authentication guidelines provides system developers with immediate access to common design issues impacting usability. These guidelines ought to assist designers in producing more secure products in fewer costly development cycles.

Originality/value

Cybersecurity research and development has mainly focused on technical solutions to increase security. However, the greatest weakness of many systems is the user. It is argued that authentication schemes with poor usability are inherently insecure, as users will inadvertently weaken the security in their efforts to use the system. The study proposes that designers need to consider the human factors that impact end-user behavior. Development from this perspective will address the greatest weakness in most security systems by increasing end-user compliance.

Details

Information & Computer Security, vol. 25 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 5 April 2021

Markus Lennartsson, Joakim Kävrestad and Marcus Nohlberg

Abstract

Purpose

For decades, literature has reported on the perceived conflict between usability and security. This mutual trade-off needs to be considered and addressed whenever security products are developed. Achieving well-balanced levels of both is a precondition for sufficient security as users tend to reject unusable solutions. To assess it correctly, usability should be evaluated in the context of security. This paper aims to identify and describe universally applicable and solution-independent factors that affect the perceived usability of security mechanisms.

Design/methodology/approach

The selected methodology was a systematic literature review during which multiple database resources were queried. Application of predefined selection criteria led to the creation of a bibliography before backward snowballing was applied to minimize the risk of missing material of importance. All 70 included publications were then analyzed through thematic analysis.

Findings

The study resulted in the identification of 14 themes and 30 associated subthemes representing aspects with reported influence on perceived usability in the context of security. While some of them were only mentioned sparsely, the most prominent and thus presumably most significant ones were: simplicity, information and support, task completion time, error rates and error management.

Originality/value

The identified novel themes can increase knowledge about factors that influence usability. This can be useful for different groups: end users may be empowered to choose appropriate solutions more consciously, developers may be able to avoid common usability pitfalls when designing new products and system administrators may benefit from a better understanding of how to configure solutions and how to educate users efficiently.

Details

Information & Computer Security, vol. 29 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 15 March 2013

Cristian Thiago Moecke and Melanie Volkamer

Abstract

Purpose

Email communication has been used for many years, and has begun to replace traditional, physical correspondence more and more. Compared to a traditional postal service, email services are easier, faster, and free of charge. Standard email, however, is, from a security point of view, more comparable to post cards than letters. Some security techniques and services exist, but few people use them due to lack of awareness, low usability, and a lack of understanding of Public Key Infrastructures (PKIs). A comprehensive comparison is missing, which makes it difficult for users to decide which email service to use. The purpose of this paper is to identify evaluation criteria covering security, usability, and interoperability aspects of email, and to apply them to existing email services.

Design/methodology/approach

The authors first define criteria based on literature review, threat analysis and expert consultation. These criteria are then applied, when applicable, to existing approaches including DKIM, SPF, PGP, S/MIME and Opportunistic Encryption, and to common secure email providers including Gmail, Hushmail, and De‐Mail.

Findings

None of the existing analysed services meets all the derived criteria. Based on the result of the application of these criteria and the corresponding comparison, the authors propose future directions for usable secure email communication.

Originality/value

The criteria proposed are original and allow an evaluation and a comparison of different email systems that not only considers security aspects, but also the relation and trade‐offs between security, usability and interoperability. Moreover, the trust assumptions involved are also considered.

Details

Information Management & Computer Security, vol. 21 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 16 October 2007

Almut Herzog and Nahid Shahmehri

Abstract

Purpose

This paper aims to present concrete and verified guidelines for enhancing the usability and security of software that delegates security decisions to lay users and captures these user decisions as a security policy.

Design/methodology/approach

This work is an exploratory study. The authors hypothesised that existing tools for runtime set‐up of security policies are not sufficient. As this proved true, as shown in earlier work, they apply usability engineering with user studies to advance the state‐of‐the‐art.

Findings

Little effort has been spent on how security policies can be set up by the lay users for whom they are intended. This work identifies what users want and need for a successful runtime set‐up of security policies.

Practical implications

Concrete and verified guidelines are provided for designers who are faced with the task of delegating security decisions to lay users.

Originality/value

The devised guidelines focus specifically on the set‐up of runtime security policies and therefore on the design of alert windows.

Details

Information Management & Computer Security, vol. 15 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 14 April 2020

Mona Mohamed, Joyram Chakraborty and Sharma Pillutla

Abstract

Purpose

The purpose of this study is to examine the effects of culture on the cross-cultural design of the recognition-based graphical password (RBG-P) interface as inferred from Chinese and Saudi subjects’ image selections.

Design/methodology/approach

The authors use a between-group design with two groups of participants from China and the Kingdom of Saudi Arabia to measure the differences caused by the effects of culture on graphical password image selections. Three hypotheses have been tested in a four-week long study carried out using two questionnaires and an RBG-P webtool designed for image selection.

Findings

The results have indicated that participants are equally biased not only toward their own culture but also depending on their opinions about other cultures. In addition, when creating the password, it has been observed that culture not only influenced the image selection to create the password but also had an effect on the sequence of the images forming the password.

Research limitations/implications

Image selection differences can be used appropriately in cross-cultural designs that will lead to better development of culturally adaptive interfaces that will boost the security posture of RBG-P authentication.

Practical implications

Some RBG-P interfaces that are produced outside the designer’s culture may suffer the effects of cultural differences. Hence, to incorporate culture in the interface, authentication systems within applications should be flexible by designing images that fit the culture in which the software will be used. To this end, access control interface testing should also be carried out in the environmental and cultural context in which it will be used.

Originality/value

This paper provides useful information for international developers who develop cross-cultural usable secure designs. In such environments, cross-cultural designs may have significant effects on the acceptability, adoption and adaptation of the interface to multi-cultural settings.

Details

Journal of Systems and Information Technology, vol. 22 no. 1
Type: Research Article
ISSN: 1328-7265

Article
Publication date: 29 March 2013

Tran Khanh Dang and Tran Tri Dang

Abstract

Purpose

By reviewing different information visualization techniques for securing web information systems, this paper aims to provide a foundation for further studies of the same topic. Another purpose of the paper is to discover directions in which there is a lack of extensive research, thereby encouraging more investigations.

Design/methodology/approach

The related techniques are classified first by their locations in the web information systems architecture: client side, server side, and application side. Then the techniques in each category are further classified based on attributes specific to that category.

Findings

Although there is much research on information visualization for securing the web browser user interface and server side systems, there are very few studies about the same techniques on the web application side.

Originality/value

This paper is the first published paper extensively reviewing information visualization techniques for securing web information systems. The classification used here offers a framework for further studies as well as in‐depth investigations.

Details

International Journal of Web Information Systems, vol. 9 no. 1
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 17 June 2019

Niraj Kumar Vishwakarma, Rohit Kumar Singh and R.R.K. Sharma

Abstract

Purpose

The technology used by an organization is significantly influenced by the organization’s preferred competitive capabilities. The Internet of things (IoT) is an important technology, which is implemented by most prominent business organizations. The purpose of this paper is to investigate the relationship between an organization’s strategies and the IoT architectures implemented by the organization.

Design/methodology/approach

This study has been carried out on primary data collected with the help of a structured questionnaire. The data have been analyzed by statistical techniques like cluster analysis and discriminant analysis through SPSS.

Findings

The empirical investigation of data revealed that there is a relationship between organizational strategy and IoT architectures. The three-layered architecture of the IoT is most suitable for caretakers; the three-, four- or five- layered architectures are suitable for marketeers; whereas innovators find it more suitable to use five- or more-layered architecture of the IoT. This paper draws the conclusion based on maximum likelihood rather than using statistical analyses like ANOVA. The idea behind using the maximum likelihood estimate is that there are many subjective parameters in deciding the architectures of the IoT. These subjective parameters are difficult to quantify, so it is not possible to apply ANOVA on these parameters.

Research limitations/implications

This study considers three organizational strategies; the relationship between other organizational strategies and IoT architecture will be studied in future.

Practical implications

This study offers multiple opportunities to practitioners and consulting firms of the IoT to adopt a suitable IoT architecture according to the organizational strategy. This study equips IoT development engineers to select suitable technology for data capturing, data transmission, and data management and access for an IoT architecture.

Originality/value

Although a lot of work has already been done on the architecture of IoT for different industries and businesses, to the best of our knowledge, this is the first study that relates organizational strategies to IoT architectures. This study applies to all the major industry types.

Details

Business Process Management Journal, vol. 26 no. 1
Type: Research Article
ISSN: 1463-7154

Details

Information Management & Computer Security, vol. 14 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 23 March 2010

Rodrigo Werlinger, Kasia Muldner, Kirstie Hawkey and Konstantin Beznosov

Abstract

Purpose

The purpose of this paper is to examine security incident response practices of information technology (IT) security practitioners as a diagnostic work process, including the preparation phase, detection, and analysis of anomalies.

Design/methodology/approach

The data set consisted of 16 semi‐structured interviews with IT security practitioners from seven organizational types (e.g. academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to analyze diagnostic work during security incident response.

Findings

The analysis shows that security incident response is a highly collaborative activity, which may involve practitioners developing their own tools to perform specific tasks. The results also show that diagnosis during incident response is complicated by practitioners' need to rely on tacit knowledge, as well as usability issues with security tools.

Research limitations/implications

Owing to the nature of semi‐structured interviews, not all participants discussed security incident response at the same level of detail. More data are required to generalize and refine the findings.

Originality/value

The contribution of the work is twofold. First, using empirical data, the paper analyzes and describes the tasks, skills, strategies, and tools that security practitioners use to diagnose security incidents. The findings enhance the research community's understanding of the diagnostic work during security incident response. Second, the paper identifies opportunities for future research directions related to improving security tools.

Details

Information Management & Computer Security, vol. 18 no. 1
Type: Research Article
ISSN: 0968-5227
