Applying Usability Testing And Techniques

To Develop User-Centered Security

By

Robert Stocker

CIS 732 - Fall, 2000

Design of Interactive Systems

Dr. Murray Turoff

December 18, 2000

Table of Contents:

1. Introduction

Figure 1: Growth of On-Line Business

2. Business applications and increased risk

Business Paradox:

Privacy and Social Issues:

Internal Users

3. User-Centered Security

Techniques for enhancing User-Centered Security:

4. Alternative Interface Methods for Security

Shared Secret

Public Key Infrastructure

Biometric Authentication:

Next Generation User Interfaces

Figure 2: Architecture of fingerprint user interface

Figure 3: Use of Fingerprint user interface on network environment

Figure 4: Technology Radar Screen

5. Security Design in the Development Framework

System Development Methodology

Figure 5: Summit D methodology Overview: Controlled Iteration:

Table 1: System Development Lifecycle

6. Conclusions

7. References

1. Introduction

This paper explores the requirements and development methods for user-centered security and its impact on the human computer interface. It is no secret that e-Commerce has been at the center of an explosion of new users onto the Internet. According to Forrester Research, global e-Commerce will approach $6.9 Trillion by 2004 (NUA, 2000), which translates into millions of additional users being added to the Internet and using on-line systems each year. Figure 1 illustrates the $1.4 Trillion share of that growth attributable to the US alone.

Figure 1: Growth of On-Line Business

Digital signature laws, which were primarily governed by the individual states, have now been standardized by a new federal regulation, which promises to encourage new business opportunities. Organizations now have the opportunity to exploit another marketing channel for financial transactions (such as purchasing life insurance on-line) but there are additional risks that come with on-line authentication.

With such growth in the number of casual users on the Internet (and in other applications), access security is clearly becoming a more important part of application development, and more effective user interface designs must be developed to improve user satisfaction and to ensure compliance. Usability testing and security must be merged in order to produce designs that will be accepted, and not circumvented, by the user. Alternative user interfaces, including biometric interfaces, need to be adopted, both for stronger security and to improve functionality.

2. Business applications and increased risk

Business Paradox:

On October 26, 2000 Microsoft disclosed that computer hackers had managed to obtain the plans and blueprints for future Microsoft products still in development. During the same year, the Meta Group reported that 9 out of 10 companies and government organizations had experienced security breaches. “For 42% of the companies who were willing (or able) to quantify the damages and financial losses, the total ran to $265M” (Passori, 2000).

And yet, a different Meta Group article stated that organizations that are able to provide an “infrastructure for employees, partners, and clients to find the concise relevant information they require to make decisions, with a minimum of effort, will have a significant competitive advantage in terms of efficiencies, service and satisfaction.” (Barnes, 2000).

These two statements illustrate a paradox in industry and government, where the need to meet tight deadlines, to compete effectively and to disseminate timely information usually outweighs any desire to mitigate the risks to the availability, integrity and accuracy of a computer system. Articles on improving the usability of high-volume applications such as Internet-based e-Commerce sites often do not mention security at all, and when they do, it is to warn against its ‘overuse’. For example, in a 1998 article on “Creating Usable e-Commerce sites”, Janice Rohn writes the following: “Do not require a login and password unless necessary. Customers are in the difficult situation of not wanting to use the same password everywhere, yet having too many passwords for different purposes to remember them all” (Rohn, 1998). And yet all e-commerce sites collect private customer data, including address, birth date, credit card numbers and other information, in a database that is accessible from the web and often stored outside the protection of the company firewall. The Gartner Group states that: “Security is essentially an economic proposition: If an asset is worth more than it costs to steal, it is insecure. Legitimate owners must understand the street value of their information resources or risk applying the wrong level of security to the wrong resources, with potentially disastrous results” (Hunter, 2000).

Identification of the user and access control lists (ACLs) together determine which processes the user will gain access to. ID and password authentication is typically the primary method of verification, attempting to establish that the user is the actual owner of an ID. There has been considerable research in role-based access control, password construction analysis, security directories such as the Lightweight Directory Access Protocol (LDAP), digital signatures, and hardware-based methods such as tokens or smartcards. However, while most past research has centered on controlling access to systems, the “usability of these mechanisms has rarely been investigated” (Adams, 1999).

“Considerations for users’ natural working patterns can strengthen the security of the system” (Zurko, 1996). Typically the security paradigm takes one of two directions. The oldest security model is based on security classifications and on the concept of least privilege or “need to know” (Zurko, 1996); the very nature of securing systems this way creates a challenge to usability. The other paradigm, of little or ineffective security policy, has come about with the advent of e-Commerce and on-line financial transactions. A stated privacy policy and the use of a browser-to-server Secure Sockets Layer (SSL) connection is recommended on page 114 of the Rohn article, but it may give the user a misleading and false confidence. SSL protects individual transactions in transit, but it does nothing for the data once stored, and many organizations do not take into consideration the risks to their data, systems or business reputations, implementing weak or ineffective policies in order to minimize the inconvenience to the customer. And if the user’s ID and password is compromised or forgotten, they must typically call customer service to have it reset. This creates even more frustration, and a channel through which an attacker can impersonate the user in order to gain unauthorized access to the system. It is far more effective, and gives the user a better sense of confidence, to have a well designed user security interface together with strong security policies in place.

Privacy and Social Issues:

Users have a strong motivation to protect their privacy, and security designers must balance the need to share information with the need for privacy of confidential data, particularly in the case of medical information. It is a paradox where medical data is the most personal and sensitive of all information, and yet provides maximum value to the user only if it is shared with healthcare providers or emergency room personnel (Rindfleisch, 1997).

Tessa Lau et al. propose developing a privacy interface to “provide users with a means of specifying their own individual privacy policies” (Lau et al., 1999). These interfaces should aid the user in selecting their own policy parameters, allow them to monitor and modify these policies as needed, and allow the policies to be extended to new objects as they are encountered (Lau et al., 1999). And yet the design should not prevent an emergency room doctor from gaining access to information in the case of an unconscious or critically ill patient.

No one security policy or architecture can be made to fit all application designs. This realization makes it that much more important to incorporate risk assessment, analysis, and design directly into the development methodology taking into account the need for privacy, confidentiality and security. “As we move toward the era of computerized medical record systems, we must design the systems from the start to accommodate evolving policies and security management technologies and develop standards to integrate and administer computerized health information systems prudently” (Rindfleisch, 1997).

Internal Users

Internally, an organization may have been adding new systems and infrastructures, all of which require distinct and unique passwords. Unfortunately, many users now need to remember multiple passwords for the various networks and applications that they use on a daily basis. Corporate password policies are inconsistent, and some passwords may need to be changed more frequently than others. Having more than just a few passwords reduces their memorability and increases insecure work practices, such as poor password design (for example selecting ‘password’ as the password) or simply writing passwords down in an open place, often as a note on the computer terminal. Users will use the shortest and easiest passwords that they can get away with, as limited by policy (if any exists). These are the types of passwords that are quickly compromised by someone who breaks into the computer system, copies the entire password file, and cracks its hashes offline with software freely available on the Internet, such as ‘cracker’ (Adams, 1999).
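The offline attack just described, as an added example that is not part of the original paper: an attacker who has copied the password file guesses against it with a wordlist. The block runs the same wordlist against two storage schemes so that the effect of the storage decision is visible. All users, passwords, the wordlist and the iteration count are constructed assumptions for the demonstration, not data from any real system.

```python
"""Added example, not code from the original paper: the offline attack the
text describes (copy the password file, then guess against it with a
wordlist) run against two storage schemes.  All users, passwords and the
wordlist are constructed for the demonstration."""
import hashlib
import os

# Constructed wordlist; real cracking tools ship with millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "admin"]

# Constructed accounts.  Two users chose dictionary words, one did not.
PASSWORDS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}


def unsalted_file(passwords):
    """Legacy storage: one unsalted MD5 digest per user, no work factor."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in passwords.items()}


def salted_file(passwords, iterations=50_000):
    """Per-user random salt plus a deliberately slow, iterated hash (PBKDF2)."""
    out = {}
    for u, p in passwords.items():
        salt = os.urandom(16)
        out[u] = (salt, iterations,
                  hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def crack_unsalted(pw_file, wordlist):
    """Hash each word once, then look every user up in that table.  The cost
    is one hash per word no matter how many users the file holds.
    Returns (cracked user -> password, number of hashes computed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[d] for u, d in pw_file.items() if d in table}
    return cracked, len(table)


def crack_salted(pw_file, wordlist):
    """Same wordlist, but the salt makes every (user, word) pair a separate
    slow computation: no shared table, and the cost grows with the number
    of users and with the iteration count.  Dictionary words still fall,
    which is why the policy coaching in section 4 matters as well."""
    cracked, work = {}, 0
    for u, (salt, iters, digest) in pw_file.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters) == digest:
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    c1, w1 = crack_unsalted(unsalted_file(PASSWORDS), WORDLIST)
    c2, w2 = crack_salted(salted_file(PASSWORDS), WORDLIST)
    print("unsalted MD5:  ", c1, "using", w1, "fast hashes")
    print("salted PBKDF2: ", c2, "using", w2, "slow hashes")
```

The point of the comparison is that salting and a work factor do not rescue a user who picked ‘password’; they only remove the attacker's ability to crack every account for the price of one pass over the wordlist. The password itself still has to be chosen well, which is the usability problem the rest of the paper addresses.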

3. User-Centered Security

According to the Meta Group, only 5% of the 2000 largest global companies have linked IT security policies with business policies. They have also observed that only the most effective organizations have created policies based on the results of a comprehensive risk assessment (Passori, 2000). However, while the assessment does much to identify sensitive information and critical systems, define appropriate security objectives, and “set a course for accomplishing those goals and objectives” (Passori, 2000), it does not address the need to develop systems and policies with usability in mind.

Any good system development life cycle methodology will require active and ongoing participation of the users in the development process, and yet when it comes to security there is often an inadequate amount of communication with the user during the design of the security mechanisms. As Adams stated: “Many of these mechanisms create overheads for users, or require unworkable user behavior. It is therefore hardly surprising to find that many users try to circumvent such mechanisms” (Adams, 1999). It is also important for interface designers to realize that user behavior is affected by the number of passwords a person has, whether each was selected by them or for them, and the frequency with which it must be changed. Users will in all likelihood also have multiple IDs and passwords outside of the work environment, “increasing the cognitive load of users” (Adams, 1999).

“User-centered security refers to security models, mechanisms, systems, or software that has usability as a primary motivation or goal. Most work on usability emphasizes design process and testing.” (Zurko, 1996). Particular attention must be paid to user interface design dimensions such as using simple and natural dialogue and minimizing the user's memory load, among others (Molich & Nielsen, 1990) (Turoff et al., draft book). Unfortunately, since the technology is constantly changing and user needs are so varied, it is difficult to develop an architecture that will always apply. However, the system development life cycle methodology can be modified to include security-usability testing and review several times throughout the design process, beginning in the systems requirements analysis stage. Zurko and Simon (1996) define three categories of work in enhancing the user friendliness of security:

Techniques for enhancing User-Centered Security:

Applying usability testing and techniques to secure systems: Zurko et al. recommend using low-tech methods such as design mock-ups on paper. However, a “Protocol Analysis is one of the most effective methods for assessing the usability of an information system, and for targeting aspects of the system that should be changed to improve usability” (Turoff et al., draft book). This category would be best served by performing a limited protocol analysis early in the life cycle and repeating it iteratively throughout the development of the system.

Developing security models and mechanisms for user-friendly systems (such as groupware). Technical and computer-aided support for any sort of collaborative effort can generically be referred to as groupware, which reflects a change in emphasis from "using the computer to solve problems to using the computer to assist in human interaction" (Ellis et al., 1991). Groupware has a unique set of circumstances, requiring users to work together in the same environment and to share the same resources. Traditionally, many such systems rely on database or operating system methods for controlling access among multiple users. Operating systems can restrict access to directories, files and applications, but cannot support group-level activities. Using programmatic interfaces, unique and customized desktop user interfaces can be built for multiple users, even on the same desktop computer (Cowart, 1995). However, operating system access controls alone are not sufficient for sharing applications among multiple users.

Database access controls allow a finer granularity of access to database filespaces, tables, columns or individual data elements for multiple users. With modern relational database management systems, multiple users may be given access to the data via group-level authority, through an application, or as individuals. However, the access check (authorization) only occurs once the user has attempted to invoke an operation such as read, write or update; it is not part of the interface that led the user there.

The majority of research by the computer-human interface community has been in the groupware area, because of the need to add appropriate controls between the simultaneous users of multi-user systems. Dewan et al. have written about the need to control higher-level logical operations such as window position and resizing or scrollbar controls, which can only be restricted via user-protected interface objects, inheritance based on include and imply relationships, and interaction and coupling rights (Dewan, 1998).

Considering user needs as a primary design goal at the start of secure system development. When following the system development life cycle (SDLC), the risk to the business should be assessed in terms of confidentiality, integrity and availability during the system requirements analysis phase of the life-cycle (PWC, 1997):

  • Confidentiality is keeping information secret or private within a pre-determined group. The loss of confidential information may be a factor in losing competitive advantage, or may lead to legal or ethical liability.
  • Integrity is the confidence that the quality of the data is accurate and complete.
  • Availability refers to the accessibility and usability of the application and data.
  • User-Centered Security requirements should then be derived from the risk analysis and the framework for implementation developed.

4. Alternative Interface Methods for Security

Shared Secret

In order to motivate people to use passwords properly, several factors must be addressed. Treating the user as the enemy, as security staff often do, is very counterproductive; in much the same way that an application is developed by enlisting and involving motivated users, security development must follow the same methods. Involving the user in the design process will help gain understanding and buy-in, and many user-centric design issues will have a better chance of being addressed. The users should be involved in setting the security policies: password length and time to expiration; whether the password is computer-generated or chosen by the user; whether the application ‘coaches’ the user when the selection is too weak to be secure; what the procedure is after three incorrect tries; and what happens if the user forgets their password. All of these policy issues need to be addressed during the analysis and design phase of the user interface (Cobit, 2000).
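The policy decisions listed above, turned into working code as an added example (not code from the paper or from any of its sources): a policy expressed as data, a ‘coach’ that tells the user why a candidate password was rejected instead of a bare “invalid password”, an account that enforces expiration and the lock-out after three failures, and a one-time-token path for a forgotten password as an alternative to the customer-service reset that section 2 identifies as an impersonation risk. The policy values, user names, dictionary and token scheme are all constructed assumptions for the demonstration.

```python
"""Added example (not from the paper): password policy as data, a coach that
explains rejections, lock-out after N failures, expiration, and a one-time
reset token for the forgotten-password case.  Policy values, the small
dictionary and the user names are constructed assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Policy:
    min_length: int = 8
    max_age_days: int = 90
    max_attempts: int = 3
    # Constructed stand-in for a real cracking wordlist / breached-password list.
    dictionary: frozenset = frozenset({"password", "letmein", "welcome", "qwerty"})


def coach(candidate: str, user_id: str, policy: Policy) -> List[str]:
    """Return the reasons a candidate is too weak (empty list = accepted).
    Each message names the rule that failed, so the user can fix the choice
    instead of guessing what the system wants."""
    reasons = []
    low = candidate.lower()
    if len(candidate) < policy.min_length:
        reasons.append(f"use at least {policy.min_length} characters")
    if low in policy.dictionary:
        reasons.append("this is a common password found in cracking wordlists")
    if user_id.lower() in low:
        reasons.append("do not include your user id")
    classes = sum(any(f(c) for c in candidate)
                  for f in (str.isupper, str.islower, str.isdigit))
    if classes < 2:
        reasons.append("mix at least two of: upper case, lower case, digits")
    return reasons


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    policy: Policy
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    set_on: date = field(default_factory=date.today)
    failures: int = 0
    locked: bool = False
    reset_token: Optional[str] = None

    def set_password(self, candidate: str, today: Optional[date] = None) -> List[str]:
        """Apply the coach; only an accepted password replaces the old one."""
        problems = coach(candidate, self.user_id, self.policy)
        if problems:
            return problems
        self.pw_hash = _hash(candidate, self.salt)
        self.set_on = today or date.today()
        self.failures, self.locked = 0, False
        return []

    def expired(self, today: date) -> bool:
        return today - self.set_on > timedelta(days=self.policy.max_age_days)

    def login(self, candidate: str, today: date) -> str:
        """'ok', 'expired', 'locked', or 'denied (n attempts left)'."""
        if self.locked:
            return "locked"              # the after-three-tries procedure applies
        if hmac.compare_digest(_hash(candidate, self.salt), self.pw_hash):
            self.failures = 0
            return "expired" if self.expired(today) else "ok"
        self.failures += 1
        if self.failures >= self.policy.max_attempts:
            self.locked = True
            return "locked"
        return f"denied ({self.policy.max_attempts - self.failures} attempts left)"

    def issue_reset_token(self) -> str:
        """Forgotten-password path: a one-time token the user must prove
        possession of (delivered out of band, e.g. to a registered address)
        instead of convincing a help-desk agent over the phone."""
        self.reset_token = secrets.token_urlsafe(16)
        return self.reset_token

    def reset_with_token(self, token: str, candidate: str,
                         today: Optional[date] = None) -> List[str]:
        if not self.reset_token or not secrets.compare_digest(token, self.reset_token):
            return ["reset token invalid or already used"]
        self.reset_token = None          # single use, whether or not the new password passes
        return self.set_password(candidate, today)
```

Two design choices are worth noting. The coach returns every failed rule at once rather than the first one, so the user can fix the whole choice in a single round trip, and a rejected candidate never touches the stored hash. The reset token is consumed on first presentation even if the new password is then rejected, so a token that was intercepted cannot be replayed once the legitimate user has tried it.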

Of course, with the new technology options available, passwords may not be the only solution to the security challenges. During the requirements analysis phase, the risk assessment may indicate that stronger authentication is necessary. Also, the results of an early usability test may indicate that users will need an alternative to password controls. Other options include hardware tokens, public key cryptography or biometric authentication.

Authentication is usually a combination of: 1) What you know, 2) Who you are, 3) What you have. A reasonable security architecture can be any combination of these three forms, with a minimum of two recommended (Cobit, 2000). An ID and password are a form of ‘shared secret’ between a user and the computer, e-commerce web site or ATM. This requires trust on both sides, and anyone compromising a password may be granted ultimate authority over the system (Corcoran, 1999). If designed well, interfaces based on a shared secret can be made to conform with the design dimensions listed in the draft book (Turoff et al., draft book).

Public Key Infrastructure

Some individuals and companies are now turning to Public Key Infrastructure (PKI) to replace the shared secret method of security. As defined by Corcoran: “PKI uses a standardized set of transactions using asymmetric public key cryptography, a more secure and potentially much more functional mechanism for access to digital resources. The same system could also be used for securing physical access to controlled environments, such as your home or office” (Corcoran, 1999).