TY - GEN
T1 - An experimental system for studying the tradeoff between usability and security
AU - Ben-Asher, Noam
AU - Meyer, Joachim
AU - Möller, Sebastian
AU - Englert, Roman
PY - 2009/10/12
Y1 - 2009/10/12
N2 - An ideal system should be usable and secure. However, increasing the security of a system often makes its use more cumbersome and less efficient. This tradeoff between usability and security poses major challenges for system designers. System security may be impaired when users override or ignore security features to facilitate the use of the system. Little empirical data are available on user behavior regarding the tradeoff between security and usability. To obtain such data we developed a controlled research environment (i.e., a microworld) for studying users' tendency to take precautionary actions as a function of the tradeoff between a system's usability and the level of security the system provides. It is a modified version of a "Tetris" game and includes an alert system that warns about possible virus attacks, which, if not prevented, can cause losses of monetary earnings. Users could alter the threshold settings of the security system. The system allows us to manipulate the usability cost of using a security feature, the severity of the consequences of an attack, the likelihood that a threat will occur, and the statistical properties of the security system. In a preliminary experiment two groups of 10 participants each used the system for three 20-minute sessions. The likelihood of an attack was four times higher for one group than for the other group. The likelihood of an attack clearly affected participants' behavior. When attacks were more likely, participants altered thresholds more frequently, selected more cautious thresholds, and tended to respond more to security system alerts. This microworld is a step towards the development of quantitative predictive models of user interactions with security features while using a system.
KW - Alerts
KW - Experimental system
KW - Security
KW - Security settings
KW - Usability
UR - http://www.scopus.com/inward/record.url?scp=70349694534&partnerID=8YFLogxK
U2 - 10.1109/ARES.2009.174
DO - 10.1109/ARES.2009.174
M3 - Conference contribution
AN - SCOPUS:70349694534
SN - 9780769535647
T3 - Proceedings - International Conference on Availability, Reliability and Security, ARES 2009
SP - 882
EP - 887
BT - Proceedings - International Conference on Availability, Reliability and Security, ARES 2009
T2 - International Conference on Availability, Reliability and Security, ARES 2009
Y2 - 16 March 2009 through 19 March 2009
ER -
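The abstract describes four manipulable quantities (usability cost of an alert, severity of a missed attack, attack likelihood, and the statistical properties of the detector) and reports that participants chose more cautious thresholds when attacks were four times more likely. The following is an added illustration, not the microworld software from the paper: it assumes a hypothetical equal-variance Gaussian detector (benign events score around 0, attacks around 2, sigma 1), charges a usability cost for every alert the user must respond to and an earnings loss for every missed attack, and computes the threshold that minimises expected loss. All parameter values are assumptions chosen for the example, not numbers reported by the authors.

```python
"""Expected-loss model of the usability/security threshold tradeoff.

Added illustration; NOT the microworld software from Ben-Asher et al.
Assumed model (hypothetical): every game event yields a detector score,
attacks score higher on average than benign events (equal-variance
Gaussians), and the user picks a threshold above which the alert fires.
A lower threshold is the "more cautious" setting: more attacks are caught,
but more alerts interrupt play, which is the usability cost.
"""
import random
from math import log
from statistics import NormalDist

# Hypothetical detector statistics (assumed, not values from the paper).
BENIGN_MEAN = 0.0
ATTACK_MEAN = 2.0
SIGMA = 1.0
_N = NormalDist(mu=0.0, sigma=SIGMA)


def alert_rates(threshold):
    """Return (hit_rate, false_alarm_rate) for a given threshold."""
    hit = 1.0 - _N.cdf(threshold - ATTACK_MEAN)
    false_alarm = 1.0 - _N.cdf(threshold - BENIGN_MEAN)
    return hit, false_alarm


def expected_loss(threshold, p_attack, miss_cost, alarm_cost):
    """Expected loss per event.

    A missed attack costs earnings (miss_cost); every alert, true or false,
    costs the user time to respond (alarm_cost). Each term is weighted by
    how often that kind of event occurs.
    """
    hit, false_alarm = alert_rates(threshold)
    miss_term = p_attack * (1.0 - hit) * miss_cost
    alarm_term = (p_attack * hit + (1.0 - p_attack) * false_alarm) * alarm_cost
    return miss_term + alarm_term


def optimal_threshold(p_attack, miss_cost, alarm_cost):
    """Closed-form minimiser of expected_loss for the Gaussian model.

    Setting d/dt expected_loss = 0 gives
        p*(miss_cost-alarm_cost)*phi(t-d) = (1-p)*alarm_cost*phi(t),
    which solves to t = d/2 - (sigma^2/d) * ln(ratio).
    """
    if miss_cost <= alarm_cost:
        raise ValueError("model assumes a missed attack costs more than an alert")
    ratio = p_attack * (miss_cost - alarm_cost) / ((1.0 - p_attack) * alarm_cost)
    return ATTACK_MEAN / 2.0 - (SIGMA ** 2 / ATTACK_MEAN) * log(ratio)


def best_threshold_on_grid(p_attack, miss_cost, alarm_cost,
                           lo=-1.0, hi=4.0, step=0.01):
    """Brute-force check of optimal_threshold over a threshold grid."""
    n = int(round((hi - lo) / step)) + 1
    grid = [lo + i * step for i in range(n)]
    return min(grid, key=lambda t: expected_loss(t, p_attack, miss_cost, alarm_cost))


def simulate_session(threshold, p_attack, miss_cost, alarm_cost,
                     n_events=600, seed=1):
    """Monte Carlo session with constructed events (not data from the paper).

    Returns counts of attacks, alerts and misses plus the total loss, so
    the effect of a threshold choice can be seen on a single sample run.
    """
    rng = random.Random(seed)
    attacks = alerts = misses = 0
    loss = 0.0
    for _ in range(n_events):
        is_attack = rng.random() < p_attack
        attacks += is_attack
        score = rng.gauss(ATTACK_MEAN if is_attack else BENIGN_MEAN, SIGMA)
        if score > threshold:
            alerts += 1           # user is interrupted to handle the alert
            loss += alarm_cost
        elif is_attack:
            misses += 1           # attack went through, earnings lost
            loss += miss_cost
    return {"attacks": attacks, "alerts": alerts, "misses": misses, "loss": loss}


if __name__ == "__main__":
    # Mirror the experiment's manipulation: one group faces attacks
    # four times as often as the other (assumed rates 0.05 vs 0.20).
    for p in (0.05, 0.20):
        t_star = optimal_threshold(p, miss_cost=100.0, alarm_cost=5.0)
        hit, fa = alert_rates(t_star)
        print(f"p_attack={p:.2f}  optimal threshold={t_star:.2f}  "
              f"hit={hit:.2f}  false_alarm={fa:.2f}")
        print("  sample session:", simulate_session(t_star, p, 100.0, 5.0))
```

With the assumed costs (a missed attack costs 100, an alert 5) the optimal threshold drops from 1.00 at a 5 % attack rate to about 0.22 at 20 %, i.e. a rational user in the high-likelihood group should accept roughly twice the false-alarm rate to catch more attacks, which is the direction of the behavioural shift the abstract reports. Raising `alarm_cost` (a more cumbersome security feature) pushes the optimum back up, which is the usability side of the tradeoff.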