Usability and Security

More documents

Recommendations

Info

To answer our main research question: "To what extent is it possible to have a sufficient level of security,without losing usability?We have performed literary studies and analyzed case studies of tradeoffs between usability and securityfor various authentication mechanisms. We can conclude that a balanced level of usability and securitycan be obtained for each authentication mechanism and that security is not at the expense of usability orvice versa. Usability and security can co-exist and the extent to which an optimal balance between thesetwo aspects can be achieved is particularly determined by the following factors:• type of organization;• type of process;• the importance and sensitivity of the information that needs to be protected;• target audience.7 ReflectionTerren ChongI have always been very interested in doing business online (e-commerce) and have been involved (andstill is) in various website projects. Already familiar with the term web usability and research papers ofJacob Nielsen (some say, the ‘usability guru’), I knew I had to do something with usability. In thebeginning, I wasn’t sure how to incorporate the subject so it would relate to the postgraduate IT auditprogram, but found out soon that this would not be an issue.The idea to investigate the relationship between usability and security started when a client told me thattheir employees were writing their passwords down because they could not remember it. I was actually abit surprised, because the password policy at that time was not in line with best practice.The ‘real work’ started for me in January when I came back from my holidays. We had handed over ourplan of approach the month before and the actual work was ahead of us. Not sure what we would find onliterature, we kicked-off our literary study mid-January. The initial plan was to write the thesis in Dutch,but after a few days searching on the Internet, including electronic book repositories (e-books), I realizedthat there wasn’t sufficient material available or studies conducted in Dutch that would support theresearch question and overall topic. One-fourth of the thesis was already written in Dutch and with a busyperiod at work and overseeing that the actual time left to work on the thesis was limited, Andrew and Idecided to ‘switch’ to English. In my opinion it was the right choice to make. The risk of a possible delaywas accepted, but could not be avoided as the pressure was clearly felt in the last two weeks. Sundaysbecame a typical ‘thesis day’ were I would meet with Andrew for the day.The financial statement audit is important in meeting investor expectations. As an IT-auditor and havingkey-role in the financial statement audit, I feel that we need to pay more attention when writing ourrecommendations and not only recommend because it is considered to be a best practice, but to make therecommendation a piece of advise that the company would actually use or at least consider to implement.A good example is e.g. our advice on password policies. This not only concerns our role in financialstatement audits, but any audit and assurance related assignments where we are involved in.26
I would concentrate future research on creating a framework for usability and security. A framework thatwould take the following elements into consideration:- Type of organization/ industry;- The information being protected;- Authentication mechanism;- Component;- Usability level;- Security level;- Overall rating.Furthermore I have gained more interest in learning about RFID, single sign on implementations and thepossibilities of three-factor authentication mechanisms.Andrew CheungI have experienced a lot of times at client’s site during financial audits that we only focus on the securitypart and make recommendations which are actually justifiable but it does not take into account the actualusability of the specific process would drop dramatically. That’s why I wanted to focus on this subject, tobe able to make an initial discussion to determine the relationship between usability and security.During the studies period, I was sent to Germany for a project, so every week I fly off and on, which wasnot that beneficial to the thesis and also the time I could spend on my studies. That’s why Sundays becamea typical ‘thesis day’ were we would meet with each other for the whole day. We also found out there wasquite limited information (or hard to find) to be able to understand the relationship between usability andsecurity.For further research I would recommend is to focus on the actual types of two or three way factorauthentication and performing an inquiry, more interviews and performing field researches to investigateand actually measure the tradeoff between usability and security in practice. Furthermore I would alsofocus on the possibility to use two of three way factor authentication with single sign on. Another researchwhich we think is also of great value is to develop a framework to assess both usability and security27
Page 1 and 2: Usability and SecurityUniversity: V
Page 3 and 4: ACKNOWLEDGMENTSThis thesis covers t
Page 5 and 6: IntroductionThe developments in Inf
Page 7 and 8: idging the gap between theory and p
Page 9 and 10: 2.1.3 Usability componentsIn order
Page 11 and 12: custom approach 12 . An example of
Page 13: put usability and security amongst
Page 16 and 17: Security aspects:• Confidentialit
Page 18 and 19: ambiguous. Controlled answers offer
Page 20 and 21: 3.3.3 TokensIn this paragraph the t
Page 22 and 23: Security aspects:• Confidentialit
Page 24 and 25: The strengths, weaknesses and usabi
Page 26 and 27: conclude that the most efficient bi
Page 28 and 29: e guessed, which results in a low s
Page 32 and 33: AppendixInterview with Martin Wijnm
Page 34 and 35: Sources1 ISO 9241-11, Part 11: Guid

Usability and Security

Create successful ePaper yourself

Delete template?

Save as template?