Usability and Security

More documents

Recommendations

Info

AppendixInterview with Martin WijnmaalenAfgestemd op 25 Maart 2008Each year we see the business environment become more complex and the scope of information securityexpand. New technologies, global connectivity and increased regulatory requirements continue to pushinformation security to new levels. When asked about the different authentication mechanisms discussedin this thesis, Martin says that identity and access management are one of the most important and mosttime consuming activities to address within organizations. Furthermore he says that security functionswithin companies spent a lot of time improving IT and operational efficiencies (e.g. password resets).Martin feels that the level of security depends on how important the data or object is that users, thusorganizations want to protect. A good example is the four-digit pin code used by the bank industry onATM cards. “No one wants unauthorized people to withdraw cash from the ATM using their ATM card.Keeping the four-digit pin code a secret is therefore not a problem for most users and the level of securityis considered to be sufficient, even if it’s not in line with ‘best practices’ when talking about passwordrequirements. Another example he gives is his own Blackberry. “The current pin code settings are so strictthat it has become in such a way ‘unusable’ and that easy to guess combinations are used, as a resultmaking the level of security lower”.Using physical access devices for information systems authentication such as biometrics is one activitywithin organizations he hasn’t come across so often. “Biometrics has been an active research field for thelast five years or so, stating that it could replace the use of passwords in the future but to my surprise it’sstill low on the agenda within many organizations” says Martin. On good reason might be the IT supportorganization that is required when implementing the use of biometrics in organizations. The type oforganizations is also a key factor when deciding on the type of measures to implement. An atomic powerplant e.g. would put more emphasis on adequate physical controls, than e.g. a bank, that would stress moreon adequate logical access controls.One access control method that could improve usability is Single Sign On (SSO) says Martin. Thetechnical complexity and the use of legacy systems within organizations can however make it difficult,time-consuming, and expensive to retrofit to existing applications.The ‘security function’ perspective also needs to be considered when talking about the relationshipbetween usability and security. Audit trail e.g. can be a very useful detective measure to implement but,needs to be setup in such a way that it can be used; “if not, what’s the use?”.According to Martin the starting point is identifying the risks and implementing appropriate measures thatare efficient and thus easy to use. The use of RFID (Radio-frequency identification) is a development wewant to keep a close watch on says Martin as he expects the use to increase rapidly in the coming years.28
Interview with Eric Velleman“The Bartiméus Accessibility Foundation was founded in 2001 and provides education and outreach in theform of information and training to businesses, (local) governments and other organizations concerningthe accessibility of the Internet for the elderly and people with disabilities” says Eric. The foundation isaccredited for performing accessibility and usability inspections on websites based on multimedia formatsused by the World Wide Web Consortium (W3C) and other consortia, such as the Web ContentAccessibility Guidelines (WCAG). In addition the foundation is involved in various projects.When asked about the relationship between usability and security Eric gives an example of the Cito exam,an end of primary school test in the Netherlands, which is taken using a personal computer. He says thatfrom a security perspective they’ve decided to enforce the computer to run only one application (the Citoexam application) at a time to prevent students from using a dictionary. This however, was making itimpossible to run other applications at the same time that would allow e.g. visibly impaired students totake the test. “This results in a less accessible and user-friendly system” he says.Furthermore he says that an important factor is creating awareness amongst suppliers, emphasizing theimportance of accessibility and usability.Eric doesn’t feel that there is a negative relationship between usability and security. “If usability is takeninto consideration from the start of the design phase neither usability or security would be an issue” hesays. A good example is ‘the talking digipass’ introduced by the SNS Bank to make online banking forvisually impaired possible. “SNS Bank was keen on making online banking accessible for everyone. Ifsecurity was a major issue, another solution would be required, but apparently it was not”.He supports the use of biometrics as an authentication mechanism and feels will help increase the level ofboth usability and security. “I know a lot of people that have their PIN code written down on a piece ofpaper or scratched on their ATM card” he says. This especially concerns elderly people. “The group ofelderly people will grow extensively in the next few years. This is almost 25% of the entire population” hesays. Authentication mechanisms are therefore required to be made more usable so we can servicedifferent target groups.Another example he gave was about the use of credit cards. He has been a victim of credit card fraud threetimes, where he was charged on his company credit card unwillingly. “This can be done very easily” hesays. “When you use your credit card at e.g. a restaurant, your credit card details can easily be copied29
Page 1 and 2: Usability and SecurityUniversity: V
Page 3 and 4: ACKNOWLEDGMENTSThis thesis covers t
Page 5 and 6: IntroductionThe developments in Inf
Page 7 and 8: idging the gap between theory and p
Page 9 and 10: 2.1.3 Usability componentsIn order
Page 11 and 12: custom approach 12 . An example of
Page 13: put usability and security amongst
Page 16 and 17: Security aspects:• Confidentialit
Page 18 and 19: ambiguous. Controlled answers offer
Page 20 and 21: 3.3.3 TokensIn this paragraph the t
Page 22 and 23: Security aspects:• Confidentialit
Page 24 and 25: The strengths, weaknesses and usabi
Page 26 and 27: conclude that the most efficient bi
Page 28 and 29: e guessed, which results in a low s
Page 30 and 31: To answer our main research questio
Page 34 and 35: Sources1 ISO 9241-11, Part 11: Guid

Usability and Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?