Security Usability

Auguste Kerckhoffs - the father of security usability

Security Usability
by Audun Jøsang
The importance of security usability was pointed out as early as 1883 by the Belgian cryptographer and linguist Auguste Kerckhoffs in two articles on cryptography. Kerckhoffs is most famous for establishing the principle that security should not be based on obscurity, or in his own words that "the system must not require secrecy and can be stolen by the enemy without causing trouble". One of the other security principles that Kerckhoffs established specifically relates to usability: "The system must be easy to use and must neither require stress of mind nor the knowledge of a long series of rules". Kerckhoffs' articles can be accessed at Fabien Petitcolas' website.
The characteristics of security usability are quite different from those of traditional usability. For example, if a computer has poor usability, then people will have trouble getting any useful function out of it. On the other hand, if security protection of the computer has poor usability, then it doesn't necessarily stop people from using and from getting useful functions out of it. Another interesting difference is in the reactions people can be met with. At worst, people with trouble using a computer could be ridiculed, whereas people with trouble protecting their computer could be swindled. Jøsang's security usability principles below can be used to test the usability of security systems. Principles A3 and C3 are directly derived from Kerckhoffs' principle.

Security Action Usability Principles:

A1. Users must understand which security actions are required of them.

A2. Users must have sufficient knowledge and the ability to take the correct security action.

A3. The mental and physical load of a security action must be tolerable.

A4. The mental and physical load of making repeated security actions for any practical number of instances must be tolerable.

Security Conclusion Usability Principles:

C1. Users must understand the security conclusion that is required for making an informed decision.

C2. The system must provide the user with sufficient information for deriving the security conclusion.

C3. The mental load of deriving the security conclusion must be tolerable.

C4. The mental load of deriving security conclusions for any practical number of instances must be tolerable.

Poor usability of security directly leads to security vulnerabilities that can be exploited by hackers and criminals. People are often the weakest link in the security chain of systems and applications. This serious problem is amplified by poor security usability. Although the problem of poor security usability was already pointed out by Kerckhoffs, it currently receives very little attention by researchers and developers.
Back to Homepage.
Last Updated 24 MArch 2011.