Chamila Wijayarathna,Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1805.09487

2018-05-24

Abstract:Lack of usability of security Application Programming In- terfaces (APIs) is one of the main reasons for mistakes that programmers make that result in security vulnerabilities in software applications they develop. Especially, APIs that pro- vide cryptographic functionalities such as password hashing are sometimes too complex for programmers to learn and use. To improve the usability of these APIs to make them easy to learn and use, it is important to identify the usability issues exist on those APIs that make those harder to learn and use. In this work, we evaluated the usability of SCrypt password hashing functionality of Bouncycastle API to identify usabil- ity issues in it that persuade programmers to make mistakes while developing applications that would result in security vulnerabilities. We conducted a study with 10 programmers where each of them spent around 2 hours for the study and attempted to develop a secure password storage solution us- ing Bouncycastle API. From data we collected, we identified 63 usability issues that exist in the SCrypt implementation of Bouncycastle API. Results of our study provided useful insights about how security/cryptographic APIs should be designed, developed and improved to provide a better experi- ence for programmers who use them. Furthermore, we expect that this work will provide a guidance on how to conduct usability evaluations for security APIs to identify usability issues exist in them.

Cryptography and Security

Hans-Joachim Hof

DOI: https://doi.org/10.48550/arXiv.1506.07167

2015-06-23

Abstract:Nowadays, advanced security mechanisms exist to protect data, systems, and networks. Most of these mechanisms are effective, and security experts can handle them to achieve a sufficient level of security for any given system. However, most of these systems have not been designed with focus on good usability for the average end user. Today, the average end user often struggles with understanding and using security mechanisms. Other security mechanisms are simply annoying for end users. As the overall security of any system is only as strong as the weakest link in this system, bad usability of IT security mechanisms may result in operating errors, resulting in insecure systems. Buying decisions of end users may be affected by the usability of security mechanisms. Hence software providers may decide to better have no security mechanism then one with a bad usability. Usability of IT security mechanisms is one of the most underestimated properties of applications and systems. Even IT security itself is often only an afterthought. Hence, usability of security mechanisms is often the afterthought of an afterthought. Software developers are missing guidelines on how to build security mechanisms with good usability for end users. This paper presents some guidelines that should help software developers to improve end user usability of security-related mechanisms, and analyzes common applications based on these guidelines.

Cryptography and Security

Brain Glass,Graeme Jenkinson,Yuqi Liu,M. Angela Sasse,Frank Stajano

DOI: https://doi.org/10.48550/arXiv.1607.03417

IF: 6.4588

2016-07-12

Human-Computer Interaction

Abstract:Over the past 15 years, researchers have identified an increasing number of security mechanisms that are so unusable that the intended users either circumvent them or give up on a service rather than suffer the security. With hindsight, the reasons can be identified easily enough: either the security task itself is too cumbersome and/or time-consuming, or it creates high friction with the users` primary task. The aim of the research presented here is to equip designers who select and implement security mechanisms with a method for identifying the ``best fit`` security mechanism at the design stage. Since many usability problems have been identified with authentication, we focus on ``best fit`` authentication, and present a framework that allows security designers not only to model the workload associated with a particular authentication method, but more importantly to model it in the context of the user`s primary task. We draw on results from cognitive psychology to create a method that allows a designer to understand the impact of a particular authentication method on user productivity and satisfaction. In a validation study using a physical mockup of an airline check-in kiosk, we demonstrate that the model can predict user performance and satisfaction. Furthermore, design experts suggested personalized order recommendations which were similar to our model`s predictions. Our model is the first that supports identification of a holistic fit between the task of user authentication and the context in which it is performed. When applied to new systems, we believe it will help designers understand the usability impact of their security choices and thus develop solutions that maximize both.

Michael D. Iannacone,Robert A. Bridges

DOI: https://doi.org/10.48550/arXiv.1902.00053

2019-10-25

Abstract:Metrics and frameworks to quantifiably assess security measures have arisen from needs of three distinct research communities - statistical measures from the intrusion detection and prevention literature, evaluation of cyber exercises, e.g.,red-team and capture-the-flag competitions, and economic analyses addressing cost-versus-security tradeoffs. In this paper we provide two primary contributions to the security evaluation literature - a representative survey, and a novel framework for evaluating security that is flexible, applicable to all three use cases, and readily interpretable. In our survey of the literature we identify the distinct themes from each community's evaluation procedures side by side and flesh out the drawbacks and benefits of each. The evaluation framework we propose includes comprehensively modeling the resource, labor, and attack costs in dollars incurred based on expected resource usage, accuracy metrics, and time. This framework provides a unified approach in that it incorporates the accuracy and performance metrics, which dominate intrusion detection evaluation, the time to detection and impact to data and resources of an attack, favored by educational competitions' metrics, and the monetary cost of many essential security components used in financial analysis. Moreover, it is flexible enough to accommodate each use case, easily interpretable and comparable, and comprehensive in terms of costs <a class="link-external link-http" href="http://considered.Finally" rel="external noopener nofollow">this http URL</a>, we provide two examples of the framework applied to real-world use cases. Overall, we provide a survey and a grounded, flexible framework with multiple concrete examples for evaluating security which can address the needs of three currently distinct communities.

Cryptography and Security

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Helen Jiang,Erwen Senge

DOI: https://doi.org/10.48550/arXiv.2008.07738

2020-08-18

Computers and Society

Abstract:While the applications and demands of Machine learning (ML) systems in mental health are growing, there is little discussion nor consensus regarding a uniquely challenging aspect: building security methods and requirements into these ML systems, and keep the ML system usable for end-users. This question of usable security is very important, because the lack of consideration in either security or usability would hinder large-scale user adoption and active usage of ML systems in mental health applications. In this short paper, we introduce a framework of four pillars, and a set of desired properties which can be used to systematically guide and evaluate security-related designs, implementations, and deployments of ML systems for mental health. We aim to weave together threads from different domains, incorporate existing views, and propose new principles and requirements, in an effort to lay out a clear framework where criteria and expectations are established, and are used to make security mechanisms usable for end-users of those ML systems in mental health. Together with this framework, we present several concrete scenarios where different usable security cases and profiles in ML-systems in mental health applications are examined and evaluated.

Steven Furnell

DOI: https://doi.org/10.1093/iwc/iwad035

2024-01-23

Interacting with Computers

Abstract:Abstract Encounters and interactions with cybersecurity are now regular and routine experiences for information technology users across a variety of devices, systems and services. Unfortunately, however, despite long-term recognition of the importance of usability in the technology context, the user experience of cybersecurity and privacy is by no means guaranteed to address this criterion. This paper presents an outline of usability issues and challenges in the cybersecurity context, with examples of how it has (or indeed has not) evolved in some established contexts (looking in particular at web browsing and user authentication), as well as consideration of the extent to which any better attention is apparent within more recent and emerging technology contexts (considering the presentation of related features in scenarios including app stores and smart devices). Based on the evidence, cybersecurity is clearly yet to reach a stage where its mention would naturally imply usability, but at the same time the two concepts do not have to represent a contradiction in terms. The resulting requirement is for the increasing recognition of the issue to translate into a greater level of resulting attention and action.

computer science, cybernetics,ergonomics

Farwa Taqi,Syeda Hina Batool,Alia Arshad

DOI: https://doi.org/10.1080/10447318.2024.2351715

IF: 4.92

2024-05-25

International Journal of Human-Computer Interaction

Abstract:Cloud computing has revolutionized technology and education by providing scalable virtual resources accessible via the internet. This study emphasizes the importance of usability in cloud services, discussing various scales and metrics while highlighting their strengths and weaknesses. It underscores the necessity for a comprehensive usability scale that integrates both subjective and objective measures to suit diverse user scenarios and populations. The article introduces the Cloud Applications/Services Usability Development Scale, comprising five usability dimensions: Capable, Personal, Reliable, Valuable, and Secure. To validate the instrument, factor analysis was performed on 28 items for each construct, utilizing Principal Component Analysis and Varimax Rotation. The Kaiser-Meyer-Olkin (KMO) and Bartlett's Test were applied to assess sampling adequacy. Construct validity and reliability were scrutinized using AMOS 21, a statistical analysis software for structural equation modeling (SEM). A confirmation factor analysis was employed to assess both converging and discriminating validity. A survey conducted among actual cloud application users, specifically Google Drive users in Lahore's public libraries, demonstrated the strong construct validity and reliability of the developed instrument. The Cloud Applications/Services Usability Development Scale proved effective in evaluating the usability of cloud-based applications. This study not only contributes valuable insights to the development and validation of usability measurement tools for cloud applications but also addresses a significant gap in local and international literature. Furthermore, it serves as a model for creating and validating measurement tools for cloud services, offering practical implications for usability testing and methodological advancements in the field of cloud computing.

computer science, cybernetics,ergonomics

Santiago Criollo-C,Andrea Guerrero-Arias,Diego Buenaño-Fernández,Sergio Luján-Mora

DOI: https://doi.org/10.1109/access.2024.3352589

IF: 3.9

2024-01-01

IEEE Access

Abstract:Currently, social networks and Internet access have become a place that fosters risky experiences for their users, who are vulnerable and can become victims of violence, online abuse, extortion, etc. Therefore, it is considered necessary to make people aware of the appropriate use of information and communication technologies (ICTs) and Internet access, to minimize the risks and vulnerabilities associated with these practices. This research analyzes the use of a game-like mobile application called CiberSecApp, which was designed to support the teaching of basic cybersecurity. This application was designed as a game because gamification has been shown to generate motivation and keep users interested in long periods of time. In addition, the new generation of students perceives educational mobile apps as an innovative way to access educational content in a simple, ubiquitous, and portable way Unlike other similar initiatives in the existing literature, this research did not focus solely on the game design aspects, but also on evaluating the user experience. For this purpose, the IBM Computer Usability Satisfaction Questionnaires (CSUQ) and the NASA Task Load Index (TLX) were used to evaluate the usability of the mobile application and the mental workload generated by the participants. A total of 60 engineering students participated voluntarily in this research. The results obtained show that the use of gamification of educational content can support the teaching of cybersecurity by creating an intention of use and with a low mental workload for its users.

computer science, information systems,telecommunications,engineering, electrical & electronic

Urvashi Kishnani,Isabella Cardenas,Jailene Castillo,Rosalyn Conry,Lukas Rodwin,Rika Ruiz,Matthew Walther,Sanchari Das

2024-07-08

Abstract:With the growth of digital monetary transactions and cashless payments, encouraged by the COVID-19 pandemic, use of e-payment applications is on the rise. It is thus imperative to understand and evaluate the current posture of e-payment applications from three major user-facing angles: security, privacy, and usability. To this, we created a high-fidelity prototype of an e-payment application that encompassed features that we wanted to test with users. We then conducted a pilot study where we recruited 12 participants who tested our prototype. We find that both security and privacy are important for users of e-payment applications. Additionally, some participants perceive the strength of security and privacy based on the usability of the application. We provide recommendations such as universal design of e-payment applications.

Human-Computer Interaction,Cryptography and Security

Sean Oesch,Robert Bridges,Jared Smith,Justin Beaver,John Goodall,Kelly Huffer,Craig Miles,Dan Scofield

DOI: https://doi.org/10.48550/arXiv.2012.09013

2020-12-16

Abstract:Gartner, a large research and advisory company, anticipates that by 2024 80% of security operation centers (SOCs) will use machine learning (ML) based solutions to enhance their operations. In light of such widespread adoption, it is vital for the research community to identify and address usability concerns. This work presents the results of the first in situ usability assessment of ML-based tools. With the support of the US Navy, we leveraged the national cyber range, a large, air-gapped cyber testbed equipped with state-of-the-art network and user emulation capabilities, to study six US Naval SOC analysts' usage of two tools. Our analysis identified several serious usability issues, including multiple violations of established usability heuristics form user interface design. We also discovered that analysts lacked a clear mental model of how these tools generate scores, resulting in mistrust and/or misuse of the tools themselves. Surprisingly, we found no correlation between analysts' level of education or years of experience and their performance with either tool, suggesting that other factors such as prior background knowledge or personality play a significant role in ML-based tool usage. Our findings demonstrate that ML-based security tool vendors must put a renewed focus on working with analysts, both experienced and inexperienced, to ensure that their systems are usable and useful in real-world security operations settings.

Human-Computer Interaction,Cryptography and Security,Machine Learning

Abdullah M. Albarrak

DOI: https://doi.org/10.3390/su16188144

IF: 3.9

2024-09-19

Sustainability

Abstract:The energy sector is a critical contributor to the growth and development of any country's economy. However, ensuring robust cybersecurity within the context of smart energy services presents persistent usability challenges in an increasingly digital environment. This study explores the intersection of human-computer interaction (HCI), cybersecurity, and usability to identify and address issues that impact the overall security of smart energy management systems. By analyzing the complex relationships between users and security protocols, this research aims to enhance the security framework, promote better user adherence, and improve system usability. The study focuses on three primary objectives: (1) identifying the most prevalent usability issues in current cybersecurity practices; (2) examining the relationship between HCI and user compliance with security measures; and (3) proposing strategies to improve cybersecurity usability by leveraging HCI principles. Hybrid approaches utilizing artificial intelligence facilitate empirical analysis and framework evaluation. Additionally, a comparative study with six existing models has been conducted. By envisioning a future where security measures not only ensure enhanced protection but also integrate seamlessly into user experiences, this approach seeks to provide valuable insights into ongoing cybersecurity discussions and contribute to a more resilient security landscape against evolving digital threats.

environmental sciences,environmental studies,green & sustainable science & technology

Chamila Wijayarathna,Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1808.01481

2018-08-04

Abstract:Previous research has pointed that software applications should not depend on programmers to provide security for end-users as majority of programmers are not experts of computer security. On the other hand, some studies have revealed that security experts believe programmers have a major role to play in ensuring the end-users' security. However, there has been no investigation on what programmers perceive about their responsibility for the end-users' security of applications they develop. In this work, by conducting a qualitative experimental study with 40 software developers, we attempted to understand the programmer's perception on who is responsible for ensuring end-users' security of the applications they develop. Results revealed majority of programmers perceive that they are responsible for the end-users' security of applications they develop. Furthermore, results showed that even though programmers aware of things they need to do to ensure end-users' security, they do not often follow them. We believe these results would change the current view on the role that different stakeholders of the software development process (i.e. researchers, security experts, programmers and Application Programming Interface (API) developers) have to play in order to ensure the security of software applications.

Cryptography and Security,Computers and Society

Steven Moore,Eamon Costello,Huy A. Nguyen,John Stamper

2024-05-31

Abstract:Evaluating multiple-choice questions (MCQs) involves either labor intensive human assessments or automated methods that prioritize readability, often overlooking deeper question design flaws. To address this issue, we introduce the Scalable Automatic Question Usability Evaluation Toolkit (SAQUET), an open-source tool that leverages the Item-Writing Flaws (IWF) rubric for a comprehensive and automated quality evaluation of MCQs. By harnessing the latest in large language models such as GPT-4, advanced word embeddings, and Transformers designed to analyze textual complexity, SAQUET effectively pinpoints and assesses a wide array of flaws in MCQs. We first demonstrate the discrepancy between commonly used automated evaluation metrics and the human assessment of MCQ quality. Then we evaluate SAQUET on a diverse dataset of MCQs across the five domains of Chemistry, Statistics, Computer Science, Humanities, and Healthcare, showing how it effectively distinguishes between flawed and flawless questions, providing a level of analysis beyond what is achievable with traditional metrics. With an accuracy rate of over 94% in detecting the presence of flaws identified by human evaluators, our findings emphasize the limitations of existing evaluation methods and showcase potential in improving the quality of educational assessments.

Artificial Intelligence,Computation and Language

Imranur Rahman,Ranidya Paramitha,Henrik Plate,Dominik Wermke,Laurie Williams

2024-08-06

Abstract:Security sensitive APIs provide access to security-sensitive resources, e.g., the filesystem or network resources. Including such API calls -- directly or through dependencies -- increases the application's attack surface. An example of such a phenomenon is Log4Shell, which rendered many applications vulnerable due to network-related capabilities (JNDI lookup) in log4j package. Before the Log4Shell incident, alternate logging libraries to log4j were available that do not make JNDI lookup calls. The impact of such an incident would be minimal if information about network-related API calls by logging libraries were available to the developers. And so the lack of visibility into the calls to these security sensitive APIs by functionally similar open-source packages makes it difficult for developers to use them as a dependency selection criterion. The goal of this study is to aid developers in selecting their dependency by understanding security sensitive APIs in their dependency through call graph analysis. We conducted a mixed-methods study with 45 Java packages and defined a list of 219 security sensitive APIs. We then used call graph analysis to analyze the prevalence of these APIs in our selected package versions, with and without their dependencies. Finally, we conducted a survey with open-source developers (110 respondents) showing the comparison of functionally similar packages w.r.t. Security sensitive API calls to understand the usefulness of this API information in the dependency selection process. The number of Security sensitive API calls of functionally similar packages can vary from 0 to 368 in one API category and 0 to 429 in total. Our survey results show that 73% developers agree that information about the number and type of security-sensitive API calls of functionally similar packages would have been useful in their dependency selection.

Cryptography and Security,Software Engineering

Ali Darejeh,Nadine Marcusa,Gelareh Mohammadi,John Sweller

DOI: https://doi.org/10.48550/arXiv.2402.11820

IF: 6.4588

2024-02-19

Human-Computer Interaction

Abstract:Usability testing is an essential part of product design, particularly for user interfaces. To enhance the reliability of usability evaluations, employing cognitive load measurement methods can be highly effective in assessing the mental effort required to complete tasks during user testing. This review aims to provide an overview of the most suitable cognitive load measurement methods for evaluating various types of user interfaces, serving as a valuable resource for guiding usability assessments. To bridge the existing gap in the literature, a systematic review was conducted, analyzing 76 articles with experimental study designs that met the eligibility criteria. The review encompasses different methods of measuring cognitive load applicable to assessing the usability of diverse user interfaces, including computer software, information systems, video games, web and mobile applications, robotics, and virtual reality applications. The results highlight the most widely utilized cognitive load measurement methods in software usability, their respective usage percentages, and their application in evaluating the usability of each user interface type. Additionally, the advantages and disadvantages of each method are discussed. Furthermore, the review proposes a framework to assist usability testers in selecting an appropriate cognitive load measurement method for conducting accurate usability evaluations.

Christian X. Navarro-Cota,Ana I. Molina,Miguel A. Redondo,Carmen Lacave

DOI: https://doi.org/10.1109/te.2023.3347191

2024-01-01

IEEE Transactions on Education

Abstract:Contribution: This article describes the process used to create a questionnaire to evaluate the usability of mobile learning applications (CECAM). The questionnaire includes specific questions to assess user interface usability and pedagogical usability. Background: Nowadays, mobile applications are expanding rapidly and are commonly used in educational institutions to support the learning and teaching process. But the possible deficient usability could decrease the utility of learning activities and the student’s motivation. Therefore, careful planning and design by the developer are required, along with a usability evaluation of the applications. Research Questions: How could an instrument be developed to evaluate the usability of m-learning applications that combine technical and pedagogical aspects? How can the quality of the developed instrument be determined? Methodology: A structured questionnaire was created like a measuring tool to evaluate and design m-learning applications. Different statistical techniques, including reliability and validity assessments, were employed to evaluate the quality of the instrument, which is determined through the calibration of the CECAM survey. Findings: After the validity analysis of the questionnaire, a scale with 56 items was obtained, with an alpha reliability coefficient of 0.911 (an excellent measuring scale). It pretends to be used by teachers to design or evaluate m-learning applications, improve their usability, and enhance the students’ learning experience.

engineering, electrical & electronic,education, scientific disciplines

Zahra Mousavi,Chadni Islam,M. Ali Babar,Alsharif Abuadbba,Kristen Moore

2024-06-25

Abstract:Security Application Programming Interfaces (APIs) are crucial for ensuring software security. However, their misuse introduces vulnerabilities, potentially leading to severe data breaches and substantial financial loss. Complex API design, inadequate documentation, and insufficient security training often lead to unintentional misuse by developers. The software security community has devised and evaluated several approaches to detecting security API misuse to help developers and organizations. This study rigorously reviews the literature on detecting misuse of security APIs to gain a comprehensive understanding of this critical domain. Our goal is to identify and analyze security API misuses, the detection approaches developed, and the evaluation methodologies employed along with the open research avenues to advance the state-of-the-art in this area. Employing the systematic literature review (SLR) methodology, we analyzed 69 research papers. Our review has yielded (a) identification of 6 security API types; (b) classification of 30 distinct misuses; (c) categorization of detection techniques into heuristic-based and ML-based approaches; and (d) identification of 10 performance measures and 9 evaluation benchmarks. The review reveals a lack of coverage of detection approaches in several areas. We recommend that future efforts focus on aligning security API development with developers' needs and advancing standardized evaluation methods for detection technologies.

Cryptography and Security,Software Engineering

Jongkil Jay Jeong,Syed Wajid Ali Shah,Ashish Nanda,Robin Doss,Mohammad Nosouhi,Jeb Webb

DOI: https://doi.org/10.1109/thms.2024.3421538

2024-09-21

IEEE Transactions on Human-Machine Systems

Abstract:Physical authentication devices (PADs) offer a higher level of security than other authentication technologies commonly used in multifactor authentication (MFA) schemes because they are much less vulnerable to attack. However, PAD uptake remains significantly lower than that for SMS and app-based approaches, accounting for only 10% of all authentication technologies currently being utilized in MFA. Prior studies indicate that the primary reason for this low adoption rate is due to negative users' perceptions and attitudes toward the usability of PADs; many of these studies often skew toward a particular set of users (e.g., young university students, etc.), often creating a bias toward what usable security entails. To address this limitation, we have formulated an original research methodology that segments users into specific groups based on their user characteristics (i.e., age, education, and experience) and examines how each group defines usability and ranks their preferences regarding certain security features. Based on a survey of 410 participants, our results indicate that there are indeed different usable security preferences for each user group, and we, therefore, provide recommendations on how existing PADs might be enhanced to support usability and improve adoption rates.

computer science, cybernetics, artificial intelligence

Bryce Allen Bagley

2024-04-20

Abstract:The rapid advancement in neurotechnology in recent years has created an emerging critical intersection between neurotechnology and security. Implantable devices, non-invasive monitoring, and non-invasive therapies all carry with them the prospect of violating the privacy and autonomy of individuals' cognition. A growing number of scientists and physicians have made calls to address this issue, but applied efforts have been relatively limited. A major barrier hampering scientific and engineering efforts to address Cognitive Security is the lack of a clear means of describing and analyzing relevant problems. In this paper we develop Cognitive Security, a mathematical framework which enables such description and analysis by drawing on methods and results from multiple fields. We demonstrate certain statistical properties which have significant implications for Cognitive Security, and then present descriptions of the algorithmic problems faced by attackers attempting to violate privacy and autonomy, and defenders attempting to obstruct such attempts.

Cryptography and Security,Computers and Society,Emerging Technologies,Machine Learning,Neurons and Cognition