Professor Angela Sasse, director of the research institute for the science of cyber security at University College London, was talking on “What's wrong with Usable security” at an event at the University of Surrey on Tuesday.
Sasse, one of the authors of the acclaimed ‘Users are not the enemy' research paper published back in 1999, said that there has been widespread awareness for some time that security needs to be usable. She cited Dutch linguist and cryptographer Auguste Kerckhoffs' 1883 'La cryptographie militaire' as having a big focus on usable security in three of its six modules (the key should be memorable; the system should be easy and the apparatus or documents should be portable and operable by a single person), as well as the 1975 paper by Jerome Saltzer and MD Schroeder describing the seven criteria for building secure computer systems.
“We need to get back to that,” stressed Sasse.
The professor did, however, point to a lot of activity, at least on the research side, on improving usable security. She noted Cambridge University professor Ross Anderson and cryptography expert Bruce Schneier, formerly of BT but now CTO of Co3, as having formed the invite-only workshops, and added that the ACM Symposium on Usable Privacy and Security (SOUPS) has been running since 2005 and that the Security and Human Behaviour (SHB) conference has been an annual event since 2008. There are now even university modules on usable security, said Masse.
But the professor was keen to stress that many facets of security remain bewitching to the end user, and said that that was particularly true of authentication, where a flurry of password alternatives have been suggested since the early 1990s.
At the conference, she cited numerous examples include Passfaces – a “very memorable” face recognition version of authentication that was ‘useless' if you had more than one password, Draw a Secret and BDAS – both of which were hampered by similar drawing patterns and easy 'guess-ability'.
“Blokes often go for the one that most looks like a female model,” said Masse on the Passfaces flaw.
Slightly zanier alternatives, proposed by researchers over the years, have included singing your password (Reynaud et al NSPW 2007), thinking your passwords and biometrics. Even single-sign on (SSO), as used by a number of companies, is restricted because the number of emerging technologies mean that users are still going to have six to eight passwords anyway, Masse said.
The trouble for authentication, she added, is that there's only so much time end-users are willing to spend on it before they give up in the interests of preserving their productivity.
Using a simple time and motion study, Masse and other researchers found that security is a “significant drain on productivity” and said that PC users can expect to spend three weeks a year logging in, and or maintaining or failing authentication.
“That is just unacceptable,” said the professor. “People are willing and able to spend a certain amount of time on a non-productive task, like security, but they have a built-in meter [for tolerance].”
She said that this threshold was around three percent of time in most organisations, or five percent in companies with a higher focus on security.