Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security

This paper discusses whether usable security is unattainable
for some security tasks due to intrinsic bounds of human cognitive
capacities. Will Johnny ever be able to encrypt? Psychology
and neuroscience literature shows that there are upper bounds on
the human capacity for executing cognitive tasks and for information
processing. We argue that the usable security discipline should
scientifically understand human capacities for security tasks, i.e.,
what we can realistically expect from people. We propose a framework
for evaluation of human capacities in security that assigns
socio-technical systems to complexity classes according to their
security and usability. The upper bound of human capacity is considered
the point at which people start experiencing cognitive strain
while performing a task, because cognitive strain demonstrably leads
to errors in the task execution. The ultimate goal of the work we
initiate in this paper is to provide designers of security mechanisms
or policies with the ability to say:“This feature of the security mechanism
X or this security policy element Y is inappropriate, because
this evidence shows that it is beyond people’s capacity.