[en] This paper discusses whether usable security is unattainable
for some security tasks due to intrinsic bounds of human cognitive
capacities. Will Johnny ever be able to encrypt? Psychology
and neuroscience literature shows that there are upper bounds on
the human capacity for executing cognitive tasks and for information
processing. We argue that the usable security discipline should
scientifically understand human capacities for security tasks, i.e.,
what we can realistically expect from people. We propose a framework
for evaluation of human capacities in security that assigns
socio-technical systems to complexity classes according to their
security and usability. The upper bound of human capacity is considered
the point at which people start experiencing cognitive strain
while performing a task, because cognitive strain demonstrably leads
to errors in the task execution. The ultimate goal of the work we
initiate in this paper is to provide designers of security mechanisms
or policies with the ability to say:“This feature of the security mechanism
X or this security policy element Y is inappropriate, because
this evidence shows that it is beyond people’s capacity.
Research center :
SnT
Disciplines :
Computer science
Author, co-author :
Beneson, Zinaida; University of Erlangen-Nuremberg > IT Security Infrastructures > Lecturer
LENZINI, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Oliveira, Daniela; University of Florida > Department of Electrical and Computer Engineering > Associate Professor
Parkin, Simon; University College London - UCL > Department of Computer Science > Research Associate
Uebelacker, Sven; TUHH > SVA > Research Associate
External co-authors :
yes
Language :
English
Title :
Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security
Publication date :
2015
Event name :
New Security Paradigms Workshop
Event place :
Enschede, Netherlands
Event date :
from 08-09-2015 to 11-09-2015
Audience :
International
Main work title :
Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security
Publisher :
ACM
ISBN/EAN :
978-1-4503-3754-0
Collection name :
Proceedings of the 2015 New Security Paradigms Workshop