Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security

Beneson, Zinaida; Lenzini, Gabriele; Oliveira, Daniela; Parkin, Simon; Uebelacker, Sven

doi:10.1145/2841113.2841120

Reference : Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable...


	Document type :	Scientific congresses, symposiums and conference proceedings : Paper published in a book
	Discipline(s) :	Engineering, computing & technology : Computer science
	To cite this reference:	http://hdl.handle.net/10993/23567

Title :	Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security
Language :	English
Author, co-author :	Beneson, Zinaida [University of Erlangen-Nuremberg > IT Security Infrastructures > > Lecturer]
	Lenzini, Gabriele [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Oliveira, Daniela [University of Florida > Department of Electrical and Computer Engineering > > Associate Professor]
	Parkin, Simon [University College London - UCL > Department of Computer Science > > Research Associate]
	Uebelacker, Sven [TUHH > SVA > > Research Associate]
Publication date :	2015
Main document title :	Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security
Publisher :	ACM
Collection and collection volume :	Proceedings of the 2015 New Security Paradigms Workshop
Pages :	85-99
Peer reviewed :	Yes
On invitation :	No
Audience :	International
ISBN :	978-1-4503-3754-0
Event name :	New Security Paradigms Workshop
Event date :	from 08-09-2015 to 11-09-2015
Event place (city) :	Enschede
Event country :	The Netherlands
Keywords :	[en] Socio-Technical Security ; Usable Security
Abstract :	[en] This paper discusses whether usable security is unattainable for some security tasks due to intrinsic bounds of human cognitive capacities. Will Johnny ever be able to encrypt? Psychology and neuroscience literature shows that there are upper bounds on the human capacity for executing cognitive tasks and for information processing. We argue that the usable security discipline should scientifically understand human capacities for security tasks, i.e., what we can realistically expect from people. We propose a framework for evaluation of human capacities in security that assigns socio-technical systems to complexity classes according to their security and usability. The upper bound of human capacity is considered the point at which people start experiencing cognitive strain while performing a task, because cognitive strain demonstrably leads to errors in the task execution. The ultimate goal of the work we initiate in this paper is to provide designers of security mechanisms or policies with the ability to say:“This feature of the security mechanism X or this security policy element Y is inappropriate, because this evidence shows that it is beyond people’s capacity.
Research centres :	SnT
Funders :	Fonds National de la Recherche - FnR
Name of the research project :	STAST
Target :	Researchers
Permalink :	http://hdl.handle.net/10993/23567
DOI :	10.1145/2841113.2841120
Other URL :	http://dl.acm.org/citation.cfm?id=2841120
FnR project :	FnR ; FNR1183245 > Gabriele Lenzini > STAST > Socio-Technical Analysis of Security and Trust > 01/05/2012 > 30/04/2015 > 2011

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Limited access	nspw15-usasec-complexity-PREPROCEEDINGS.pdf		Author preprint	2.19 MB	Request a copy

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices