Usability issues with security of electronic mail

Abstract

This thesis shows that human factors can have a large and direct impact on security, not only on the user’s satisfaction, but also on the level of security achieved in practice. The usability issues identified are also extended to include mental models and perceptions as well as traditional user interface issues. These findings were accomplished through three studies using various methodologies to best suit their aims. The research community have issued principles to better align security and usability, so it was first necessary to evaluate their effectiveness. The chosen method for achieving this was through a usability study of the most recent software specifically to use these principles. It was found that the goal of being simultaneously usable and secure was not entirely met, partially through problems identified with the software interface, but largely due to the user’s perceptions and actions whilst using the software. This makes it particularly difficult to design usable and secure software without detailed knowledge of the users attitudes and perceptions, especially if we are not to blame the user for security errors as has occurred in the past. Particular focus was given to e-mail security because it is an area in which there is a massive number of vectors for security threats, and in which it is technologically possible to negate most of these threats, yet this is not occurring. Interviews were used to gain in depth information from the user’s point of view. Data was collected from individual e-mail users from the general public, and organisations. It was found that although the literature had identified various problems with the software and process of e-mail encryption, the majority of problems identified in the interviews stemmed once again from user’s perceptions and attitudes. Use of encryption was virtually nil, although the desire to use encryption to protect privacy was strong. Remembering secure passwords was recurrently found to be problematic, so in an effort to propose a specific method of increasing their usability an empirical experiment was used to examine the memorability of passwords. Specially constructed passwords were tested for their ability to improve memorability, and therefore usability. No statistical significance in the construction patterns was found, but a memory phenomenon whereby users tend to forget their password after a specific period of non-use was discovered. The findings are discussed with reference to the fact that they all draw on a theme of responsibility to maintain good security, both from the perspective of the software developer and the end user. The term Personal Liability and General Use Evaluation (PLaGUE) is introduced to highlight the importance of considering these responsibilities and their effect on the use of security.