Maybe poor johnny really cannot encrypt - the case for a complexity theory for usable security

Publication Type
Conference Paper
Date Issued
2015-09
Language
English
Author(s)
Benenson, Zinaida  
Lenzini, Gabriele  
Oliveira, Daniela  
Parkin, Simon  
Übelacker, Sven
Institute
Sicherheit in verteilten Anwendungen E-15-H  
TORE-URI
http://hdl.handle.net/11420/9632
Start Page
85
End Page
99
Citation
New Security Paradigms Workshop, NSPW 2015: 85-99
Contribution to Conference
New Security Paradigms Workshop, NSPW 2015  
Publisher DOI
10.1145/2841113.2841120
Scopus ID
2-s2.0-84959257468
Publisher
ACM
ISBN
978-1-4503-3754-0
Psychology and neuroscience literature shows the existence of upper bounds on the human capacity for executing cognitive tasks and for information processing. These bounds are where, demonstrably, people start experiencing cognitive strain and consequently committing errors in task execution. We argue that the usable security discipline should scientifically understand such bounds in order to have realistic expectations about what people can or cannot attain when coping with security tasks. This may shed light on whether Johnny will ever be able to encrypt. We propose a conceptual framework for evaluation of human capacities in security that also assigns systems to complexity categories according to their security and usability. From what we have initiated in this paper, we ultimately aim at providing designers of security mechanisms and policies with the ability to say: "This feature of the security mechanism X or this security policy element Y is inappropriate, because this evidence shows that it is beyond the capacity of its target community".
Subjects
Human capacities
Usable security models
DDC Class
004: Computer Science
510: Mathematics
530: Physics
600: Technology
Funding(s)
Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security  
More Funding Information
Zinaida Benenson is supported by the Bavarian State Ministry of Education, Science and the Arts as part of the FORSEC research association. Gabriele Lenzini is supported by FNR, CORE project C11/IS/1183245 “Socio-Technical Analysis of Security and Trust”, and by the European Union 7th Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TRESPASS). Daniela Oliveira is supported by the National Science Foundation grants CNS-1464801 and SES-1450624. Simon Parkin is supported by UK EPSRC, grant nr. EP/K006517/1 (“Productive Security”). Sven Uebelacker is supported by the European Union 7th Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TRESPASS).