USABILITY VS SECURITY: A CASE STUDY OF ANDROID,
IOS AND WINDOWS
Rajiv Ranjan Singh
Department of Computer Science
Shyam Lal College (Evening)
University of Delhi
Shaurye Aggawal
Amity International School
Saket, Delhi, INDIA
THE PRESENTATION OUTLINE
Introduction
Research Questions
Experimental Design
Participants
Materials and Apparatus
Results
Summary and Discussion
Future Scope and Suggestions
Conclusion
INTRODUCTION
Many mobile phone operating systems
Many apps added daily
Lots of Security features
Financial Transactions on Mobile
Different design environment
Computer systems must employ mechanisms that are difficult to use!
Convenience is the Antithesis to Security
ANDROID OS
APPLE IOS
WINDOWS
LATEST FROM THE SECURITY DOMAIN
CHALLENGES
Security features usually complex
Make Security Usable
Balance Security vs Usability
“Don't make me think” - Steve Krug's first law of usability
Intuitive navigation
Conformity to user expectations
CHALLENGES
Attackers know that your efforts to enhance usability utilize accepted conventions
Attackers will exploit these conventions to their advantage
Complex mechanisms hard to configure
Hard to implement correctly
This weakens security
PSYCHOLOGICAL ACCEPTABILITY
Saltzer & Schroeder (1975), The Protection of Information in Computer Systems
Examined several 'design principles' associated with security
Psychological acceptability is the principle that the closer security conforms to user expectations the better
PRINCIPLE OF PSYCHOLOGICAL ACCEPTABILITY
“It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanism correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanism he must use, mistakes will be minimized. If he must translate his image of his protection into a radically different specification language, he will make errors.”
Jerome Saltzer & Michael Schroeder (1975)
PRINCIPLE OF PSYCHOLOGICAL ACCEPTABILITY
Complex configurations lead to errors, and the less tech-savvy the users are, the worse the security problems will be.
“How can one create mechanisms that are easy to use, provide the protection mechanism necessary, and are unobtrusive to use, for mobile users ranging from novice users to app developers?” – an open question
HUMANS & SECURITY
Are usability and security competing goals?
Humans are the weakest link in the security chain.
Security systems are social as well as technical.
Security mechanisms require extra work. Humans find shortcuts and workarounds.
Users will find ways to evade security demands that are considered unreasonable or burdensome.
RESEARCH QUESTIONS
Can usability and security co-exist?
Does increased security reduce usability?
Does increased usability reduce security?
RESEARCH QUESTIONS
To understand whether the security features of a smartphone improve its usability or reduce it
Null Hypothesis H0: Security features of a smartphone have no relation with its usability features.
Alternate Hypothesis H1: Security features of a smartphone share a relation with its usability features.
EXPERIMENTAL DESIGN
Questionnaire to study the impact of factors governing security and usability in smart phones running various OS such as Android, iOS, Windows etc.
Questions selected on the basis of their relevance to two factors i.e. Security and Usability.
Questionnaire included questions related to:
Operating Systems on their smartphone
User’s technical expertise
Locking mechanism used
Features enabled on phone such as antivirus, anti-theft feature etc.
PARTICIPANTS
All the participants are smartphone users
Participants were e-mailed the survey form
Respondents are from all categories of users:
As young as school students to professionals
From very little tech-savvy to app developers
School students as well as Doctoral degree holders
QUESTIONNAIRE
Survey on Usability vs Security
Your Name……………………………….
Age
Options: 15-20 years / 21-25 years / 26-30 years / 31 and above / Other: ……………………
Your Qualification
Options: School Student / College Student / Post Graduate / PhD and above / Other: ………………………………..
What is the OS used in your smartphone?
Options: Android / IOS / Windows / Symbian
QUESTIONNAIRE
What kind of security do you use for your smartphone?
Options: Pattern Lock / Number Code Lock / No Locking mechanism / Other: ………………………………….
Do you have antivirus installed on your smartphone?
Options: Installed but not enabled / Not installed but I would like one / I don’t need it / Installed and enabled
Are you aware of anti-theft features available on your smartphone?
Options: Yes, but I haven’t enabled / Yes and enabled / My phone does not have this feature / I am not aware if there is any such feature
QUESTIONNAIRE
Are you aware of email encryption features available on your smartphone?
Options: Yes, but I haven’t enabled / Yes and enabled / My phone does not have this feature / I am not aware if there is any such feature
Do you fear that losing your phone may lead to Identity theft?
Options: Yes and I have taken enough precautions / Yes but I don’t know how to deal with it / No I don’t care / I don’t know about Identity theft
How would you describe yourself?
Options: With little techno Knowledge / Tech Savvy / App Developer
QUESTIONNAIRE
Would you prefer a phone which is easy to use or one which has more security features?
Options: One with more security / One which is easy to use
What is your opinion about security features adding hassle to your smartphone experience?
Options: I subscribe to the view / I don’t think so / I am OK with it
If you are to suggest one feature for your smartphone what would it be?
…………………………………………………………..
QUESTIONNAIRE
What rating would you give to the security features on your phone?
1 being least secure and 5 being most secure
Least Secure  1  2  3  4  5  Most Secure
What rating would you give to the usability (ease of use) of your phone?
1 being difficult to use and 5 being easy to use
Difficult to use  1  2  3  4  5  Easy to use
MATERIALS AND APPARATUS
Experiment started with the task of data collection for the study.
Questionnaire was prepared using Google Forms.
Participants were sent this form by e-mail.
Participants were not paid for the responses.
Study conformed to the requirements for ethical and safe research, as the responses were voluntary.
Identity of the respondents was never revealed to other respondents.
Responses were collected in a spreadsheet (.csv file).
More than 120 responses were used.
R was used for statistical functions, plotting etc.
RESULTS
Pearson’s correlation coefficient between security rating and usability rating: +0.38.
The p-value is much less than the significance level of 1%, so the null hypothesis can be rejected and the alternate hypothesis can be accepted.
A positive correlation between the usability conformance and security conformance of the smartphones as per user’s expectation.
This is contrary to the established belief that enhanced security affects usability and vice-versa.
One possible explanation can be that the modern day smartphones have been able to satisfy their users both in terms of security as well as usability because of their versatility.
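Added example (not part of the original slides; the authors used R, this sketch is Python): how a Pearson coefficient is computed from paired 1-5 ratings and how r = +0.38 is tested against the null hypothesis. The sample ratings are constructed, and n = 120 is an assumption based on the "more than 120 responses" stated in the slides.

```python
import math

def pearson_r(x, y):
    """Pearson correlation coefficient of two equal-length rating lists."""
    n = len(x)
    if n != len(y) or n < 3:
        raise ValueError("need two equal-length lists with at least 3 pairs")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        # Every respondent gave the same rating: r is undefined.
        raise ValueError("constant ratings, correlation undefined")
    return sxy / math.sqrt(sxx * syy)

def two_sided_p(t, df, steps=20000):
    """P(|T| >= |t|) for Student's t with df degrees of freedom.

    Integrates the t density from 0 to |t| with Simpson's rule.
    """
    c = math.exp(math.lgamma((df + 1) / 2) - math.lgamma(df / 2))
    c /= math.sqrt(df * math.pi)
    pdf = lambda u: c * (1 + u * u / df) ** (-(df + 1) / 2)
    a = abs(t)
    h = a / steps
    area = pdf(0) + pdf(a)
    area += sum((4 if i % 2 else 2) * pdf(i * h) for i in range(1, steps))
    return max(0.0, 1 - 2 * area * h / 3)

def significance(r, n):
    """Test H0 (no linear relation) for correlation r over n respondents."""
    if not -1 < r < 1:
        raise ValueError("r must lie strictly between -1 and 1")
    t = r * math.sqrt((n - 2) / (1 - r * r))
    return t, two_sided_p(t, n - 2)

# Constructed sample: (security, usability) ratings on the 1-5 scales.
SAMPLE_SECURITY = [3, 4, 5, 2, 4, 3, 5, 4]
SAMPLE_USABILITY = [4, 4, 5, 3, 5, 3, 4, 5]

if __name__ == "__main__":
    print("sample r =", round(pearson_r(SAMPLE_SECURITY, SAMPLE_USABILITY), 4))
    t, p = significance(0.38, 120)  # n = 120 is an assumed respondent count
    print("reported r=0.38, n=120: t = %.3f, p = %.2e" % (t, p))
    t, p = significance(0.38, 20)   # same r, far fewer respondents
    print("same r with n=20:       t = %.3f, p = %.3f" % (t, p))
```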
SUMMARY
COMPARISON OF USABILITY RATINGS (ALMOST SAME)
COMPARISON OF SECURITY RATINGS (IOS BETTER)
FUTURE SCOPE AND SUGGESTIONS
Mobile platforms becoming packed with features
New mobile devices run different OS, have powerful libraries, boast of UI features and provide multi-protocol networking stack.
The threat becomes more severe as mobile devices store sensitive personal and financial data
Need to improve the user interface so that it can warn users about all categories of unsecured information.
A lot of users want to use various security features such as e-mail encryption etc., however they are unable to locate these functionalities on their phones.
FUTURE SCOPE AND SUGGESTIONS
So, user interface provided needs improvement.
There must be a common UI framework for all the smartphones.
Authentication problem provides a challenge to balance high level of security with appropriate level of usability.
Present work can also be used to design authentication process that is both secure and simple.
Future work can be to understand the user’s knowledge about the apps they are installing and the risks associated with them.
CONCLUSION
Users are satisfied with both the security as well as usability features of the modern smartphones.
Though usability got more rating points than security, users prefer a phone with more security features rather than a phone that is easier to use.
Both Android and iOS got almost the same points for usability, but for security iOS is rated better than Android.
Our results are not in conformity with the existing norm that increasing security takes a toll on usability.
Results indicate a positive correlation between the security and usability features of smartphones.
Present day smartphones are versatile enough to satisfy both the security as well as usability requirements of the users.
Many smartphone users hesitate to migrate to another platform simply for the fear of portability issues.
Need of the hour: A common user interface framework to be adopted by all smartphone developers.
ACKNOWLEDGEMENTS
Sincere thanks to:
All the respondents
All the faculty members of: Department of Computer Science, Shyam Lal College (Evening), University of Delhi
THANK YOU !!!
Questions ???
Comments !!!