Security, Privacy and Usability – can we have them all?

20 January 2020

Even the best security and privacy solutions will be effective only if they can be used by end users correctly and without undue hindrance to the main tasks at hand. Thus, it is important to see what effective measures there are to improve the usability of security and privacy technologies and what security and privacy technologies have (and have not) gained user adoption.

In CyberSec4Europe we have collected a variety of different methods and lessons learned into a report that considers the problems related to combining security, privacy and usability. There are still many open research questions and even trade-offs between these three features that seem necessary today. We hope that in the future we can solve many of these and that usability will be taken more into account when developing new technologies and digital services.

Here are four recommendations that we found in our research. Adopting these measures should improve the security, privacy and usability of products and services.

  1. Use of authenticated encryption in application layer or network layer communications whenever possible

The use of authenticated encryption protects both the integrity of the communications and the privacy of the content. There are many available tools for developers and website administrators to achieve this. The impact on end users is minimal when this is done right.

  2. Early user involvement should be ensured for new security and privacy features

User-centered design (UCD) approaches advocate the involvement of end users in the early stages of the development process (e.g. via brainstorming sessions and work analysis). User interfaces and user interactions that are the front end of security and privacy mechanisms should follow UCD processes to ensure that usability is considered from the very beginning and not ‘too little, too late’.

  3. User modeling and/or user tests should be conducted for new security and privacy features

Collecting information on users is not a straightforward task, and both automated and other approaches have their shortcomings. However, it is not possible to improve the usability of new privacy and security technologies if no effort to that end is made. Thus, there should be some way to test and/or model users and their behaviour in the security and privacy systems.

  4. Provide users with authentication methods that are both secure and privacy-friendly

User authentication is a security measure that is most visible to users in many cases. There are many options to do this and, at the moment, convenience and user experience seem to push towards the use of biometrics. It should be possible to conduct user authentication in a usable way while meeting security objectives and respecting users' privacy.

Even if all the above recommendations are adopted, there are still many peculiarities in each use case and scenario, where security and privacy need to be protected. Furthermore, the way people use their devices and digital services and conduct their lives both online and offline is changing at a rapid pace. This means that solutions applicable today might be obsolete tomorrow. Re-evaluation of different methods and their impact on usability is therefore a must.

Future research at the crossroads of security, privacy and usability needs to consider many questions. What are the best ways to bring new security and privacy features more easily to developers of new technologies and services? How can user authentication and digital identity problems be solved in a way that is usable and also provides the necessary levels of security and privacy? We hope that pro-active collaboration between researchers from different backgrounds will provide solutions to these and even more. An open networking approach as exemplified by CyberSec4Europe is an excellent way to work towards these.

Kimmo Halunen, VTT