Thursday, September 30, 2010

Usable Security

One of the sessions I attended on Wednesday at GHC was a PhD forum. In this special type of session, three PhD students present their research in an hour, and the audience fills in feedback forms to give them suggestions and/or praise. It's a great opportunity.

The first presentation in this particular session was given by Laurian Vega, studying HCI at Virginia Tech. Her research is all about usable security, with a focus on day cares and doctors' offices. Although I'm not a security person by any stretch of the imagination, I found the topic quite interesting. (My friend Terri is also looking at usable security in her PhD research.)

Laurian is doing a qualitative study of security in the aforementioned settings by being an active observer of their everyday practices. One of the keys here in terms of security is that the users are members of communities, not individuals. And while it has been traditionally held that humans are the weakest link in security technology, neither Laurian nor Terri buys it. Instead, they say that security is just not designed with users' mental models in mind.

One of the most interesting findings from the study was the reliance the practitioners have on paper records. They like the fact that the information is physically nearby. Some like that they can put more sensitive information near the back of a file where it's unlikely anyone else would look. The files can be closed and shredded. The downsides, however, include the fact that, according to some research whose source I can't remember, 41% of the time somebody is distracted they don't return to their task. This makes files left open vulnerable when whoever is reading them is interrupted.

Laurian's work will end before a concrete design is actually proposed. I am very interested in seeing what kind of technology would work well in these kinds of settings yet still be secure. I hope more security researchers become more willing to consider the human side of the security equation.

Terri also wrote about this session.
