Skip to main content
SpringerLink
Log in

Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security

  • Published:
BT Technology Journal

Abstract

The security research community has recently recognised that user behaviour plays a part in many security failures, and it has become common to refer to users as the ‘weakest link in the security chain’. We argue that simply blaming users will not lead to more effective security systems. Security designers must identify the causes of undesirable user behaviour, and address these to design effective security systems. We present examples of how undesirable user behaviour with passwords can be caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation. We conclude that existing human/computer interaction knowledge and techniques can be used to prevent or address these problems, and outline a vision of a holistic design approach for usable and effective security.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Schneier B: ‘Secrets and Lies’, John Wiley and Sons (2000).

  2. Poulsen K: ‘Mitnick to lawmakers: People, phones and weakest links’, (March 2000)-http://www.politechbot.com/p-00969.html

  3. Reason J: ‘Human Error’, Cambridge University Press, Cambridge, UK (1990).

    Google Scholar 

  4. Adams A and Sasse M A: ‘Users are not the enemy’, Communications of the ACM, 42, No 12 (December 1999).

  5. Brostoff S and Sasse M A: ‘Are Passfaces more usable than passwords? A field trial investigation’, in McDonald S et al (Eds): ‘People and Computers XIV-Usability or Else’, Proceedings of HCI, Sunderland, UK, pp 405–424, Springer (September 2000).

  6. Rejman-Greene M: ‘Biometrics-real identities for a virtual world’, BT Technol J, 19, No 3, pp 115–121 (July 2001).

    Google Scholar 

  7. FIPS: ‘Password Usage’, Federal Information Processing Standards Publication (May 1985).

  8. Adams A, Sasse M A and Lunt P: ‘Making passwords secure and usable’, in Thimbleby H et al (Eds): ‘People and Computers XII’, Proceedings of HCI'97, Bristol, Springer (August 1997).

    Google Scholar 

  9. Nielsen J: ‘Security and Human Factors’, Alertbox (November 2000)-http://www.useit.com/alertbox/20001126.html

  10. Haskett J A: ‘Pass-algorithms: a user validation scheme based on knowledge of secret algorithms’, Communications of the ACM, 27, No 8, pp 777–781 (1984).

    Google Scholar 

  11. Zviran M and Haga W J: ‘A comparison of password techniques for multilevel authentication mechanisms’, The Computer Journal, 36, No 3, pp 227–237 (1993).

    Google Scholar 

  12. Zviran M and Haga W J: ‘Cognitive passwords: the key to easy access control’, Computers and Security, 9, No 8, pp 723–736 (1990).

    Google Scholar 

  13. Ellison C, Hall C, Milbert R and Schneier B: ‘Protecting secret keys with personal entropy’,-http://www.counterpane.com/personalentropy. pdf

  14. Spector Y and Ginzberg J: ‘Pass sentence-a new approach to computer code’, Computers and Security, 13, No 2, pp 145–160 (1994).

    Google Scholar 

  15. Passlogix® Inc-http://www.v-go.com/nav.asp?sec=company &loc=who

  16. Dhamija R, Perrig A and Deja V: ‘A User Study-Using Images for Authentication’, Proceedings of the 9th USENIX Security Symposium, Denver, Colorado (2000).

  17. PassfacesTM-http://www.idarts.com/

  18. Valentine T: ‘An evaluation of the PassfaceTM personal authentication system’, (Technical Report) Goldmsiths College, University of London (1998).

  19. Valentine T: ‘Memory for PassfacesTM after a long delay’, (Technical Report) Goldsmiths College, University of London (1999).

  20. Whitten A and Tygar J D: ‘Why Johnny can't encrypt: A usability evaluation of PGP 5.0’, Proceedings of the 8th USENIX security composium, Washington (August 1999).

  21. Beyer H and Holtzblatt K: ‘Contextual design’, Morgan Kauffmann (1997).

  22. Rogers R W: ‘A protection motivation theory of fear appeals and 22 change’, The Journal of Psychology, 91, pp 93–114 (1975).

    Google Scholar 

  23. Brostoff S and Sasse MA: ‘Safe and sound: a safety-critical design approach to security’, to be presented at the 10th ACM/SIGSAC New Security Paradigms Workshop, Cloudcroft, New Mexico (September 2001) (in press).

  24. Weirich D and Sasse M A: ‘Pretty good persuasion: a first step towards effective password security for the real world’, to be presented at the 10th ACM/SIGSAC New Security Paradigms Workshop, Cloudcroft, New Mexico (September 2001) (in press).

Download references

Authors
  1. M A Sasse
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. S Brostoff
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. D Weirich
    View author publications

    You can also search for this author in PubMed Google Scholar

About this article

Cite this article

Sasse, M.A., Brostoff, S. & Weirich, D. Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security. BT Technology Journal 19, 122–131 (2001). https://doi.org/10.1023/A:1011902718709

Download citation

  • Issue Date:

  • DOI: https://doi.org/10.1023/A:1011902718709

Keywords

Search

Navigation