Title: Usable Security - A Personal Perspective

Speaker: Jeff Yan, Lancaster University, UK

Abstract:

My first usable security paper was written with Cambridge colleagues in 1999-2000, and it became publicly available in 2000 [1]. It took about five years to get the paper published in a peer-reviewed venue, but virtually no revision was made. The paper has been highly cited, and it is still cited each year. Nowadays, usable security papers are readily published at top venues such as Oakland, CCS and Usenix Security. The change is simple: usable security is no longer an ignored area, but has become mainstream. In this keynote, I will briefly talk about my involvement in this exciting development.

I will begin with how we started to work on usable security long before it was so called.

Security and usability are often competing requirements, and it's considered inherently hard to create solutions that are both secure and usable. However, with a number of exemplary results taken from my own work (on passwords, graphical passwords and Captchas), I'll show that it is feasible to develop novel, well-engineered and scientifically evaluated solutions which achieve security and usability simultaneously, rather than at each other's expense.

As a more recent development, usable security has been evolving into security psychology, a discipline that is much broader and deeper. Along this line, my recent joint project with Cambridge has yielded interesting results in the understanding of deception, which is not only the basic problem underlying security and cybercrime, but is central to human behaviour.

[1] J. Yan, A. Blackwell, R. Anderson and A. Grant. "The memorability and security of passwords -- some empirical results". University of Cambridge, Computer Laboratory Technical Report No. 500, 2000.