Secure Interaction Design

Ka-Ping Yee

Usability and security aren't contrary goals; don't assume that you must sacrifice one for the sake of the other. In fact, a system that's hard to understand and use will almost certainly have security problems in practice.

A more secure system is a more reliable, more effective system: hence, a more usable system. Here's a definition from Garfinkel and Spafford's book, Practical UNIX and Internet Security:

"A computer is secure if you can depend on it and its software to behave as you expect."

Doesn't that look like it would be good for usability, too?

User Interaction Design for Secure Systems

This paper sets out an argument that security goals and usability goals can be aligned rather than in opposition, and suggests ten principles for designing systems that are both usable and secure.

The abridged version of this paper was published at the International Conference on Information and Communications Security.

The full version of the paper is available here.

Design Principles

Here are the ten suggested principles for secure interaction design:

Path of Least Resistance: Match the most comfortable way to do tasks with the least granting of authority.
Active Authorization: Grant authority to others in accordance with user actions indicating consent.
Revocability: Offer the user ways to reduce others' authority to access the user's resources.
Visibility: Maintain accurate awareness of others' authority as relevant to user decisions.
Self-Awareness: Maintain accurate awareness of the user's own authority to access resources.
Trusted Path: Protect the user's channels to agents that manipulate authority on the user's behalf.
Expressiveness: Enable the user to express safe security policies in terms that fit the user's task.
Relevant Boundaries: Draw distinctions among objects and actions along boundaries relevant to the task.
Identifiability: Present objects and actions using distinguishable, truthful appearances.
Foresight: Indicate clearly the consequences of decisions that the user is expected to make.
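To make several of these principles concrete, the following is an added toy model (not code from the paper or from its author) of how authority can be handed to an untrusted program only through the user's own actions. The class names (UserSession, Capability, Agent), the sample file contents and the "editor" agent are assumptions made for this illustration. It shows Path of Least Resistance (picking a file is itself the minimal grant), Active Authorization (no grant without a user action), Revocability (the user withdraws the grant and the agent's access fails), Visibility (a ledger of who can reach what) and Foresight (the consequence is stated before the user acts).

```python
"""Toy capability model illustrating several secure interaction design
principles. Not code from the paper; class names and sample data are
assumptions made for this example."""


class AuthorityError(PermissionError):
    """Raised when an agent uses authority it does not currently hold."""


class Capability:
    """A revocable, read-only handle to one resource.

    Holding the object is the only way to reach the resource, so an agent's
    authority is exactly the set of capabilities it has been handed.
    """

    def __init__(self, resource, holder, session):
        self.resource = resource
        self.holder = holder
        self._session = session

    def read(self):
        if not self._session.is_active(self):
            raise AuthorityError(
                f"{self.holder}: access to {self.resource} has been revoked")
        return self._session.files[self.resource]


class UserSession:
    """User-facing side: authority reaches agents only through explicit user
    actions (Active Authorization); the session keeps a ledger of live grants
    (Visibility) and can withdraw any of them (Revocability)."""

    def __init__(self, files):
        self.files = dict(files)   # constructed sample "filesystem"
        self._grants = set()       # live capabilities, compared by identity

    def describe_grant(self, agent, resource):
        """Foresight: state the consequence before the user acts."""
        return (f"'{agent.name}' will be able to read '{resource}' "
                f"until you revoke it; it gets no other access.")

    def choose_file(self, agent, chosen):
        """Path of Least Resistance: the natural way to open a file (picking
        it) is also the act that grants the minimum authority: read access
        to that one file and nothing else."""
        if chosen not in self.files:
            raise KeyError(chosen)
        cap = Capability(chosen, agent.name, self)
        self._grants.add(cap)
        agent.receive(cap)
        return cap

    def is_active(self, cap):
        return cap in self._grants

    def revoke(self, cap):
        """Revocability: the user can reduce an agent's authority at any time."""
        self._grants.discard(cap)

    def ledger(self):
        """Visibility: which resources each agent can currently reach."""
        out = {}
        for cap in self._grants:
            out.setdefault(cap.holder, set()).add(cap.resource)
        return out


class Agent:
    """An untrusted program with no ambient access to the session's files;
    it can only use the capabilities it has been handed."""

    def __init__(self, name):
        self.name = name
        self.caps = []

    def receive(self, cap):
        self.caps.append(cap)

    def read_all(self):
        return {c.resource: c.read() for c in self.caps}


def demo():
    """Grant, use, inspect and revoke; returns the observations for checking."""
    session = UserSession({"notes.txt": "meeting at 10", "secrets.txt": "hunter2"})
    editor = Agent("editor")

    before = editor.read_all()                  # no user action yet -> {}
    notice = session.describe_grant(editor, "notes.txt")  # shown before acting
    cap = session.choose_file(editor, "notes.txt")        # the pick is the grant
    after_grant = editor.read_all()             # only notes.txt is reachable
    visible = session.ledger()                  # {'editor': {'notes.txt'}}

    session.revoke(cap)
    try:
        editor.read_all()
        revoked_ok = False
    except AuthorityError:
        revoked_ok = True
    return before, notice, after_grant, visible, revoked_ok, session.ledger()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that secrets.txt is never reachable by the agent at any point: it was never chosen, so no capability naming it exists, which is the "least granting of authority" the first principle asks for.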