Refining the Understanding of Usable Security

Abstract

Cybersecurity technologies and processes must be usable if users are to make effective use of protection. Many security practitioners accept the value of usable security, but few can precisely define it in practice and in terms of how it influences users’ security behaviour and the wider security culture in organisations. This paper investigates how different sources characterise usability and usable security to identify the key aspects that affect usability and determine the degree to which usability aspects are relevant in cybersecurity. This has resulted in a definition of usable security and a framework that supports the cybersecurity community’s efforts to make security more usable. The motivation for examining the definitions of usable security in detail is to characterise the potential linkage between usable security and the wider security culture within an organization (with the usability of the technology being a factor that could clearly help or impede the acceptance and operation of security, and therefore impact the related culture). The study suggests that, to some degree, the cybersecurity community is catching up with notions that the HCI field has understood for longer. The lack of consistency in defining usable security motivates the proposal of a working definition. Furthermore, a primary outcome of assessing the usability and usable security studies is establishing a framework of usable security, integrating the key aspects identified in the literature. The proposed framework offers a mechanism for operationalising usable security by incorporating principles from both IT/HCI and cybersecurity perspectives.