Publicly available. Published by Oldenbourg Wissenschaftsverlag, August 16, 2016

Usable Security – Results from a Field Study

Luigi Lo Iacono, Hoai Viet Nguyen and Hartmut Schmitt

Luigi Lo Iacono studied computer science with a major in systems and security engineering and received the PhD degree from the University of Siegen (Germany) in 2005. He has previously worked in academic and industry research labs including Siemens Corporate Technology and NEC Laboratories Europe and is currently a full professor at the Cologne University of Applied Sciences, Germany. His research interests are focused on the security of distributed systems and the usability of those security mechanisms.

Hoai Viet Nguyen received his Master of Science in Media Technology at the University of Applied Sciences, Cologne, Germany. Since 2013, he has been a Research Assistant at the Data and Application Security Group of the University of Applied Sciences, Cologne, Germany. His research interests include service security and usable security.

Hartmut Schmitt is a research project coordinator at HK Business Solutions GmbH (Sulzbach/Saar, Germany), a provider of business software and hardware solutions for SMEs. Since 2006 he has been working on research projects in the fields of human-computer interaction, usability, user experience, and requirements engineering, including project supervision for several joint projects. At present, he is leading and participating in the research project “USecureD – Usable Security by Design”.

From the journal i-com

Abstract

Security has evolved into an essential quality factor of software systems. However, security features in software applications are often time-consuming, error-prone and too complicated for common users. This is mainly due to a limited consideration and integration of usability. As a consequence, users either circumvent security features or do not utilize them at all. Usable security is an advanced quality topic and an important research area of software systems. This area combines usability and security with the objective of making the use of security features in software effective, efficient and satisfying. In order to meet this challenge, the research project USecureD aims at supporting small and medium-sized enterprises (SMEs) in facilitating the selection and incorporation of usable security by developing, evaluating and collecting principles, guidelines, patterns and tools for merging usability and security engineering. During the initiation phase of the USecureD project, an online study (N = 118) in conjunction with 10 interviews and 2 workshops have been conducted in order to identify the relevance and requirements of usability, security and usable security with a specific focus on SMEs. The obtained results are presented and derived implications are discussed in this paper.

1 Introduction

Usability and security have established themselves as two vital quality factors in contemporary software systems. However, developing applications that are usable and at the same time secure remains a neglected topic in many software products. This is mainly because the two quality factors are most commonly understood as being in conflict with each other. Thus, software engineers presume that they have to compromise between implementing strong security and designing software for ease of use [11]. This view leads to a loss of software quality, e. g. usable software that lacks security, enabling the disclosure and manipulation of sensitive information, or security components built without consideration of usability, causing frustration and misuse because the protection means are too time-consuming, error-prone and complicated.

Usable security is a research area and interdisciplinary approach that aims to resolve this trade-off by bridging usability and security [1, 11]. Secure and usable applications can support the execution of business processes in an effective, efficient, satisfying and secure manner. Thus, they are particularly important in enterprise software. However, realizing software systems that exhibit both quality factors requires considerable expenditure, including the rearrangement of the software development process, the employment of usability and security experts, the setup of a usability lab and additional security audits. Due to the efforts and costs involved, many SMEs are not able to address this topic.

The USecureD (Usable Security by Design, https://www.usecured.de/) research project develops, evaluates and collects principles, guidelines, patterns and tools for a lightweight combination of usability and security engineering. The goal is to incorporate usable security as an integral part of the software engineering process of enterprises, and of SMEs in particular. During the initiation phase of the project, an online study (N = 118) as well as 10 interviews and 2 expert workshops have been conducted in order to identify the relevance and requirements of usability, security and usable security in enterprises. Moreover, the online study allows a comparison between participants from software developing companies and companies that only use software, as well as between SMEs and LSEs (large-scale enterprises). This paper presents an excerpt of the distinct studies with their main findings and results. More detailed reports (in German) are available online at Nguyen and Lo Iacono [5] and Schmitt [6] respectively.

2 Requirements Analysis

2.1 Procedure

2.1.1 Online Study

The online study has been conducted from October 30th to December 20th 2015. Participants were asked to answer a structured questionnaire containing 42 questions. The four main topics of the questionnaire were usability and security in general (e. g., “Do you know what usability is?”), the personal opinion of the participants regarding usable security and its assessed relevance, the current integration of usability and security in the business processes of the participants’ enterprises (e. g., certifications, usage of usability and / or security guidelines and checklists) and the willingness of the participants and their enterprises to invest in usability and security (e. g., trainings, third party services and specialized tools).

2.1.2 Interviews and Workshops

Complementary to the online study, interviews with stakeholders and end users in several SMEs have been conducted. In addition, two expert workshops have been held. The workshops were conducted as discussion sessions with a total of six participants. The guideline for conducting the interviews and expert workshops is partially based on the online study.

The interviews have been held at the workplaces of the companies. Thus, observations relevant for the study could be made in the participants’ own company and familiar working environment. Each semi-structured interview lasted between 30 and 50 minutes. Each workshop was approximately 2.5 hours in duration.

The main objective of the interviews and expert workshops was to enrich the requirement analysis with experiences from various SMEs as well as projects with SMEs and to compare the results with the findings of the online study.

2.2 Participants

2.2.1 Online Study

During the study, 118 completely answered surveys have been collected in total. The participants can be divided into two main groups: 56 % (66 participants) work at an SME and the remaining 44 % (52 participants) at an LSE. Note that this paper distinguishes an SME (< 250 employees) from an LSE (≥ 250 employees) by the number of employees only. Regarding business value creation, 71 % (84 participants) of the participants work at organizations which develop software. The other 29 % (34 participants) are employed at companies that make use of software. In terms of work experience, 53 % of the participants have at least ten years of professional experience. Four to ten years of working practice have been reported by 33 %. The remaining 14 % of the participants possess less than 3 years of professional work experience.

2.2.2 Interviews and Workshops

Ten participants from four SMEs have taken part in the interviews. The interviewees are employed in different departments including management, accounting, order management and transportation. The average professional work experience of the participants in their current position is 15 years (min = 0.5, max = 40). The participating SMEs are companies that only use software.

Three employees from saarland.innovation&standort e. V. (saar.is) participated in one workshop and three from the Fraunhofer Institute for Experimental Software Engineering IESE in the other. saar.is is an organization which advises and supports SMEs in technology transfer. Fraunhofer IESE is one of the 67 institutes and research units of the Fraunhofer society. As the institutes of the Fraunhofer society focus on applied research, IESE also cooperates with SMEs.

2.3 Results

The main results from the online study, the interviews and the workshops are presented in the subsequent sections. The results from the online study have been analyzed in general as well as separately for each distinct class of participants (see Section 2.2). No major differences could be identified, meaning that the relevance and requirements of usability, security and usable security are similar across software developing companies and enterprises making use of software only, as well as across SMEs and LSEs.

2.3.1 Comprehension and Relevance

According to the study results, over 85 % of the participants understand and are able to describe the quality properties of usability and security properly. This indicates that both quality topics are well known within organizations. Also, over 85 % of the participants assess usability and security as two essential quality factors in software systems, rating their relevance as high or very high.

In line with the results of the online study, the majority of the interviewees are familiar with usability and security and assess the relevance of both quality factors as high or very high (“Security is important because you rely on the systems”, “… one of the most important things, for example, concerning customer data”). All participants regard the relevance of usability as “high” (seven participants) or “very high” (three participants) and justify this with better acceptance of the products or higher work efficiency (“The easier programs are to use the more likely they are accepted by the users”, “It is important to be able to work quickly and easily”).

An interesting aspect is that, when the interview participants from SMEs have been asked about the security mechanisms in use, some employees assume that well-known security mechanisms like e-mail encryption are utilized by their company. The chief executive officers (CEOs), however, deny that corresponding security mechanisms are used. This impression has been reinforced by the expert workshops. According to the saar.is experts, one reason for this misconception is the employees’ lack of in-depth understanding of security technology.

2.3.2 Current Demand

The online study also reveals many domains in which the participants demand more usable security development and research activities (see Figure 1). This is especially true for e-mail and mobile security. Even though much research on evaluating and improving the usability of secure e-mail communication has been published in the past [2, 3, 10], 70 % still demand further activities in this area. For example, so far no e-mail security solution exists that enables users to protect all of their e-mail conversations across all of their accounts and devices.

Figure 1: Usable security areas requiring more development and research.

A similar percentage demands improvements in mobile security. The high demand for usable security in this area may relate to the fact that the utilization of mobile devices such as smart phones, tablets and wearables is increasing rapidly in sensitive environments including everyday life, business processes and government agencies [1, 4].

One main reason for the high demand for development and research in usable security may be the finding that 77 participants (65 %) spend up to one hour per day on the use of security mechanisms. 4 % even require up to two hours per day. Among participants from enterprises which use software only, the latter percentage is even higher: here, 9 % spend up to two hours per day on the use of security mechanisms.

2.3.3 General Requirements

The participants have also been asked about the requirements for designing usable security mechanisms in general, and which aspects they consider most important for usable security mechanisms (see Figure 2). Here, 83 % demand usable security that is easy to use, 75 % require it to be comprehensible (concerning the functionality) and 65 % state that it needs to be transparent (concerning data processing). Interestingly, only slightly more than a third of the participants (35 %) require usable security mechanisms to be invisible. Thus, the frequently expressed argument that security can only be realized in a usable manner if it is completely hidden from the user does not hold in general. Apparently users are willing to interact with security features if they are easy to use, comprehensible and transparent. These are all clear goals of the usable security domain. Under the headline “Miscellaneous” some of the participants added aspects such as automated and context-adequate. The latter requirement is especially noteworthy, since it provides some motivation for research activities applying context-awareness, for example to authentication. If the context provides evidence that a legitimate user is nearby in a trustworthy location, the required authentication procedure could be loosened slightly.

Figure 2: Requirements on usable security mechanisms.

2.3.4 Required Tools and Support

Over 90 % of the participants from software development enterprises state that usability and security engineering are integrated in the software development process of their company. This further underlines the results on the relevance of both quality factors. In this context, participants have been asked for appropriate methods and instruments for conducting usability and security engineering (see Figure 3). Over 50 % stated models, patterns (e. g., user interface design patterns [7], interaction design patterns [9]), guidelines (e. g., usability guidelines [8]), checklists and tools as appropriate methods. This reveals a clear preference for lightweight mechanisms that provide the required support at minimal burden. In the free text answer field “Miscellaneous”, 12 % of the participants named additional instruments including user studies and penetration tests. These are common methods in the usability and security engineering domain respectively. This result indicates that standard tools from the respective field are still considered necessary and that combined approaches integrating, e. g., real attacks in usability tests might be needed.

Figure 3: Methods and tools considered as appropriate for supporting usability and security engineering.

2.3.5 Selection Criteria

Even though the majority of the participants consider usability and security as crucial factors for ensuring high quality standards of software systems, neither quality factor is amongst the most important selection criteria for software. The functionality provided by a software application is declared as the main selection criterion by 74 % of the participants. Note that this question has only been asked to those study participants who are part of a company which only makes use of software. Barely 3 % select usability or security as the first and most important aspect. Their relevance increases significantly at the next ranks, however. Already 26 % vote for usability and 21 % for security as the second most important criterion. The highest percentage for usability is reached at the third position with 32 %. The quality factor security reaches its highest ranking as the fourth criterion with 41 %. These results support and underline the prior findings on the relevance of both quality factors. Understandably, as non-functional aspects of software systems they do not outrank functional ones. Still, both quality factors are recognized as the most meaningful ones amongst the non-functional aspects.

Similar to the online study, the interview and expert workshop participants state that functionality is one of the most crucial criteria for choosing software. For 50 % of the employees from SMEs, functionality has the highest priority when it comes to selecting software (“Employees must have suitable tools”). Usability and security are important as well for some interviewees. 40 % rank usability as the first or second criterion (“Software has to be useful and to simplify”). Security is selected by 30 % as the first criterion (“particularly important”) and by 20 % as the second. The experts of saar.is consider functionality, manufacturer, performance, security and usability as important and relevant, but do not state any order of priority. Furthermore, the customers of saar.is complain about insufficient usability in software products, but this quality factor is not an argument for buying software. The IESE employees cannot make any statement about the order of priority, as the criteria for choosing software vary depending on the customer and the scenario. The experts of saar.is name a few examples of important criteria, e. g. reliability (if the software is used in the production area) or support of common standards (for the exchange of business documents).

2.3.6 Willingness to Invest

The willingness to invest in usability and security is high. Around 71 % of the participants of the online study state that their organizations are willing to train their employees in usability or security. Moreover, 45 % are even ready to train them in both quality topics. This is similar to the results of the question on the willingness to utilize specialized tools for usability or security. Here, 76 % of the participants declare that their company is open to using specialized tools for usability or security. 54 % are even willing to make use of specialized tools for both quality factors. The readiness to use third party services is, however, lower than for the two aforementioned areas. For this question, 54 % of the participants state that their company agrees to consume third party services for usability and / or security. Merely 33 % are willing to use third party services for both quality factors. This reluctant attitude towards third party services, compared to the willingness to invest in trainings and specialized tools, may relate to the question on appropriate methods for conducting usability and security engineering. There, only 23 % consider third party services as an appropriate approach (see Figure 3). Nevertheless, the findings show that the majority is willing to apply as well as invest in methods and instruments for usability and / or security.

Six out of ten interviewees from the SMEs state that their company is open to training and to hiring third party services for security topics. However, only two participants declare a willingness to use specialized tools for security (“Our CEO keeps an eye on it. If something is missing we can talk to him anytime”). For the customers of IESE, trainings, the utilization of specialized tools and the employment of third party services are often required by legal regulations and are not initiated proactively by the companies. According to the experts of saar.is, large companies are willing to train their own employees in security topics, whereas smaller enterprises are interested in using third party services for security. They also declare that many companies are afraid of making larger investments in specialized tools for security and acquire cheaper solutions instead. However, those low-cost mechanisms often cause security issues.

2.3.7 Decision Support

The participants of the interviews with the SMEs and the experts from the workshops have additionally been asked about desired auxiliaries which help them in choosing usable and secure business software. The employees of the SMEs cite product presentations, demo versions, guidelines and good consultation as appropriate auxiliaries for selecting usable and secure business applications. According to an assessment of the IESE researchers, more knowledge and awareness could aid users in choosing usable security software. Both factors are very important, as neither standards nor prominent good ratings (e. g. from the German consumer organization Stiftung Warentest) for usable security are available so far. Also, the IESE researchers state that a usability / security matrix would be a desirable guidance for selecting software with the quality factor usable security. According to the experts of saar.is, usability in software systems is considered by their customers. However, in many companies, usability does not play a major role when it comes to choosing software.

3 Discussion and Further Research

The statements of the participants of the interviews and the expert workshops substantiate the need for further research and development in security and usable security in particular, as security measures are often too time-consuming, error-prone and complex. The IESE customers spend a lot of time on typing passwords or attending trainings with mandatory participation. Moreover, many companies believe that their current protection means are sufficient, but are still afraid of prospective threats. One reason for this is the digital connectivity with associated partners and competitors, which has been established as a vital requirement in contemporary business communities. Consequently, enterprises are increasingly interested in opening up distinct business processes and information in order to enhance the collaboration with partners and other organizations. Here, the disclosure of sensitive business information to competitors and other unauthorized organizations must be prevented. Thus, data security and privacy means are gaining significance.

The expert workshops also reinforce the need for more research and development in usable security for the mobile security domain, as the employees of IESE and saar.is notice an increased incorporation of mobile devices in many business domains such as construction and machine control. This finding supports the demand on more usable security research and development activities in mobile security which has been revealed by the online study as well.

Another interesting finding is that many customers of saar.is and IESE as well as some interviewees from SMEs show an antipathy towards security mechanisms. One possible reason for this could be that information technologies are becoming more and more complex and burden many companies, especially very small enterprises without a dedicated information technology department. Therefore, the IESE customers consider security mechanisms as burdensome and the employees of saar.is declare that their customers consider security a necessary evil. Hence, many people tend to evade security or neglect policies in order to accomplish their task. For instance, one saar.is employee mentions a physician uploading high-resolution images of patients to a public cloud service to make them easily accessible for another physician. Also, a participant of the interviews at the SMEs admits to deactivating active anti-virus software in order to update a certain program. The researchers of IESE even notice that some of their customers assist each other in circumventing security mechanisms.

All these findings indicate that security components are often considered an obstacle and hence are avoided or not used at all. The reasons behind this problem may relate to the assessment of the saar.is employees, who declare that many companies consider security a technical issue only and do not take organizational and human factors into account. Further examples of the consequences of this omission are password notes beneath the keyboard and unlocked offices during the lunch break.

The two features most desired by employees from SMEs for good security mechanisms are the same as the two most required traits for usable security mechanisms in the online study: security mechanisms should be comprehensible and easy to use. Only four participants require good security mechanisms to be transparent. In many cases, distinct usable security features such as transparency are, however, not desired by the companies due to their business model, as some enterprises, such as app providers, do not want users to know what happens with the users’ data. These findings may explain why transparency is chosen less often as a property of a good security mechanism than comprehensibility and ease of use.

4 Conclusion

The results of the online study provide a general perspective on the relevance and requirements of usability, security and usable security. The interviews at the SMEs and expert workshops confirm and concretize these findings. The majority of the participants of the online study, interviews at the SMEs and many customers of IESE and saar.is are familiar with the quality factors usability and security. Likewise, the relevance of both quality factors in software is assessed mostly as high or very high. Many companies are open to invest in usability and security as well. This image is similar across all kinds of enterprises including software developing companies and enterprises making use of software only as well as SMEs and LSEs.

Even though the relevance of usability as well as security is considered high and a lot of research concerning usable security has been published, many domains of this field still require further research and development, e. g. e-mail and mobile security. In general, the participants of the SME interviews and expert workshops often complain about the usability of security components and many consider them obstructive or burdensome. This emphasizes that a number of development and research challenges in usable security still exist. For the time being, the mobile security domain is of paramount importance, as mobile devices in conjunction with the Internet of Things (IoT) are increasingly integrated in business processes.

Understandably, functionality remains the most relevant criterion for choosing software, while usability and security are still important, but in many cases are not the first or second argument for purchasing software products.

Nevertheless, the majority of the participants of the online study and the SME interviews choose comprehensibility and ease of use as two required features of usable security mechanisms. The other properties, invisibility and transparency, are chosen less often by the participants. One reason why the latter property is chosen less often may relate to the statements of the IESE researchers, who declare that some companies do not want users to know what happens with their data. For conducting usability and security engineering, most of the online study’s participants from software developing companies mentioned guidelines, models, patterns, checklists and tools as appropriate methods and instruments. In the interviews at the SMEs, which only make use of software, two participants also refer to guidelines as desired auxiliaries for helping users in choosing usable security software.

All these findings meet the objectives of USecureD, as it intends to integrate usable security as a vital quality factor in enterprises, and SMEs in particular, in order to enhance the efficiency, effectiveness, satisfaction and security of using and building business software. To do so, USecureD evaluates, develops and collects patterns, principles, guidelines and tools and combines them in a comprehensive platform. Software development enterprises can henceforth use the USecureD platform as an instrument for combining usability and security engineering with the aim of developing comprehensible, easy to use and secure software systems. With a newly developed approach to linking principles, guidelines and patterns, developers obtain distinct ways to access the available domain knowledge in a condensed and easily digestible manner, as required by non-specialized engineers. Companies which use software only can utilize the USecureD platform as a guidance to choose and purchase usable and secure applications. The integrated tools support the users in specifying requirements in terms of usable security features in order to guide the selection of adequate software products and services.

Acknowledgment

The USecureD project is funded by the Federal Ministry for Economic Affairs and Energy (BMWi) under project number 01MU14002. The authors would like to thank Jasmin Niess for her constructive comments which helped a lot to improve the readability of the paper.

References

[1] Garfinkel, S. L.; Lipford, H. R.: Usable Security: History, Themes, and Challenges. Synthesis Lectures on Information Security, Morgan & Claypool Publishers, 2014. doi:10.2200/S00594ED1V01Y201408SPT011

[2] Garfinkel, S. L.; Margrave, D.; Schiller, J. I.; Nordlander, E.; Miller, R. C.: How to make secure email easier to use. Conference on Human Factors in Computing Systems (SIGCHI), 2005. doi:10.1145/1054972.1055069

[3] Kapadia, A.: A Case (Study) For Usability in Secure Email Communication. IEEE Security & Privacy, Volume 5, 2007. doi:10.1109/MSP.2007.25

[4] Li, Q.; Clark, C.: Mobile Security: A Look Ahead. IEEE Security & Privacy, Volume 11, 2013. doi:10.1109/MSP.2013.15

[5] Nguyen, H. V.; Lo Iacono, L.: Auswertung der Online-Studie. USecureD-Deliverable, 2016. Online available at: https://www.usecured.de/UseWP/wp-content/uploads/2015/04/USecureD-Anforderungsanalyse-Online-Studienergebnisse-V.1.pdf

[6] Schmitt, H.: Anforderungsanalyse (Interviewergebnisse). USecureD-Deliverable, 2016. Online available at: https://www.usecured.de/UseWP/wp-content/uploads/2016/02/USecureD-Anforderungsanalyse-Interviewergebnisse-V.1.pdf

[7] Toxboe, A.: User Interface Design Patterns, 2016. Online available at: http://ui-patterns.com

[8] U. S. Department of Health & Human Services: HHS Web Standards and Usability Guidelines, 2016. Online available at: http://webstandards.hhs.gov

[9] van Welie, M.: A Pattern Library for Interaction Design, 2008. Online available at: http://www.welie.com

[10] Whitten, A.; Tygar, J. D.: Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. 8th USENIX Security Symposium, 1999.

[11] Yee, K.-P.: Aligning security and usability. IEEE Security & Privacy, Volume 2, 2004. doi:10.1109/MSP.2004.64

Published Online: 2016-08-16
Published in Print: 2016-08-01

© 2016 Walter de Gruyter GmbH, Berlin/Boston