[tor-dev] Human factors of security software
Bernard Tyers - ei8fdb
ei8fdb at ei8fdb.org
Tue Apr 9 11:44:26 UTC 2013
Hello nice Tor people,
[I've spoken with Runa about this and she suggested me to send this to the dev list. If it should belong somewhere else, just let me know. Thanks Runa.]
Tl;dr: 6 months' worth of a reasonably security/privacy/encryption-savvy HCI researcher's time to carry out an MSc dissertation about the usability of security software, and the effect their UIs have on people's idea of how they work.
(You may see this e-mail on a number of lists; I'm mailing each list individually.)
Seeing as I am going to be asking for a favour, I should give some information about me.
My background is: electronics engineering, network and systems admin, then telecoms engineer (mobile networks). I'm not a coding/security/crypto bod, but security has been part of the past 10+ years of my work, so I can understand some of it and know where to find, or who to ask for, the answers to the rest.
My interest is: HCISEC - Human Computer Interaction in security technology. Security, privacy, encryption tools and why people, who should use them, do not use them.
I define "people who should use them" as human rights activists, investigative journalists, and people in countries whose governments are oppressive.
I define "security, privacy, encryption tools" as "Tor, TBB, Orweb, Orbot, PGP, Redphone, TextSecure, Pixelknot, Silent Circle, Tails, and other tools I don't yet know about."
My focus is not on security professionals/experts, technical people who can understand the limitations of these tools and the threats they defend against. These users have the technical knowledge and understanding of computing concepts, threat models, etc., which allow them to make a more educated decision.
I am doing a master's in human computer systems, and it's coming to the time to start planning my dissertation. My chosen topic (very generally) is: "Usable security and its impact on mental models and trust." Over the next few weeks I want to focus this better.
(If you're familiar with the concept, or are not interested, just skip this.)
A mental model is a "small scale model of reality" that humans create to use to reason, to anticipate events, and to reinforce explanation. Based on the user's understanding of a software interface, they will construct an idea of what is happening in an application.
If a user creates a number of mental models because a software interface gives different/wrong/conflicting information, this causes the user to be confused and, as a result, to make incorrect decisions, and possibly to stop using the software. Given the scenarios where these tools are used, making mistakes, having a false sense of security, or not using them can be dangerous.
There is a lot of research in trust and confidence in recommender systems, transparency in system status, credibility of information provided in user interface, but (from what I've found so far) not much specifically to do with security and privacy tools.
So to my request: I have 6 months (beginning from May) to carry out an HCISEC human-factors-focused project. There have been usability evaluations of Tor carried out already, and I was looking for other areas to focus on.
I can find a subject myself, but I would like to do some work on an area that could lead to some useful research/provide input to making these tools better, from a user point of view. Is there a question you'd love to see answered? Is there some area of a tool that needs some research?
I will also be looking for participants to take part in research. Again, I am very conscious of the scenarios where these tools are used, and the need to maintain anonymity and privacy. I will be anonymising all research, asking for the minimum information, and am happy to carry out communications via secure communications tools. I would appreciate support from users of security and privacy tools.
At the end, all research will be released and available for use by the security community if required.
At the risk of teaching you to suck eggs, if you are interested in learning more, I can recommend the "Security and Usability: Designing Secure Systems that People Can Use" book by Lorrie Faith Cranor and also the SOUPS Conference (http://cups.cs.cmu.edu/soups/2013/).
I look forward to some feedback (on or off list).
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org