[tor-dev] Human factors of security software

Bernard Tyers - ei8fdb ei8fdb at ei8fdb.org
Tue Apr 9 11:44:26 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello nice Tor people,

[I've spoken with Runa about this and she suggested I send this to the dev list. If it belongs somewhere else, just let me know. Thanks Runa.]

Tl;dr: 6 months' worth of a reasonably security/privacy/encryption-savvy HCI researcher's time to carry out an MSc dissertation about the usability of security software, and the effect their UIs have on people's idea of how they work.

(You may see this e-mail on a number of lists; I'm mailing each list individually.)

Seeing as I am going to be asking for a favour, I should give some information about me.

My background is: electronics engineering, network and systems admin, then telecoms engineer (mobile networks). I'm not a coding/security/crypto bod, but security has been part of the past 10+ years of my work, so I can understand some of it and know where to find, or who to ask for, the answers for the rest.

My interest is: HCISEC - Human Computer Interaction in security technology. Security, privacy and encryption tools, and why people who should use them do not use them.

I define "people who should use them" as human rights activists, investigative journalists, and people in countries whose governments are oppressive.

I define "security, privacy, encryption tools" as "Tor, TBB, Orweb, Orbot, PGP, Redphone, TextSecure, Pixelknot, Silent Circle, Tails, and other tools I don't yet know about."


My focus is not on security professionals/experts, technical people who understand the limitations of these tools and the threats they defend against. These users have the technical knowledge and understanding of computing concepts, threat models, etc. which allow them to make a more educated decision.


I am doing a master's in human-computer systems, and it's coming to the time to start planning my dissertation. My chosen topic (very generally) is: "Usable security and its impact on mental models and trust." Over the next few weeks I want to focus this better.

(If you're familiar with the concept, or are not interested, just skip this.)

A mental model is a "small-scale model of reality" humans create to use to reason, to anticipate events, and to reinforce explanation. Based on the user's understanding of a software interface, they will construct an idea of what is happening in an application.
If a user creates a number of mental models because a software interface gives different/wrong/conflicting information, this causes the user to be confused; as a result, they will make incorrect decisions, and possibly stop using the software. Given the scenarios where these tools are used, making mistakes, having a false sense of security, or not using them, can be dangerous.

There is a lot of research on trust and confidence in recommender systems, transparency of system status, and credibility of information provided in user interfaces, but (from what I've found so far) not much specifically to do with security and privacy tools.


So to my request: I have 6 months (beginning from May) to carry out an HCISEC human-factors-focused project. There have been usability evaluations of Tor carried out already, and I was looking for other areas to focus on.

I can find a subject myself, but I would like to do some work on an area that could lead to some useful research/provide input to making these tools better, from a user point of view. Is there a question you'd love to see answered? Is there some area of a tool that needs some research?

I will also be looking for participants to take part in research - again, I am very conscious of the scenarios where these tools are used, and the need to maintain anonymity and privacy. I will be anonymising all research, asking for the minimum information, and am happy to carry out communications via secure communications tools. I would appreciate support from users of security and privacy tools.

At the end, all research will be released and available for use by the security community if required.

At the risk of teaching you to suck eggs, if you are interested in learning more, I can recommend the "Security and Usability: Designing Secure Systems that People Can Use" book by Lorrie Faith Cranor and also the SOUPS Conference (http://cups.cs.cmu.edu/soups/2013/).

I look forward to some feedback (on or off list).

thanks,
Bernard


- --------------------------------------
Bernard / bluboxthief / ei8fdb

IO91XM / www.ei8fdb.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJRY/8bAAoJENsz1IO7MIrrM4AIALW27F757Fn4Jgy3pk0ZX4PQ
yl4ToEyJcFmZcKNjlejuTAeeVc00UGLlJRNTPuGT1WAUwt7JhgCYX8p9/YwgA4Pm
1AU6tCHcg9LBpc8ca+0lqBvCh/ZmVf5zTTEVjlXyylrUpqdlR67QemkpyjN0sUJW
V7PGPxig2Y3opdVzWZRrmvhLsJf7qN2mAxLUyzSS44nInqpS9+Db1MsDLpI5mof5
ze/FUKV3eTiTzJJ1qLMXbo8VbJvpZO3HgeUFwZH7btbUZQszwrifWupuZefqtro5
nyCNFnUcQ6fyxMOnRLPAji2eAe/fBasQ9h5pCiYVScclddWe1VWhf4poyjVHv9U=
=Sak4
-----END PGP SIGNATURE-----

