Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security

Zinaida Benenson, Gabriele Lenzini, Daniela Oliveira, Simon Parkin, Sven Uebelacker

    Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; Academic; peer-review

    11 Citations (Scopus)
    6 Downloads (Pure)


    Psychology and neuroscience literature shows the existence of upper bounds on the human capacity for executing cognitive tasks and for information processing. These bounds are where, demonstrably, people start experiencing cognitive strain and consequently committing errors in the execution of tasks. We argue that the usable security discipline should scientifically understand such bounds in order to have realistic expectations about what people can or cannot attain when coping with security tasks. This may shed light on whether Johnny will ever be able to encrypt. We propose a conceptual framework for evaluation of human capacities in security that also assigns systems to complexity categories according to their security and usability. From what we have initiated in this paper, we ultimately aim at providing designers of security mechanisms and policies with the ability to say: “This feature of the security mechanism X or this security policy element Y is inappropriate, because this evidence shows that it is beyond the capacity of its target community”.
    Original language: English
    Title of host publication: NSPW '15
    Subtitle of host publication: Proceedings of the 2015 New Security Paradigms Workshop
    Place of Publication: New York
    Publisher: Association for Computing Machinery
    Number of pages: 15
    ISBN (Print): 978-1-4503-3754-0
    Publication status: Published - Sept 2015
    Event: 2015 New Security Paradigms Workshop, NSPW 2015 - Twente, Netherlands
    Duration: 8 Sept 2015 to 11 Sept 2015


    Workshop: 2015 New Security Paradigms Workshop, NSPW 2015
    Abbreviated title: NSPW


    • EC Grant Agreement nr.: FP7/318003
    • EC Grant Agreement nr.: FP7/2007-2013

