Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security

Zinaida Benenson, Gabriele Lenzini, Daniela Oliveira, Simon Parkin, Sven Uebelacker

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; Academic; peer-review

1 Citation (Scopus)

Abstract

Psychology and neuroscience literature shows the existence of upper bounds on the human capacity for executing cognitive tasks and for information processing. These bounds are where, demonstrably, people start experiencing cognitive strain and consequently committing errors in the task's execution. We argue that the usable security discipline should scientifically understand such bounds in order to have realistic expectations about what people can or cannot attain when coping with security tasks. This may shed light on whether Johnny will ever be able to encrypt. We propose a conceptual framework for evaluation of human capacities in security that also assigns systems to complexity categories according to their security and usability. From what we have initiated in this paper, we ultimately aim at providing designers of security mechanisms and policies with the ability to say: “This feature of the security mechanism X or this security policy element Y is inappropriate, because this evidence shows that it is beyond the capacity of its target community”.
Original language: English
Title of host publication: NSPW '15
Subtitle of host publication: Proceedings of the 2015 New Security Paradigms Workshop
Place of Publication: New York
Publisher: Association for Computing Machinery (ACM)
Pages: 85-99
Number of pages: 15
ISBN (Print): 978-1-4503-3754-0
DOIs: https://doi.org/10.1145/2841113.2841120
Publication status: Published - Sep 2015
Event: 2015 New Security Paradigms Workshop, NSPW 2015 - Twente, Netherlands
Duration: 8 Sep 2015 to 11 Sep 2015

Workshop

Workshop: 2015 New Security Paradigms Workshop, NSPW 2015
Abbreviated title: NSPW
Country: Netherlands
City: Twente
Period: 8/09/15 to 11/09/15

Keywords

  • EC Grant Agreement nr.: FP7/318003
  • EC Grant Agreement nr.: FP7/2007-2013

Cite this

Benenson, Z., Lenzini, G., Oliveira, D., Parkin, S., & Uebelacker, S. (2015). Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security. In NSPW '15: Proceedings of the 2015 New Security Paradigms Workshop (pp. 85-99). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2841113.2841120