Effective computer security: the human-centred approach
Research by Professor Angela Sasse of University College London
Note from PaCCS: This case study was first published by University College London. Professor Angela Sasse has been accredited to PaCCS.
The human-centred approach to computer security developed at UCL has transformed the delivery of effective security by UK government and industry, forming the cornerstone of security practices in corporations around the world. It prioritises the design of usable security that works with and for, rather than against, users and their organisations.
The approach was first formulated by Professor Sasse, whose work unpicked how security policies and mechanisms that are too difficult to use lead to productivity losses, non-compliance and errors, and a negative security culture. Security policies and mechanisms implemented without considering the users consume considerable organisational resources, but do not deliver effective security. By helping to improve the design of security systems used by millions of people each day, Professor Sasse’s work has helped make such systems easier to use while reducing the risk of security breaches.
Today, technology allows for virtually all government services to be made available online in a secure and effective way with simple, user-friendly ways for citizens to assert their identity. This access needs to be consistent across government services, while also being highly secure and able to preserve users’ privacy. Between 2008 and 2011, Professor Sasse advised the government on e-government security, helping to define and implement the federated identity solution developed by the Cabinet Office Identity Assurance Programme to ensure a low-cost, low-effort and privacy-respecting way of authenticating UK citizens. This will enable the government to provide more of its services online, for example universal credit, accessing benefits and pensions, passport and driving licence renewal and many more.
In the commercial sector, Professor Sasse’s work has also been of widespread benefit, with the production of improved security products and greater organisational efficiency stemming from more usable and cost-effective systems.
Through consultancy with a number of small and medium-size enterprises, Professor Sasse helped them deliver usable authentication products. Most notably, her work with First Cyber Security led to a redesign of their anti-phishing tool SOLID. One of the biggest difficulties with anti-phishing software is users’ failure to notice indicators from the software while on web pages. Professor Sasse helped the company to identify which software design elements to adapt to increase the product’s intuitiveness and perceived speed, alongside a review of the human interaction with the software. Her guidance on minimising user effort and giving them value inspired the company to create a new integrated product: the Safe Shop Window, which provides shopping search results that filter out suspicious sites, saving users time as they no longer need to evaluate each site individually. This launched in 2012 and now protects the customers of sites that generate 70% of the UK online retail turnover.
Professor Sasse is also Chief Scientific Advisor of iProov, a security startup company that delivers her concept of “0 Effort, 1 Step, 2 Factor” authentication. The company provides an off-the-shelf biometric authentication service for companies, so they do not have to invest in costly and inefficient in-house services. Her work improved the biometric by increasing the usability of feedback given to users.
Since collaborating on a three-year project with Professor Sasse, HP Labs has exported her user-centred approach in its consultancy to other companies through its Security Analytics service. This calculates the cost to a business of using particular security approaches and draws on her expertise in calculating how much employee time is spent dealing with a given mechanism. This enables HP, and by extension its clients, to work out the costs of this silent waste of productivity.