usability vs security case study of smartphone os

Post on 14-Aug-2015


USABILITY VS SECURITY: A CASE STUDY OF ANDROID, IOS AND WINDOWS

Rajiv Ranjan Singh

Department of Computer Science

Shyam Lal College (Evening)

University of Delhi

 

Shaurye Aggawal

Amity International School

Saket, Delhi, INDIA

THE PRESENTATION OUTLINE

Introduction

Research Questions

Experimental Design

Participants

Materials and Apparatus

Results

Summary and Discussion

Future Scope and Suggestions

Conclusion

INTRODUCTION

Many mobile phone OSes

Many apps added daily

Lots of Security features

Financial Transactions on Mobile

Different design environment

Computer systems must employ mechanisms that are difficult to use!

Convenience is the Antithesis to Security

ANDROID OS

APPLE IOS

WINDOWS

LATEST FROM THE SECURITY DOMAIN

CHALLENGES

Security features usually complex

Make Security Usable

Balance Security vs Usability

“Don't make me think” - Steve Krug's first law of usability

Intuitive navigation

Conformity to user expectations


CHALLENGES

Attackers know that your efforts to enhance usability utilize accepted conventions

Attackers will exploit these conventions to their advantage

Complex mechanisms hard to configure

Hard to implement correctly

This weakens security

PSYCHOLOGICAL ACCEPTABILITY

Saltzer & Schroeder (1975), The Protection of Information in Computer Systems

Examined several 'design principles' associated with security

Psychological acceptability is the principle that the closer security conforms to user expectations, the better

PRINCIPLE OF PSYCHOLOGICAL ACCEPTABILITY

“It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanism correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanism he must use, mistakes will be minimized. If he must translate his image of his protection into a radically different specification language, he will make errors.”

Jerome Saltzer & Michael Schroeder (1975)

PRINCIPLE OF PSYCHOLOGICAL ACCEPTABILITY

Complex configurations lead to errors, and the less tech-savvy the users are, the worse the security problems will be.

“How can one create mechanisms that are easy to use, provide the protection mechanism necessary, and are unobtrusive to use, for mobile users ranging from novice users to app developers?” – an open question

HUMANS & SECURITY

Are usability and security competing goals?

Humans are the weakest link in the security chain.

Security systems are social as well as technical.

Security mechanisms require extra work. Humans find shortcuts and workarounds.

Users will find ways to evade security demands that are considered unreasonable or burdensome.


RESEARCH QUESTIONS

Can usability and security co-exist?

Does increased security reduce usability?

Does increased usability reduce security?

RESEARCH QUESTIONS

To understand whether the security features of a smartphone improve its usability or reduce it

Null Hypothesis H0: Security features of a smartphone have no relation with its usability features.

Alternate Hypothesis H1: Security features of a smartphone share a relation with its usability features.

EXPERIMENTAL DESIGN

Questionnaire to study the impact of factors governing security and usability in smartphones running various OS such as Android, iOS, Windows etc.

Questions selected on the basis of their relevance to two factors, i.e. Security and Usability.

Questionnaire included questions related to:

Operating system on their smartphone

User’s technical expertise

Locking mechanism used

Features enabled on phone such as antivirus, anti-theft feature etc.

PARTICIPANTS

All the participants were smartphone users

They were e-mailed the survey form

Respondents are from all categories of users:

As young as school students to professionals

From very little tech-savvy to app developers

School students as well as doctoral degree holders

QUESTIONNAIRE

Survey on Usability vs Security

Your Name: ……………………………….

Age: 15-20 years; 21-25 years; 26-30 years; 31 and above; Other: ……………………

Your Qualification: School Student; College Student; Post Graduate; PhD and above; Other: ………………………………..

What is the OS used in your smartphone? Android; iOS; Windows; Symbian

What kind of security do you use for your smartphone? Pattern Lock; Number Code Lock; No Locking mechanism; Other: ………………………………….

Do you have antivirus installed on your smartphone? Installed but not enabled; Not installed but I would like one; I don’t need it; Installed and enabled

Are you aware of anti-theft features available on your smartphone? Yes, but I haven’t enabled; Yes and enabled; My phone does not have this feature; I am not aware if there is any such feature

Are you aware of email encryption features available on your smartphone? Yes, but I haven’t enabled; Yes and enabled; My phone does not have this feature; I am not aware if there is any such feature

Do you fear that losing your phone may lead to Identity theft? Yes and I have taken enough precautions; Yes but I don’t know how to deal with it; No I don’t care; I don’t know about Identity theft

How would you describe yourself? With little techno Knowledge; Tech Savvy; App Developer

Would you prefer a phone which is easy to use or one which has more security features? One with more security; One which is easy to use

What is your opinion about security features adding hassle to your smartphone experience? I subscribe to the view; I don’t think so; I am OK with it

If you are to suggest one feature for your smartphone what would it be? …………………………………………………………..

What rating would you give to the security features on your phone? (1 being least secure and 5 being most secure)

Least secure 1 2 3 4 5 Most secure

What rating would you give to the usability (ease of use) of your phone? (1 being difficult to use and 5 being easy to use)

Difficult to use 1 2 3 4 5 Easy to use

MATERIALS AND APPARATUS

Experiment started with the task of data collection for the study.

Questionnaire was prepared using Google Forms.

Participants were sent this form by e-mail.

Participants were not paid for the responses.

Study conformed to the requirements for ethical and safe research, as the responses were voluntary.

Identity of the respondents was never revealed to other respondents.

Responses were collected in a spreadsheet (.csv file).

More than 120 responses were used.

R was used for statistical functions, plotting etc.

RESULTS

Pearson’s correlation coefficient between security rating and usability rating: +0.38.

p-value much less than the significance level of 1%, so the null hypothesis can be rejected and the alternate hypothesis can be accepted.

A positive correlation between the usability conformance and security conformance of the smartphones as per user’s expectation.

This is contrary to established belief that enhanced security affects usability and vice-versa

One possible explanation can be that the modern day smartphones have been able to satisfy their users both in terms of security as well as usability because of their versatility.
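The significance claim above can be checked from the two reported figures. The Python sketch below is an added example, not the authors' R analysis: it computes Pearson's r over paired 1-5 ratings and uses the Fisher z approximation for the two-sided p-value and a 95% confidence interval. The sample size n = 120 (the slides say only "more than 120") and the sample ratings are assumptions constructed for illustration.

```python
import math

def pearson_r(xs, ys):
    """Pearson correlation of two equal-length lists of ratings."""
    n = len(xs)
    if n != len(ys) or n < 4:
        raise ValueError("need at least 4 paired ratings")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        # Every respondent gave the same rating: r is undefined.
        raise ValueError("a rating column is constant")
    return sxy / math.sqrt(sxx * syy)

def fisher_test(r, n, z_crit=1.959964):
    """Two-sided p-value for H0: rho = 0 and a 95% CI (Fisher z, normal approx.)."""
    if n < 4 or not -1 < r < 1:
        raise ValueError("need n >= 4 and -1 < r < 1")
    z = math.atanh(r)            # Fisher transform of r
    se = 1 / math.sqrt(n - 3)    # standard error of z
    p = math.erfc(abs(z) / se / math.sqrt(2))
    ci = (math.tanh(z - z_crit * se), math.tanh(z + z_crit * se))
    return p, ci

def check_reported(r=0.38, n=120, alpha=0.01):
    """Re-check the slide's claim; n = 120 is an assumed lower bound."""
    p, ci = fisher_test(r, n)
    return {"p": p, "reject_h0": p < alpha, "ci95": ci, "r_squared": r * r}

# Constructed sample of paired ratings (not the study's data).
SECURITY = [4, 3, 5, 2, 4, 3, 5, 4, 2, 3, 4, 5]
USABILITY = [5, 4, 5, 3, 4, 3, 4, 5, 3, 4, 3, 5]

if __name__ == "__main__":
    print("sample r =", round(pearson_r(SECURITY, USABILITY), 3))
    print("reported result:", check_reported())
```

With r = 0.38 the squared correlation is about 0.14, so the relationship is statistically significant at the assumed sample size but explains only a modest share of the variance in the ratings.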


SUMMARY


COMPARISON OF USABILITY RATINGS (ALMOST SAME)

COMPARISON OF SECURITY RATINGS (IOS BETTER)

FUTURE SCOPE AND SUGGESTIONS

Mobile platforms becoming packed with features

New mobile devices run different OS, have powerful libraries, boast of UI features and provide multi-protocol networking stack.

The threat becomes more severe as mobile devices store sensitive personal and financial data

Need to improve the user interface so that it could warn users about all categories of unsecured information.

A lot of users want to use various security features such as e-mail encryption etc., however they are unable to locate these functionalities on their phones.

FUTURE SCOPE AND SUGGESTIONS

So, user interface provided needs improvement.

There must be a common UI framework for all the smartphones.

Authentication problem provides a challenge to balance high level of security with appropriate level of usability.

Present work can also be used to design authentication process that is both secure and simple.

A future work can be to understand the user’s knowledge about the apps they are installing and risks associated with them.

CONCLUSION

Users are satisfied with both the security as well as usability features of the modern smartphones.

Though usability got more rating points than security, users prefer a phone with more security features rather than a phone that is easier to use.

Both Android and iOS got almost the same points for usability, but for security iOS did better than Android.

Our results are not in conformity with the existing norm that increasing security takes a toll on usability.

Results indicate a positive correlation between the security and usability features of smartphones.

Present day smartphones are versatile enough to satisfy both the security as well as usability requirements of the users.

Many smartphone users hesitate to migrate to another platform simply for the fear of portability issues.

Need of the hour: A common user interface framework to be adopted by all smartphone developers.

ACKNOWLEDGEMENTS

Sincere thanks to:

All the respondents

All the faculty members of: Department of Computer Science, Shyam Lal College (Evening), University of Delhi

THANK YOU !!!

Questions ???

Comments !!!
