Welcome to the GCC-European Network of Research Excellence in
User Experience and Usable Security Systems and Services (UX-SECURE)
The Network for Designing and Engineering Security Technologies, Services and Systems for Users, with Users and by Users
The fundamental questions addressed by this Network are:
- In cloud services and IoT services, how often are usability qualities in conflict with security attributes?
- What are the industry practices for developing, using and managing usable, yet secure services, for example authentication and identity management services?
- What are the measures of the security and usability conflicts?
- How can these practices and measures be captured and disseminated for the benefit of the software development and security management industry and its users in private corporations, public bodies and governmental agencies?
The Internet of Things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, digital software services, sensors, actuators, and network connectivity, which enable these objects to connect and exchange data. The IoT provides a new vehicle for interacting with digital objects and with the huge amount of data being created. An interactive service can be defined as “The capability provided to the consumers and stakeholders to remotely manage and use data available on the IoT. Interactive services feature various user interfaces including Web browsers and smartphones, as well as emerging ones such as wearable and tangible UI”.
It is widely recognized that developing secure cloud services is not enough: they should also be easy to use for their end users, so that users can accomplish their tasks in an effective and appropriate manner (Schneier, 2017). The International Organization for Standardization (ISO) has discussed both security and usability factors at length in its standards. The ISO 25010 standard (ISO, 2011) defines usability as “The degree to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use”. The ISO 27000 standard (ISO/IEC, 2014), by contrast, is specifically dedicated to information security matters. This series defines security as “The degree to which a product or system protects information and data so that persons or other products or systems have the degree of data access appropriate to their types and levels of authorization”. Unfortunately, security and usability goals are often in conflict (Jøsang et al., 2007; Nielsen, 2017), and this conflict has not been considered in the ISO standards. It can be resolved to the mutual benefit of both sides by making the usability and security trade-off as early as possible, for example in the design process (Yee, 2016).
The overall research objective can be stated as follows:
Identify and model the intimate relationships between usability and security characteristics in Web and cloud services, and develop concepts, metrics, patterns, methods and tools, all embedded into an integrative human-centric design framework, to support rich user experience and usability without compromising the security of the overall services system.
Our position is that we should confront the intrinsic conflict between creating, for example, Web and cloud services that are usable and designing underlying systems and cloud computing platforms that are secure. We aim to make usability and security synergistic by providing a new generation of design and engineering tools with specific usability and security principles, measures and heuristics. We will investigate avenues to concurrently increase usability and security by revisiting projects and situations where the interplay between usability and security can be observed. We will also try to align security and usability by promoting policies and design standards. The main focus is on early design phases, so that the security and usability interplay becomes an outcome of the requirements definition and concept design phase.
The network is a capacity-building project aiming to support the design of interactive, Web and cloud service-oriented systems as well as the evaluation of the interrelated usability and security quality attributes. This overall goal can be broken down into the following specific objectives, addressed by the different work packages:
- Setting concrete targets for the user/stakeholder experiences with services,
- Detailing and modeling the related user activities and tasks, services and the usability/security symmetry
- Discovering and documenting design solutions and patterns that mitigate the identified usability/security problem, each pattern recording a proven solution and the different user-service interactions in which the problem occurs
- Providing metrics and tools to assess objectively the level of security and usability as quality factors
- Integrating the four objectives above into an integrative human-centric framework
- Instantiating this framework to different case studies
- Ensuring the standardization and the long term sustainability in industry of the integrative framework as well as the avenues of its integration into industry design methods and tools
- Building a common framework for joint PhD supervision, exchange and program
- Enhancing the existing research infrastructure and tools for security and usability research
The practical measurable consequences of the Network include:
- Develop robust design tools and methods. The security and usability requirements and design (R&D) phase is an important prelude to extracting and gathering the user requirements, especially because R&D defines the problem that the stakeholder is trying to solve, no matter what model of software development process is adopted (e.g., waterfall, iterative, agile, model-driven, service-oriented, etc.). It is broadly held that gathering and agreeing on requirements and design is crucial to the whole development and to any successful project. We aim to develop robust design tools that influence the whole development process and bring security and usability together earlier in that process.
- Provide proven solutions as practical and standardized patterns and measures for the design and evaluation of usable secure services. Even though the HCI and security engineering research communities have gradually built up a good body of work in usable security, most of it consists of general guidelines that are not easy to apply to specific problems. In contrast to general usability design guidelines, which are mostly descriptive and simply specify “nice to have” general design features, this project will develop design patterns enriched with measures, user experiences and task models that together provide proven solutions on how a problem can be solved.
- Establish a solid theoretical ground for characterizing the usability/security symmetry. The research work in this project represents exactly what should be done when following best practices, industry case studies and active involvement of stakeholders in software development. This should start with a robust and well-defined specification of the security/usability symmetry, proven solutions, and task and service models, which are then used as driving artifacts from which the implementation of the service is generated, deployed and tested.
- Find the right trade-off between security and usability as early as possible in the design and engineering lifecycle. Usability problems in secure Web systems can lead to security vulnerabilities which can consequently impact a company's bottom line. One of the difficulties in developing human interfaces to security systems is anticipating the response of users to the huge space of possible system states and design options. Representation of user activities and tasks with related user experience targets will allow the designer to simulate user responses to a diversity of situations and design options.
- Integrate the measures, patterns, models, tools and methods into a human-centric design and engineering framework as well as an open platform for supporting standardization, integration and sustainability. The tools will be available on an open platform for collaboration and open source dissemination. A user club will be developed including the project partners as well as the service development community. The standardization action and the open source platform are the two ingredients for ensuring the sustainability and evolution of the proposed framework.