Masdar Wireless Businessman, Computer Scientist, Blogger

Usable Security by University of Maryland on Coursera

This post is to record the learning progress of Usable Security on

Week 1

  • Human-Computer Interaction, or HCI is the study of how people interact with technology.
  • Make sure that people are not working any harder than necessary.
  • Users, Tasks and Context.
  • And do not forget the evaluation.
  • Tasks are goals users set out to accomplish in a system.


  • Speed.
  • Efficiency.
  • Learnability.
  • Memorability.
  • User Preference.

Mental Models

  • Labels
  • Affordances.
  • Constraints.
  • Mappings.
  • Conventions.

Week 2

  • To have a usable system, you must design it. Software engineers will be familiar with a process of identifying system requirements and incrementally building a system with intermediate steps of evaluation and revision. To create a usable system, the users’ requirements, tasks, needs, and preferences also need to be accounted for and addressed at every step of the process.

Design Methodologies

  • Different design processes help us develop ideas in different ways.
  • Iterative Design.
    • Requirements. Design. Development. Testing.
  • System Centered Design.
  • User Centered Design.
    • Abilities and their needs. Context. Work. Tasks.
  • Participatory Design.
    • Should have access to the pool of representative users. That is the END USERS, not their managers or union representatives.
  • Designer Centered Designe.
    • It isn’t the consumers’ job to know what they want.
  • Users can give a lot of valueable information for the degisn.
  • Support degisners coming up with new ideas.
  • Iterate to build better systems.
  • Different interfaces can have major impacts on the security behavior of users.
  • What do we want users to do?
  • WHat do they need to understand to do that?
  • How can we make it more natural for users to do the “right” thing?

Quiz for Week 2

  • When designing error messages, which are important factors to keep in mind for usability?
  • Which of these are advantages of low-fidelity (e.g. paper) prototypes
  • In participatory design and co-design, which of the following is true

Week 3

This week, we begin to look at how to evaluate the usability of systems. This is a critical component of building usable systems for security (and more generally). Evaluation allows you to learn exactly how usable your system is and to identify specific problems with the usability. Indeed, without proper evaluation, there is no way to know you have a usable system or to improve it.

  • Security is almost never a task.

A/B Testing

  • Starts with a small percentage of visitors trying the experimental conditions.
  • Automatically stop testing if any condition has very bad performance.
  • Let people consistently see the same variation so they do not get confused.
  • Small tweaks in the interface can lead to big differences in user behavior.
  • A/B testing allows you to check that by showing different versions of the site to people.
  • No explanation, but useful.

Case Study

  • The interface can have measurable impacts on the usability of security features.
  • Better interfaces = more secure behavior
  • Mental models: active warnings capture and hold more attention than passive ones, and yield better results.
  • Users don’t think the way you do.

Weel 4 Guidelines for Usable Security

  • The more security can be integrated into the normal workflow of the user, the more usable the security mechanisms will be.
  • Authority is someone who has the power to access something regardless of the permissions.
  • Try to make the natural easiest way also the most secure one.
  • Follow the principle of least privilege.
  • Make the easiest way to compelte a task the most secure.
  • Make sure the user consents to the access they allow.
  • Make it easy to reduce others’ access.
  • Make sure that users know what authority they have granted and what the means for security decisions.
  • Make sure users know what authority they hold.
  • Create interfaces that make it clear what agent (software) the user is interacting with and providing information to.
  • Enable the user to express safe security policies that fit the user’s task.
  • Make it easy for users to control access to their resources.
  • Show a level of detail that’s informative and useful to the user, and no more than that.
  • Make it easy to see the difference between objects and actions that could be confusing.
  • Automated security controls are good, but not the only solution.
  • Giving users control can be more secure.
  • Assist them in the process.

Week 5 Usable Authentication

Authentication is often the first part of a security system that users encounter. Typically, systems have relied on passwords for authentication, and our password rules and requirements have become more draconian with each passing year. But it turns out they aren’t really that secure and they are remarkably unusable. This week, we look at usable authentication - how can we make it easier for users to access a secure system?

We will look at alternatives to typical password systems and analyze them for both security and usability. It is not uncommon to hear critiques of usability experts when authentication comes up, because security experts often believe that the security of a system is sacrificed to improve usability. This is not the case, and this week we will see examples of different types of passwords and alternative authentication systems that are both usable and secure.

  • Particularly we are talking about, PASSWORDS.
  • Password system would be more secure if passwords were more usable, both for human reasons and computational reasons.
  • Two factor authentication: more secure, less efficient(usable).
  • Biometrics are easy and relatively secure.
  • Common on mobile devices.
  • Compare usability.
  • Gesture users enjoy tend to be more secure.
  • Users prefer gestures to password.

Week 6

Privacy really is a type of security. When we talk about security, we tend to have more absolutes. A person should or should not have access to a system. Access is authorized or not. Users have permission to access certain data or they do not. Privacy is a fuzzier concept. Users may choose to share information with categories of people they know (though they may not know exactly falls into a group), and they share it with systems that can be vague about how that data will be shared. But it can be just as important for a person to protect their privacy as it is to protect their devices or files. Indeed, some people would rather have their work computer hacked than have their personal social media photos shared in ways they did not intend.

  • Privacy is a kind of security.
  • Privacy policies are boring and hard to read. (POOR USABILITY!!!)
  • Privacy policies are really important.
  • Analyzing usability is done the same way with privacy.
  • Are there better ways to convey the information in pricavy policy.
  • Users understand what data is being collected and shared and they consent to how it is used.
  • Disclosure. Comprehension. Voluntariness. Competence. Agreement. Minimal Distraction.
  • Usable pricavy requires informed consent from users.
  • They must understand how their data is used and agree to it being used that way.
  • These six components can help you analyze system for security.
  • Make it clear how information is being shared.
  • Make it easy and natural for users to control privacy.
  • Make the default practice match users’ expectations.

Misses: Which of these is not a guideline for usable privacy? If a company has collected an American user’s personal data without their consent, how can the user respond? Which of the following describes informed consent? A website provides an extensive 50-printed-page privacy policy written in common language that describes every detail of how users’ data is collected, used, and shared. Which of the following is true of informed consent?

Week 7