Usable Security by University of Maryland on Coursera

This post is to record the learning progress of Usable Security on

Week 1

  • Human-Computer Interaction, or HCI is the study of how people
    interact with technology.
  • Make sure that people are not working any harder than necessary.
  • Users, Tasks and Context.
  • And do not forget the evaluation.
  • Tasks are goals users set out to accomplish in a system.


  • Speed.
  • Efficiency.
  • Learnability.
  • Memorability.
  • User Preference.

Mental Models

  • Labels
  • Affordances.
  • Constraints.
  • Mappings.
  • Conventions.

Week 2

  • To have a usable system, you must design it. Software engineers
    will be familiar with a process of identifying system requirements
    and incrementally building a system with intermediate steps of
    evaluation and revision. To create a usable system, the users’
    requirements, tasks, needs, and preferences also need to be
    accounted for and addressed at every step of the process.

Design Methodologies

  • Different design processes help us develop ideas in different
  • Iterative Design.
    • Requirements. Design. Development. Testing.
  • System Centered Design.
  • User Centered Design.
    • Abilities and their needs. Context. Work. Tasks.
  • Participatory Design.
    • Should have access to the pool of representative users. That is
      the END USERS, not their managers or union representatives.
  • Designer Centered Designe.
    • It isn’t the consumers’ job to know what they want.
  • Users can give a lot of valueable information for the degisn.
  • Support degisners coming up with new ideas.
  • Iterate to build better systems.
  • Different interfaces can have major impacts on the security
    behavior of users.
  • What do we want users to do?
  • WHat do they need to understand to do that?
  • How can we make it more natural for users to do the “right” thing?

Quiz for Week 2

  • When designing error messages, which are important factors to keep
    in mind for usability?
  • Which of these are advantages of low-fidelity (e.g. paper)
  • In participatory design and co-design, which of the following is true

Week 3

This week, we begin to look at how to evaluate the usability of
systems. This is a critical component of building usable systems for
security (and more generally). Evaluation allows you to learn exactly
how usable your system is and to identify specific problems with the
usability. Indeed, without proper evaluation, there is no way to know
you have a usable system or to improve it.

  • Security is almost never a task.

A/B Testing

  • Starts with a small percentage of visitors trying the experimental
  • Automatically stop testing if any condition has very bad
  • Let people consistently see the same variation so they do not get
  • Small tweaks in the interface can lead to big differences in user
  • A/B testing allows you to check that by showing different versions
    of the site to people.
  • No explanation, but useful.

Case Study

  • The interface can have measurable impacts on the usability of
    security features.
  • Better interfaces = more secure behavior
  • Mental models: active warnings capture and hold more attention
    than passive ones, and yield better results.
  • Users don’t think the way you do.

Weel 4 Guidelines for Usable Security

  • The more security can be integrated into the normal workflow of
    the user, the more usable the security mechanisms will be.
  • Authority is someone who has the power to access something
    regardless of the permissions.
  • Try to make the natural easiest way also the most secure one.
  • Follow the principle of least privilege.
  • Make the easiest way to compelte a task the most secure.
  • Make sure the user consents to the access they allow.
  • Make it easy to reduce others’ access.
  • Make sure that users know what authority they have granted and
    what the means for security decisions.
  • Make sure users know what authority they hold.
  • Create interfaces that make it clear what agent (software) the
    user is interacting with and providing information to.
  • Enable the user to express safe security policies that fit the
    user’s task.
  • Make it easy for users to control access to their resources.
  • Show a level of detail that’s informative and useful to the user,
    and no more than that.
  • Make it easy to see the difference between objects and actions
    that could be confusing.
  • Automated security controls are good, but not the only solution.
  • Giving users control can be more secure.
  • Assist them in the process.

Week 5 Usable Authentication

Authentication is often the first part of a security system that users
encounter. Typically, systems have relied on passwords for
authentication, and our password rules and requirements have become
more draconian with each passing year. But it turns out they aren’t
really that secure and they are remarkably unusable. This week, we
look at usable authentication - how can we make it easier for users to
access a secure system?

We will look at alternatives to typical password systems and analyze
them for both security and usability. It is not uncommon to hear
critiques of usability experts when authentication comes up, because
security experts often believe that the security of a system is
sacrificed to improve usability. This is not the case, and this week
we will see examples of different types of passwords and alternative
authentication systems that are both usable and secure.

  • Particularly we are talking about, PASSWORDS.
  • Password system would be more secure if passwords were more
    usable, both for human reasons and computational reasons.
  • Two factor authentication: more secure, less efficient(usable).
  • Biometrics are easy and relatively secure.
  • Common on mobile devices.
  • Compare usability.
  • Gesture users enjoy tend to be more secure.
  • Users prefer gestures to password.

Week 6

Privacy really is a type of security. When we talk about security, we
tend to have more absolutes. A person should or should not have access
to a system. Access is authorized or not. Users have permission to
access certain data or they do not. Privacy is a fuzzier
concept. Users may choose to share information with categories of
people they know (though they may not know exactly falls into a
group), and they share it with systems that can be vague about how
that data will be shared. But it can be just as important for a person
to protect their privacy as it is to protect their devices or
files. Indeed, some people would rather have their work computer
hacked than have their personal social media photos shared in ways
they did not intend.

  • Privacy is a kind of security.
  • Privacy policies are boring and hard to read. (POOR USABILITY!!!)
  • Privacy policies are really important.
  • Analyzing usability is done the same way with privacy.
  • Are there better ways to convey the information in pricavy policy.
  • Users understand what data is being collected and shared and they
    consent to how it is used.
  • Disclosure. Comprehension. Voluntariness. Competence. Agreement. Minimal
  • Usable pricavy requires informed consent from users.
  • They must understand how their data is used and agree to it being
    used that way.
  • These six components can help you analyze system for security.
  • Make it clear how information is being shared.
  • Make it easy and natural for users to control privacy.
  • Make the default practice match users’ expectations.

Misses: Which of these is not a guideline for usable privacy? If a
company has collected an American user’s personal data without their
consent, how can the user respond? Which of the following describes
informed consent? A website provides an extensive 50-printed-page
privacy policy written in common language that describes every detail
of how users’ data is collected, used, and shared. Which of the
following is true of informed consent?

Week 7