Usable Privacy and Security is an emerging field that lies at the intersection of human-computer interaction and computer security. The main observation here is that we are facing an increasing number of security failures, not because of problems with encryption algorithms, network protocols, or system implementations (which are all important), but rather due to problems with the user interfaces of computer systems and the people that use those systems.
Examples of such security failures include misconfigured file servers and firewalls, difficult to use software for encryption or ecommerce, lost laptops that contain sensitive corporate information, and social engineering attacks by malicious criminals intended to steal sensitive information.
The design and analysis of secure systems must consider people as an integral part of the system under consideration, rather than a secondary constraint.
However, people have strengths and weaknesses that are considerably different from those of computer systems. Mismatches between what people can actually be expected to do and what the rest of the system assumes they will (and can) do is one of the main causes of security failures.
While the above may seem obvious, the core issue here is how to effectively design systems to do this in practice. It is also an open question as to how much computer systems should try to automate, how we can design better interactions so that people can make better decisions, and how much training end-users should have, if any at all.
I am a faculty member at Carnegie Mellon University's Human-Computer Interaction Institute, studying these issues of usable privacy and security. I am also a co-founder of Wombat Security Technologies, a company commercializing our research in protecting people from online phishing scams. (I will make disclosures clear when there is any potential for conflict of interest.)
In future blog entries, I will be discussing ongoing topics in usable privacy and security, ranging from risks, trends, best practices, and ongoing research. I look forward to engaging with all of you.
— Jason I. Hong, Asst. Prof.
HCI Institute, School of Computer Science, Carnegie Mellon University