Usable Security Principles for Developers and their End-Users
If you don't care about the security of your end-users, who will?
8 Lightweight Usable Security Principles for Developers
#1 Bake it in
Try to integrate security so that your users don't have to interact with or put effort into it.
#2 Don't maximise security at the cost of usability
The best security is of no use if people do not use it.
#3 Offer more security to those who want it
Enable power-users without burdening everyone else.
#4 Protect the needs of the many with the expertise of the few
Enabling experts to detect attacks might be able to deter attacks in general.
#5 Make the language simpler than you think necessary
Many words and concepts that are well known to you are not well understood by your end-users.
#6 Use personal examples
It makes otherwise abstract concepts much more tangible
#7 Be mindful when delegating decisions to your user
If it's too hard for you to automate, it's probably too hard to decide for many of your users.
#8 Gather users' mental models and build your system to address their misconception
Talk to your users about their understanding of a system or concept; you'll be surprised.
Article
P. L. Gorski, L. Lo Iacono, M. Smith: Eight Lightweight Usable Security Principles for
Developers.
IEEE Security & Privacy Magazin, pp. 2-8, 2022.
Abstract
We propose eight usable security principles that provide software developers with a lightweight framework to help them integrate security in a user-friendly way. These principles should help developers who must weigh usability and security tradeoffs to facilitate adoption.
BibTeX
@ARTICLE{9915009,
author={Gorski, Peter Leo and Lo Iacono, Luigi and Smith, Matthew},
journal={IEEE Security & Privacy},
title={Eight Lightweight Usable Security Principles for Developers},
year={2022},
volume={},
number={},
pages={2-8},
doi={10.1109/MSEC.2022.3205484}}
Principles aggregate the experience of experts into guiding rules of thumb.
They have proven helpful in many different domains, e.g. software engineering, security and
usability.
Principles can guide the design and contribute to an implementation with fewer flaws.
"Principles should be common sense and serve best as warnings. If any part of a design violates a principle, that violation is a symptom of a potential problem, and the design should be carefully reviewed to ensure that the problem has been corrected or is unimportant."
(Saltzer & Schröder, 1975)
Usable Security Principles guide you in developing security that works for your end users. There are major challenges in designing and integrating security measures into software systems so that they are used correctly - or at all - by the target user group. The field of usable security has offered many important insights into how security features can be aligned with users' needs, abilities and expectations. To fascilitate the transition of these findings into practice, usable security principles are a proven means. This site collects the available usable security principles.
Other Published Usable Security Principles
There are other sources that list usable security principles published in literature. In future work, we will challenge them with ours in order to have a workable list of handy principles for developers. We are happy to collaborate on this.
We hope you find the resources useful. If you have any feedback or questions, we'd be happy to hear from you. If you have a principle to add, please contribute it on our GitHub.
Usable security principles are licensed under a Creative Commons Attribution license.
Contribute on GitHub.
