Stealth Approach to Usable Security: Helping IT Security Managers to Identify Workable Security Solutions

摘要

Recent strides in usability research have produced various solutions to assist computer users during interactions with IT security mechanisms. However, the usability concerns of users within organisations are not considered or simply not apparent to the one individual who can effect change, the IT security manager. Ideally these concerns would resonate with the IT security manager, and here we explore how that can be realised, through the design of a password policy decision-support tool. During two 2-hour sessions, 3 IT security managers discussed with us our mock-up prototypes and a range of potential usage scenarios (e.g. cloud-based password-cracking attacks and hot desking initiatives). We find that the experience of the end-user is currently not appropriately represented within the IT security managers decision-making process, where the financial costs/benefits and business impacts of information security controls are foremost. Our tool design process elicits findings to help develop mechanisms to visualise these tradeoffs.