
Human-Computer Interaction And Security

Christiana Agathonos Department of Computer Science

University of Birmingham Birmingham, United Kingdom [email protected]

Abstract— Usability, as the major element of Human-Computer Interaction, can be described in terms of a system's efficiency, its effectiveness, the satisfaction of the user and its memorability. Nowadays, security is a part of our lives in many different ways. We are concerned about our personal safety as well as about our personal data, especially when technology is involved. The usability of a secure system is a major concern, and later in this paper I will discuss why the two seem, most of the time, to be at odds. This study is a literature review of security and HCI (HCISec): how security coexists with HCI and the ways in which we can make a secure system as usable as it can be. However, security does not concern only software systems but also events of our everyday lives that require privacy and safety. This study therefore also reviews the literature on such events, like money withdrawals from ATM machines and security alerts in our houses.

I. INTRODUCTION

Human–computer interaction (HCI) researches the design and use of computer technology, focusing on the interfaces between people (the end users) and computers. Research in HCI observes the ways in which humans interact with computers and designs technologies that allow humans to interact with computers in new ways. As a field of research, HCI sits at the intersection of computer science, behavioural sciences, design, media studies and several other fields of study. A computer has many uses, and in this case its use is a dialogue between the user and the computer. Humans interact with computers in many ways, and the interface between humans and the computers they use is crucial to achieving that interaction. “Desktop applications, internet browsers, and so on, make use of the graphical user interfaces (GUI), voice user interfaces (VUI) which are used for speech recognition, and the emerging multi-modal and gestalt User Interfaces (GUI) which allow humans to engage with embodied character agents in a way that cannot be achieved with other interface paradigms” [1]. The growth of the Human-Computer Interaction field has also involved security in many different ways. HCI researchers identified the need to improve the usability of secure systems, and this is the main reason HCISec began. It led the research community to examine the design and implementation of existing secure systems. HCISec is the study of the interaction between humans and computers in relation to information security. Its aim is to improve the usability of security features in end-user applications. HCISec is, by comparison, a newer field of study. Internet security has become an area of broad public concern, and combined with usability the two seem to be at odds. “It is a view of some that improving one affects the other in a negative way” [2]. As usability increases, security decreases. When a system is usable and suitable for people to handle (high usability), its security seems to be very low. Security and usability are in conflict for many reasons. According to Yee (in User Interaction Design for Secure Systems) [5], system developers treat security, like usability, as an extra added to a finished system. The needs of the system owners seem to be opposed to the users' needs. However, considering each one's aims, we can assume that improving one may result in improving the other. Security aims to prevent actions that are undesirable for a system, while usability's goal is to make desired actions easier for users. A system with high usability minimises the errors that users make unintentionally, whereas a highly secure system prevents or minimises undesirable actions from happening.

Figure 1: Usability vs Security. Source: https://www.google.co.uk/search?q=usability+vs+security&client=safari&rls=en&biw=1182&bih=655&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjbyvvsiqrLAhVLVRQKHQFcAN4Q_AUIBygB

According to Balfanz et al. [11], there is unfortunately not enough work regarding the usability of secure systems. Because of the poor design of secure systems, users come up with different ways of interacting with a system, or even avoid doing so. As a result, the need to design usable secure systems has grown rapidly, and there have been many “usability studies conducted on authentication systems, email encryptions, security tools and secure device pairing. These studies included some HCI methodologies and procedures which were invented for evaluating the usability of software systems in general” [2]. However, evaluating secure software systems is different from, and more difficult than, evaluating ordinary ones. This kind of evaluation requires procedures that are not included in the standard HCI procedures.

II. SECURITY AND USABILITY

The HCI procedures for usability evaluation include techniques for improving the effectiveness, the efficiency and the satisfaction of a user. Unfortunately, they do not include ways to limit the threats and vulnerabilities that may occur in a system. Researchers from Oxford University proposed a “security and usability threat model” which defines the components relevant to the security and usability of secure systems. Together with the model, they also proposed a procedure for evaluating these components. According to the ISO (International Organization for Standardization), usability is “the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use” [2]. Effectiveness is described in terms of whether users achieve their goals, efficiency as the minimum amount of time a goal needs in order to be achieved, and satisfaction as how satisfied a user is with a system in a specific context. Generally, usability is composed of effectiveness, efficiency, satisfaction, learnability and memorability, and the evaluation of the usability of a system must centre on one or more of these factors. Security is a term that is mostly explained in terms of attackers. Attackers are usually defined as malicious parties with bad intentions. However, this ignores the fact that a legitimate, authorised user can also harm the system without any malicious intention. To develop the security-usability threat model, the researchers studied the HCISec usability analyses and pointed out the major factors that can be used for measuring usability and security.

The six factors were:

1. Authentication: There are different kinds of authentication mechanisms, ranging from the old traditional ways, like text passwords, to grid-entry passwords and image authentication. The data measured for authentication are memorability (or cognition) and efficiency [2].

2. Encryption: This part focuses on secure email. The studies are about how users understand the ways of sending a secure email. Understanding the mechanisms leads to the proper execution of email encryption [2].

3. PKI (Public Key Infrastructure): This part focuses on whether users can identify a secure website. Browsers apply indicators (padlocks, coloured address bars, symbols and logos) which can inform the user whether or not a website is secure [2].

4. Device Pairing: Device pairing is measured in terms of efficiency, effectiveness and security failures [2].

5. Security Tools: Security tools are software systems whose purpose is to help users stay secure, such as firewalls, password managers and privacy management tools. This part focuses on users and their knowledge of using these tools. Whether the users achieved their goals, and whether they think the system also achieved its purpose, are the measurements considered for usability [2].

6. Secure Systems: Systems that make sure that the user achieved his goal and that do not involve many security concepts (e.g. P2P software) [2].

“Some of the usability factors cause users to behave insecurely, and some of the security factors obviously impair performance” [2]. Studies of the usability of secure systems concentrate mostly on usability elements. However, a correct evaluation should also concentrate on security and on the elements that have an impact on it.

A. Security-Usability threat model

Standard security threat models target attackers with malicious intentions who may not even be legitimate users. In HCISec, the security threat model should differ from the standard one: HCISec focuses mostly on legitimate users who make mistakes and may therefore harm the system unintentionally. This is how Oxford University's researchers designed the Security-Usability threat model. The model in Figure 2 describes all the crucial factors that an evaluation of usability and security needs to investigate. It includes factors regarding usability, factors regarding security, and those related to both. These factors concern the non-malicious user, the legitimate one who has no intention of breaking the system.

Figure 2: Security-usability threat model. Source: “Security and Usability: Analysis and Evaluation” [2].

Usability:

1. Effectiveness: If a user manages to achieve his goals, then the system can be described as useful. Effectiveness is calculated according to whether or not the user is able to complete a task [2].

2. Satisfaction: A system may be usable in principle, but when it comes to users they may find it unusable. If a system is not accessible to users it will probably fail as a system and no longer be considered usable. User satisfaction can be examined by interviews and rating scales [2].

3. Accuracy: Accuracy was identified in authentication and device pairing studies. Most of the time, authentication systems require passwords to be entered with 100% accuracy, while device pairing requires 100% accuracy only when a user is entering or comparing short strings [2].

4. Efficiency: The user must achieve his goal within a certain amount of time and effort. The time required to complete a task, as well as the number of clicks, are the components for measuring efficiency [2].

5. Memorability: Users are sometimes forced to memorise secrets that they must remember in order to be authenticated by a system. As a result, users have memorability problems, face many difficulties with authentication across different systems, and in the end have to reset those secrets [2].

6. Knowledge/Skill: This element discusses learnability, the ease of learning to handle a system. However, the researchers found that people care about learning the parts of a system that they believe are useful for their actions and needs, and most of the time they put aside the security tasks which they find less important [2].

Security:

1. Attention: Many distractions may occur during the process, and users can easily shift their attention away from their task [2].

2. Vigilance: In secure systems, people tend to believe that users are vigilant in evaluating the security conditions of a system. Studies have shown that even people who understand a secure system are not always alert [2].

3. Motivation: Users understand security in different ways depending on the situation. Studies showed that users preferred long passwords for financial accounts because they realise how important security is in these circumstances [2].

4. Memorability: Users are sometimes forced to memorise secrets that they must remember in order to be authenticated by a system, and these secrets must not be easy for someone else to guess. As the secrets grow in number, it becomes more difficult to remember the particular secret for a particular system. This happens very often, especially when the user does not use the system frequently. As a result, in order to remember all the secrets, users write them down. This is not a secure way of remembering secrets, since the piece of paper may fall into the hands of users with malicious intentions [2].

5. Knowledge/Skill: The ability to distinguish a secure system is a major skill for a user. In many situations users do not have the knowledge to understand whether a website is secure or not, and they enter sensitive information anyway. For the evaluation one can ask: who are the users? What do they know about the system? And what should they know? [2].

6. Social Context: People often share their private data with others, and private data may include security secrets. The most common example is users sharing their secrets (e.g. passwords) because they are afraid that they will forget them and want the other person to remind them. They also share passwords for many other social reasons, or when they are working on a project and want someone else to submit it for them. For the evaluation it is important to analyse how security is affected by the social context [2].

7. Conditioning: “Repetitive security tasks for which users can predict an outcome can become a threat to the security of a system” [2]. In other words, many pop-up windows may appear on the screen; clicking a button makes them disappear and lets the user continue his task, but what are the effects of clicking that button?

B. Measurable metrics

Table 1: Measurable Metrics. Source: “Security and Usability: Analysis and Evaluation” [2].

C. Security-Usability Analysis of Secure Systems

The Oxford University team used usage scenarios and threat scenarios to analyse the security and usability of a system. They defined the usage scenarios as desirable activities of a secure system and the threat scenarios as unwanted activities that should be prohibited by the system. The idea of usage scenarios in HCISec is that they should be approachable for the user without presenting any difficulties, while threat scenarios represent undesired activities by which a non-malicious user could break the secure system. The usage scenarios were defined as “specific tasks” performed by a normal user to accomplish some goals. Performance data from all the usability elements in the threat model are required to evaluate these scenarios; they are considered usable once they meet all the criteria. The threat scenarios were defined as the mistakes that a legitimate user makes in a secure system. The purpose of these scenarios is to measure how legitimate users can make these mistakes without realising it, and how easy it was for them to fall into the trap.

Figure 3: Process for security-usability analyses. Source: “Security and Usability: Analysis and Evaluation” [2].

Difficult-of-use usage scenarios: The usability of usage scenarios is serious, and the main goal is to let users perform their tasks with the minimum effort. This is important to consider, and the team identified the elements that make a system difficult to use so that they could be eliminated or minimised. Difficult-of-use usage scenarios can be evaluated by experiments, interviews, etc., and each one of them should be assessed against effectiveness, satisfaction, accuracy, efficiency, memorability, and the knowledge/skill of users (the usability factors in the threat model) [2].

Ease-of-use threat scenarios: These scenarios are more difficult to achieve, since it is improbable that legitimate users will perform them. On the other hand, if usage scenarios are difficult to accomplish, it is likely that users may begin threatening the system without intending to. The team used an example that is worth mentioning: “For example, an evaluation of an authentication system may consider how difficult it is for users to memorise secrets (usage scenario), which may force users to write them down (threat scenario), while an evaluation of a P2P system may consider how easy it is for users to share files they do not intend to share” [2].

D. Conclusions

In conclusion, the team arrived at some recommendations: the usage scenarios must be accessible for the users and the threat scenarios harder to bring about. They also concluded that a system may look usable, but when it comes to actual use it may prove not to be, due to external factors.

As for the combination of usability and security, it is pointless for someone to believe that they can reach the maximum level of both for all secure systems. There will always be a “trade-off” between them, so the main goal is to reduce the likelihood of threat scenarios and maximise the availability of usage scenarios [2].

III. PASSWORDS AND INTERFACES

Strong passwords require capital and lowercase letters, digits and special characters. Constructing a strong password on a PC keyboard is easier than on a mobile device: changing a lowercase letter to a capital, or inserting a digit or a special character, is much easier on a PC keyboard than on a mobile device [3]. These facts suggest that someone using a mobile handset to construct passwords will end up with weaker passwords than those constructed by a computer user. This motivated researchers from the University of Texas to conduct an experiment examining how the creation of a strong password is affected by using a mobile phone. Their goal was to study how password strength differs with the kind of interface on which the passwords were constructed (keyboard or keypad layouts). They also aimed to observe how users reacted when given a more usable interface for typing passwords with digits and special characters on a mobile handset. In the experiment [3], users were asked to construct passwords using a computer and a mobile device with different input layouts. At the end of the experiment they concluded that users who used a computer keyboard created stronger passwords than those who used a touchscreen keypad. They also discovered that when users created passwords using a mobile device with a physical keyboard, the passwords were stronger than those created on a computer keyboard. For the purposes of the experiment, the University team designed and created a new custom layout as an alternative keypad for mobile devices. This layout aimed to offer a more convenient way of typing on a touchscreen and to be more usable for the participants. As a result, the custom layout motivated users to create stronger passwords when using a mobile phone. It was also shown that if you present users with a more convenient way of typing digits and special characters, they will use it effectively and create stronger passwords.

A. Experiment I

They conducted a between-group experiment with 72 participants (university students), of whom 45 were female and 27 male. For the experiment they used an Android phone with a slide-out physical keyboard and a QWERTY touchscreen keypad. The phone also contained the custom layout that the team designed and implemented. This new layout consisted of two extra rows of characters: the first row contained the ten digits (0-9) and the second the 10 most common special characters found on a regular computer keyboard [3]. Participants were asked to create passwords for two different banking websites (chase.com and wellsfargo.com), and each participant used one interface only. There were four interface groups, and each participant was assigned to one at random. The four groups were: 1. computer keyboard, 2. mobile phone with physical keyboard, 3. mobile phone with touchscreen keyboard, 4. mobile phone with the custom layout. The reason they chose the creation of banking accounts was that users were aware that such passwords should be strong, containing capital letters, digits and special characters.

B. Results

They calculated the mean entropy of the passwords for each interface using H = L · log2 N, where L is the password length and N the size of the character set it is drawn from. Furthermore, they conducted a one-way ANOVA test to examine the differences between the means for the four interfaces. The result was that the entropy of passwords differed significantly between the four interfaces. In conclusion, according to the results, the physical group (mobile phone with physical keyboard) created stronger passwords than the keyboard group (computer keyboard), and the custom group (mobile phone with the custom layout) created stronger passwords than the touchscreen group (mobile phone with touchscreen keyboard).
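The entropy metric and the group comparison described above, worked through in code. This is an added example, not code from the paper or from the University of Texas team: the sample passwords are constructed, and the character-pool sizes (printable ASCII classes) and the textbook one-way ANOVA are assumptions, since the paper does not state which pool sizes it used.

```python
"""Password entropy per input interface, H = L * log2(N).

Added example (not the paper's or the University of Texas team's code).
The sample passwords are constructed for illustration; the pool sizes and
the ANOVA are standard textbook choices, assumed here."""
import math
import string
from statistics import mean

# Character classes and their pool sizes (assumption: printable ASCII).
CLASSES = (
    ("lower", frozenset(string.ascii_lowercase)),    # 26
    ("upper", frozenset(string.ascii_uppercase)),    # 26
    ("digit", frozenset(string.digits)),             # 10
    ("special", frozenset(string.punctuation)),      # 32
)


def alphabet_size(password: str) -> int:
    """N: the sum of the pool sizes of every character class the password uses."""
    used = set(password)
    known = set().union(*(chars for _, chars in CLASSES))
    if used - known:
        raise ValueError(f"characters outside the known pools: {used - known!r}")
    return sum(len(chars) for _, chars in CLASSES if used & chars)


def entropy_bits(password: str) -> float:
    """H = L * log2(N), the metric the experiment uses to compare interfaces."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


# Constructed sample passwords for the four interface groups of Experiment I
# (illustrative only; not the study's data).
SAMPLE = {
    "keyboard":    ["Summer2016!", "bankLogin9", "Tr0ub4dor&3", "wellsfargo1"],
    "physical":    ["Ch@se#Acct2016", "My$ecret!Pass9", "Fargo&Wells#42", "B4nk1ng!Rul3z"],
    "touchscreen": ["password1", "chase2016", "mybank", "wellsfargo"],
    "custom":      ["Chase$2016!", "bank#Pin42?", "Wells@Fargo7", "Acct!9876&"],
}


def mean_entropy(groups: dict) -> dict:
    """Mean H per interface group, the quantity the paper reports."""
    return {name: mean(entropy_bits(p) for p in pws) for name, pws in groups.items()}


def one_way_anova_f(groups: dict) -> float:
    """F statistic of a one-way ANOVA over the per-password entropies.

    F = (SS_between / (k - 1)) / (SS_within / (n - k)); a large F means the
    interface explains far more of the variance than the spread within a group.
    """
    samples = [[entropy_bits(p) for p in pws] for pws in groups.values()]
    all_values = [v for s in samples for v in s]
    k, n = len(samples), len(all_values)
    grand = mean(all_values)
    ss_between = sum(len(s) * (mean(s) - grand) ** 2 for s in samples)
    ss_within = sum((v - mean(s)) ** 2 for s in samples for v in s)
    if ss_within == 0:
        return math.inf  # every group is internally identical
    return (ss_between / (k - 1)) / (ss_within / (n - k))


if __name__ == "__main__":
    for name, h in mean_entropy(SAMPLE).items():
        print(f"{name:12s} mean H = {h:6.2f} bits")
    print(f"one-way ANOVA F = {one_way_anova_f(SAMPLE):.2f}")
```

Note that H only rewards length and class coverage: a password built from a dictionary word plus a digit scores the same as a random string of the same shape, which is why the paper treats entropy as a comparison between interfaces rather than an absolute strength guarantee.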

Figure 4: Custom layout with two extra rows of keys for digits and special characters. Source: “Passwords and Interfaces: Towards Creating Stronger Passwords by Using Mobile Phone Handsets” [3].

C. Experiment II

A second experiment was conducted to compare the standard touchscreen against the custom touchscreen, and the standard touchscreen against the physical keyboard.

D. Results

They used a paired t-test to compare the entropy values for the standard touchscreen and the custom touchscreen. The entropy values were significantly higher for the custom touchscreen than for the standard one. They also used a paired t-test to compare the entropy values for the standard touchscreen and the physical keyboard; the results showed no significant difference between the two. In conclusion, using the custom layout, users created stronger passwords than with the standard layout, while there was no difference in password strength between the standard touchscreen and the physical keyboard. This was due to an artifact of the design methodology between the two experiments. To conclude, their results showed that “users construct stronger passwords on interfaces that make them relatively more engaged in their password construction activity” [3].

IV. THE “WEAKEST LINK”

Users and their behaviour tend to cause many failures in the security of a system. The security research community refers to users as “the weakest link in the security chain”. The designers of security systems must address the problems caused by users and understand why this happens. “Undesirable user behaviour” should motivate designers to build more effective and efficient security systems [6].

This research study presents examples of how people cause undesired actions: for example, people fail to recognise objects, they fail to perform unreachable and complex tasks, and there is an absence of support, of motivation and, above all, of knowledge and training. Finally, the authors arrived at the theory that HCI can limit these problems or even prevent them, and they proposed a “holistic design approach” in order to have “usable and effective security” [6].

A. Undesired Human behaviour

The need for computer security has increased dramatically, and organisations are considered to be in need of it since they are vulnerable. Many of them report a lot of security issues, and in most cases the human factor is the main cause. The world's most famous hacker, Kevin Mitnick, testified that he had retrieved more passwords by tricking users than by cracking [7]. Now he is a “security evangelist”, and in one of his statements he pointed out that “... the human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain” [7]. The authors concluded that instead of spending large amounts of money and so much effort on building more complex software, organisations should focus on the user and his behaviour, since the former solution is not efficient.

The best-known examples of how users perform undesired actions regarding passwords are:

1. Ambushing: The case where the system asks the user to change his password because it has expired, or else it will log him out. Under this pressure, the user chooses a password that may be familiar to others, so that if they want access to the user's personal account they will succeed. This is the kind of secure system that “ambushes” [6] users. As a result, users cannot create new strong passwords, especially ones that they have to memorise.

2. Conflicting goals: The case where a user must keep a number of different strong passwords, e.g. 6, for accessing different systems, and is also required to change them every month. The user may not be able to recall a password and then cannot use the system. In the end, the user is forced to write down the passwords and keep the paper in a place where anyone who observes the office can find it. This is a very difficult memory task, and after the user fails to complete his work tasks, he is left with two conflicting goals and finally leaves security out of his primary tasks [6].

3. Requested disclosure: The case where a company's IT support has not installed all the required programs and often has to call the employees and ask them for their passwords. If a hacker calls the employees, they are not in a position to recognise whether the call is genuine, and they give their passwords without fear since this happens on a regular basis.

B. Passwords - Security Mechanism

Security most of the time ignores the usability problems that may occur. “A human/computer interaction (HCI) design approach takes into account that users and technology work together completing a task (in order to achieve a goal) in a physical and social context” [6]. So how can HCI address the problems involved in security design, issues like the technology, the user, goals and tasks, and context? This study focuses on examples from their research for one security mechanism, passwords.

The most common security mechanism for user authentication is a two-step procedure that combines identification and authentication. An example is our banking accounts, where we use cards and PINs; in other words, a combination of a username/user id and a password. First, the user is given a user id and asked to create a password, which must be kept secret and not written down. Second, to gain access to the system, the user must enter the user id and the password, and if they match those stored on the computer he is given access.

The password mechanism is a well-known authentication system and very familiar to users. However, it has usability issues. Password mechanisms are implemented on a per-system basis, which means that users need to log in to each of their secure systems individually. Also, nowadays users use many systems and therefore have to remember many passwords, which must be strong (a combination of letters, numbers and special characters), must differ for each system, and must be changed regularly after a short period of time. Besides the need for different passwords, each system requires a different kind of password and user id: they differ in length, in the number of capital letters, and in the number of digits or special characters. All these factors cause memorability issues for users and therefore affect the usability of the system.

C. Conclusions

Many problems are caused by the ways in which password mechanisms are implemented. In this study they propose some alternative methods of developing a password mechanism and methods for logging into systems.

1. Single sign-on: Instead of building a password security mechanism on a per-system basis, SSO can be used [6]. SSO is a technical solution which helps to minimise the number of passwords, the need to memorise a lot of complicated strings and also the total amount of time users spend on logins [8].

2. Reducing forced changes: Changing the existing password policies would make it easier to manage strong passwords. The number of passwords that each user must keep will decrease if password changes are not forced and the use of the same password for many systems is authorised. Passwords that are memorised are easier to protect than those that are written down.

3. Alternative ways of authentication: There are other kinds of authentication that can be used instead of the two-step password procedure, such as recall schemes, cognitive passwords, associative passwords, passfaces and object recognition. These techniques can be used for infrequently used systems.

4. Password management: Techniques that help users create and design strong passwords; these must be available to the users whenever they need them.

V. IMPROVING USER AUTHENTICATION ON MOBILE DEVICES: A TOUCHSCREEN GRAPHICAL PASSWORD

This chapter concerns a similar investigation to the previous discussion. Researchers from Carleton University studied mobile devices and their input methods via their touchscreens. The size of the screen makes typing less efficient and not very usable, especially when authentication is involved. They focused on the question: “Given the physical constraints of mobile devices, is there an alternative type of authentication that can be easily deployed, improve usability, and maintain security?” [4]. One answer to this question is to use graphical passwords instead of text passwords. Graphical passwords have the same purpose as text passwords but differ in that they consist of handwritten designs (drawings), or of displayed icons or images. For the purposes of their study, they designed and developed a new graphical password scheme called Touchscreen Multi-layered Drawing (TMD). This new scheme is specialised for touchscreens, is more usable, is memorable (no need to memorise images) and provides more security than other graphical passwords. In order to create this new scheme they had to study the existing graphical password schemes, find their weaknesses and try to address the usability and security issues they may have. For this reason, they conducted an “exploratory user study” of three existing graphical password schemes used on smartphones and tablets. Graphical passwords are categorised into three classes: recall, recognition and cued-recall [4].

• Recall schemes: drawing sequences in formations. For example, a popular recall scheme is Draw A Secret [4].

• Recognition schemes: recognise items that you have memorised before. For example, Passfaces [4].

• Cued-Recall schemes: select points on an object that you have previously chosen. For example, Persuasive Cued Click-Points [4].

Like all authentication systems, graphical passwords are vulnerable to “guessing attacks”. One common attack is “shoulder surfing”, in which the attacker observes the user directly while the authentication scheme is being used, or records the user with a video device [4].

Figure 5: (a) DAS, (b) Object Recognition, (c) PCCP. Interfaces for the graphical password schemes used in the exploratory study. Source: “Improving user authentication on mobile devices: A touchscreen Graphical Password” [4].

A. Exploratory design

They started the experiment by choosing one existing scheme from every category. To test whether the screen size affects usability they used an iPod and an iPad. 31 participants took part in the experiment, mostly students from the university campus. More than half of the participants owned a mobile device and 50% of them had already used a graphical password before. They used a “mixed design”. Each participant interacted with the device for one hour and the type of device was randomly assigned. Both groups (iPod/iPad) assessed all three schemes. For each scheme, the participants were asked to create a password, confirm it, answer a questionnaire, log in and answer a final questionnaire.

B. Results

The study was mainly about usability and the choices of the users. The main target was to discover whether the screen size has any effect on performance. The measures were the differences in creation time, login time, login success rate and password length for every scheme on both devices [4]. An ANOVA test was used to determine whether there were differences and t-tests to determine where the differences were. The results showed that the screen size did not affect the creation time, but they found that users created passwords faster with DAS (Draw A Secret) than with the other schemes. Furthermore, results showed that longer DAS passwords were created on a tablet than on a mobile device, probably due to the smaller screen size of the mobile device. Screen size also had no effect on Object Recognition. In conclusion, screen size affected only users of the DAS scheme. Tablet users found it easy to use compared to mobile users.

C. TMD scheme

As part of the design of the new scheme, the researchers had to find the weaknesses of the existing schemes in order to create a stronger one. The main weakness was found to be accuracy. The TMD had to include all the positive components of the other schemes and larger target areas, while avoiding asking the users to memorise images or forcing them to remember more unfamiliar images [4].

Figure 6: TMD Interface. Source: “Improving user authentication on mobile devices: A touchscreen Graphical Password” [4].

The TMD was designed to consist of three types of “cells”: Unselected, Selected and Warp cells [4]. The points at the boundaries have no connection, to reduce the “fuzzy boundary problem”, and there are signs to guide the user on which directions can be followed. Every chosen cell changes its colour to show the user which cells are already selected. To create the password, the user selects any unchosen cell as a start and then drags a finger across unselected cells to create a sequence. Once the user lifts the finger, the end of the sequence is indicated and the password is complete. Users can pass over already selected cells to reach more cells and complete the sequence, although this path is not recorded.

Figure 7: The scheme displays the next layer and the user may continue the password on any of the 3 indicated cells. Source: “Improving user authentication on mobile devices: A touchscreen Graphical Password” [4].
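The cell rules described above and the layer change of Figure 7, as an added Python model; this is not the Carleton University implementation, and the grid size, the mapping from a warp cell to the entry cells of the next layer, and the rule that a drag only moves between neighbouring cells are assumptions made for the example:

```python
"""Model of TMD-style password capture. Added illustration, not the Carleton
University code; grid size, warp entry cells and adjacency rule are assumed."""
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Layer:
    rows: int
    cols: int
    # Warp cells: entering one records it, shows the next layer and limits the
    # next touch to the indicated entry cells there (assumed reading of Fig. 7).
    warps: dict = field(default_factory=dict)   # (row, col) -> {(row, col), ...}


@dataclass
class TMDRecorder:
    layers: list
    layer: int = 0
    selected: set = field(default_factory=set)  # cells already in the password
    password: list = field(default_factory=list)
    entry_cells: Optional[set] = None           # allowed touches right after a warp
    last: Optional[tuple] = None                # last touched (row, col) on this layer
    finished: bool = False

    def touch(self, r, c):
        """One drag sample at (r, c). True when the cell is appended to the
        password, False when the touch is ignored (outside the grid, not adjacent,
        not an entry cell, or a cell that is already selected)."""
        grid = self.layers[self.layer]
        if self.finished or not (0 <= r < grid.rows and 0 <= c < grid.cols):
            return False
        if self.entry_cells is not None:
            if (r, c) not in self.entry_cells:
                return False
            self.entry_cells = None
        elif self.last is not None and max(abs(r - self.last[0]), abs(c - self.last[1])) > 1:
            return False        # a finger drag only moves to a neighbouring cell
        self.last = (r, c)
        cell = (self.layer, r, c)
        if cell in self.selected:
            return False        # crossing a chosen cell to reach others is not recorded
        self.selected.add(cell)
        self.password.append(cell)
        warp = grid.warps.get((r, c))
        if warp is not None and self.layer + 1 < len(self.layers):
            self.layer += 1     # next layer is displayed; continue on an entry cell
            self.entry_cells = set(warp)
            self.last = None
        return True

    def lift(self):
        """Lifting the finger ends the drawing and yields the password."""
        self.finished = True
        return tuple(self.password)


def encode(password):
    return ";".join(f"{lay}:{r},{c}" for lay, r, c in password).encode()


def matches(stored, attempt):
    """Server-side check of an attempt against the stored sequence, in constant time."""
    return hmac.compare_digest(encode(stored), encode(attempt))


if __name__ == "__main__":
    rec = TMDRecorder([Layer(3, 3, {(2, 2): {(0, 0), (0, 1), (1, 0)}}), Layer(3, 3)])
    for step in [(0, 0), (0, 1), (1, 1), (0, 0), (1, 0), (2, 1), (2, 2), (0, 1), (0, 2)]:
        rec.touch(*step)
    print(rec.lift())   # 8 recorded cells; the re-crossed (0, 0) is not among them
```

In a real deployment the encoded sequence would be salted and hashed before storage; comparing the raw sequence here only keeps the example short.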

D. User study for TMD

A user study was conducted to evaluate the usability of the TMD scheme for mobile devices. A comparison with a similar scheme was necessary in order to reach the desired results, and DAS was selected since it is one of the best known recall graphical passwords in use.

The study was a between-subjects design with 90 participants. The participants were randomly split into four groups according to the scheme and the device: TMD on mobile phone, TMD on tablet, DAS on mobile phone and DAS on tablet. It is noteworthy that this study used the same devices as the exploratory study. There were two sessions with 5-10 days between them. At the first session, the participants were asked to create a new password that should be secure and memorable. After the period of 5-10 days, at the second session the participants were asked to use their password to log in. The system was designed to give users three chances to enter the correct password.

E. Results

They conducted a two-way ANOVA test to evaluate the scheme according to creation time, length and depth of the password, login time and success rate. The results showed that all users in all groups were able to create passwords in only one minute. They also showed that there was no difference in the length of the passwords between the two schemes and devices. The login success rate for TMD was 95% within the first 3 attempts, whereas the login success rate for DAS was 71%. Furthermore, using TMD on a tablet resulted in a higher first-attempt login success rate than DAS, whereas no difference was found between the two schemes on the phone.

Table 2: Session 2 login success rate (percentage). Source: “Improving user authentication on mobile devices: A touchscreen Graphical Password” [4].

F. Conclusion

As we know, a password is secure when it is memorable, with no need to reuse it in other systems or to write it down. TMD helped users remember their passwords because of the changing colour of the cells and because they did not have to enter text passwords. Users with no previous experience of a similar scheme, along with more experienced users, were able to remember the password even after a week.

The warp cells, the multiple layers and the design of the TMD made it successful and usable.

All users understood how the layers worked, how to create their passwords and how to use the scheme. In addition, TMD encouraged users to think of longer passwords and thus to strengthen the security of their passwords. The large cells reduced the problem of accuracy and the space between the cells reduced the “fuzzy boundaries problem”. For some of the measures TMD performed better than DAS, while on the remaining measures TMD performed as well as DAS.

VI. SECURITY IN OUR EVERY DAY LIVES

Security is not only associated with computer and internet systems. Personal security is considered one of the most important factors in our lives. Keeping our loved ones, our houses, our properties and our money safe is something that comes first in our minds. In almost all countries, communities and police have to deal with crime. In some of them crime is at high levels and many houses are threatened by burglars. Attackers can also be a threat to our personal belongings and safety. The latest statistics from the Crime Survey for England and Wales (CSEW) showed that there were approximately 6.8 million incidents against households in the past year [9].

A. Burglar alarms

The most common solution for peace of mind regarding our safety is to have an alarm in our houses. This is an additional level of protection no matter how many locks the house has. A company named “Yale” [10] offers a range of alarms that are suitable for every house and usable by everyone.

An Easy Fit alarm has a touchscreen panel from which you can control all the functions you need, and also the option to be alerted by telephone if the alarm is triggered. It can store three telephone numbers and call them in any sequence the user wants. The most useful feature, though, is that the user can activate and deactivate the alarm using a telephone [10].

Figure 8: Remote control. Source: http://www.yale.co.uk/en/yale/couk/productsdb/alarms/-easy-fit-alarm--accessories/Easy-Fit-Telecommunicating-Alarm---Kit-2/

A SmartPhone Alarm can be operated from an iPhone/Android smartphone or from a PC web browser [10]. The alarm includes a PIR camera which can take an image of the room during an intrusion and send it directly to the user’s phone. The user can not only be alerted to an intrusion but can also see at that specific moment what is happening in the house and what has caused the alert. The external siren starts sounding automatically, notifying the neighbours, and the owner is notified by email and by a notification on his smartphone. The system also provides a switch accessory that can be used from a smartphone to turn the lights and all electrical appliances in the house on and off [10].

Figure 9: User-friendly Alarm Interface. Source: http://www.yale.co.uk/en/yale/couk/productsdb/alarms/-easy-fit-alarm--accessories/Easy-Fit-SmartPhone-Alarm---Kit-3/

People can use these alarms in a way that is very convenient for them, and we can see how many useful features they provide to make people’s lives easier. A professional alarm [10] provides the ability to turn on the lights in a specific room when there is a trigger in the back garden or in the next room. There is also the possibility to arm the alarm when the user has left the house and forgotten to switch it on. A nice looking and very usable touchscreen can be used to control all the features. Users with disabilities can be guided by the user-friendly voice assistance provided by the system.

Figure 10: User-friendly Touch Screen Control Panel. Source: http://www.yale.co.uk/en/yale/couk/productsdb/alarms/-easy-fit-alarm--accessories/Easy-Fit-Telecommunicating-Alarm---Kit-2/

B. Money management

People manage their money through online accounts every day using their smartphones or browsers. These new methods have made our lives easier, since there is no need to wait in line at a branch to transfer money or check the available balance, or to wait for the mail to check the latest transactions. The only thing that we cannot do via our smartphones is withdraw money. The most common way to withdraw money is from ATM machines.

How accessible are ATM machines to people? Nowadays there are ATM machines everywhere on the streets, but mostly on central streets with traffic and a lot of people. What happens to people with disabilities, or to people who do not live near central streets and do not have the ability or the opportunity to drive there? All these factors lead to actions that do not take into account security and the safeguarding of personal data. For example, one might ask someone else to withdraw money for them, handing over their credit card and PIN. One may trust the other person, but for how long should that trust last? These actions are risky and the data may fall into the wrong hands. As we can see, people set security aside and give more attention to the need to have access to their money.

VII. CONCLUSIONS

It is now indisputable that technology is a part of our lives and is necessary for processing and operating almost all of our actions, tasks and business. There is no doubt that people are dependent on technology, and as computer scientists our role is to make this technology as accessible as it can be to people, and more usable, effective and efficient. Effectiveness can be described in terms of the users’ goals, efficiency as the minimum amount of time in which a task can be achieved, and satisfaction as the user’s satisfaction with a specific content. By today’s standards, technology can become dangerous to our private data and safety. Security is a term that most people explain by referring to attackers. Attackers are usually defined as people with bad intentions, and organisations ignore the fact that a legitimate, authorised user can also harm the system without any malicious intention. Most systems care mostly about the security they can provide for the user’s private data, and everything else comes second. However, usability in such systems plays an important role in achieving high security, since secure systems that are not usable lead users to perform undesired actions. The growth of Human-Computer Interaction has also involved security in a lot of different ways. A secure system seems to work counter to the users’ needs, and as usability increases, security decreases. However, through this investigation we can see that we can counterbalance these two important factors in a system and, considering each one’s aims, we can assume that improving one may result in improving the other. Security aims to prevent actions that are not desirable in a system, while at the same time usability’s goal is to make the actions that are desired easier for the users. Many researchers have investigated the ways in which we can achieve high usability in a secure system, and they have achieved their goals. They have come up with new interfaces for typing characters to create passwords more efficiently, and new graphical password interfaces with more possibilities of creating a memorable password that is more secure than other schemes. Moreover, security does not exist only in technology. There is also personal security, and it should be managed without any difficulties; instead of being an extra and inaccessible factor in people’s lives, it should be pleasant and make people feel happy and safe. In this study we saw examples of how people stay safe in their houses using an efficient alarm system that is usable and very easy to manage. We also saw examples like money withdrawals, where security cannot be achieved with machines that are not accessible to people. To conclude, it is believed that security and usability are at odds, and in many cases this is true and it is unachievable to have both at high levels. However, there is hope that a system can have both at high levels, and with a good understanding of both factors and how they can be achieved, we can counterbalance them and build efficient, usable, highly secure systems.


REFERENCES

[1] Wikipedia. Human–computer interaction (security). https://en.wikipedia.org/wiki/Human–computer_interaction_(security)

[2] R. Kainda, I. Flechais and A. W. Roscoe. Security and Usability: Analysis and Evaluation. Oxford University Computing Laboratory.

[3] S. M. T. Haque, M. Wright and S. Scielzo. Passwords and Interfaces: Towards Creating Stronger Passwords by Using Mobile Phone Handsets. Department of Computer Science and Engineering and Department of Psychology, University of Texas at Arlington, USA.

[4] H.-Y. Chiang and S. Chiasson. Improving user authentication on mobile devices: A touchscreen Graphical Password. Carleton University. Munich, Germany, August 2013.

[5] K.-P. Yee. User Interaction Design for Secure Systems. University of California.

[6] M. A. Sasse, S. Brostoff and D. Weirich. Transforming the ‘weakest link’: a human/computer interaction approach to usable and effective security.

[7] K. Poulsen. Mitnick to lawmakers: People, phones and weakest links. March 2000. http://www.politechbot.com/p-00969.html

[8] Wikipedia. Single sign-on. https://en.wikipedia.org/wiki/Single_sign-on

[9] Crime in England and Wales: Year ending March 2015. http://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/2015-07-16

[10] Yale alarms. http://www.yale.co.uk/en/yale/couk/ProductsDB/?groupId=4313

[11] D. Balfanz, G. Durfee, D. Smetters and R. Grinter. In search of usable security: five lessons from the field. IEEE Security & Privacy, vol. 2, no. 5, pp. 19–24, 2004.