An Experimental System for Studying the Tradeoff between Usability and Security

An ideal system should be usable and secure. However, increasing the security of a system often makes its use more cumbersome and less efficient. This tradeoff between usability and security poses major challenges for system designers. System security may be impaired when users override or ignore security features to facilitate the use of the system. Little empirical data are available on user behavior regarding the tradeoff between security and usability. To obtain such data we developed a controlled research environment (i.e., a microworld) for studying userspsila tendency to take precautionary actions as a function of the tradeoff between a systempsilas usability and the level of security the system provides. It is a modified version of a ldquoTetrisrdquo game and includes an alert system that warns about possible virus attacks, which, if not prevented, can cause losses of monetary earnings. Users could alter the threshold settings of the security system. The system allows us to manipulate the usability cost of using a security feature, the severity of the consequences of an attack, the likelihood that a threat will occur, and the statistical properties of the security system. In a preliminary experiment two groups of 10 participants each used the system for three 20-minutes sessions. The likelihood for an attack was 4 times higher for one group than for the other group. The likelihood of an attack clearly affected participants´ behavior. When attacks were more likely, participants altered thresholds more frequently, selected more cautious thresholds, and tended to respond more to security system alerts. This microworld is a step towards the development of quantitative predictive models of user interactions with security features while using a system.