Beyond Usable Security to Security Ergonomics by Design

“Securing cyber-physical systems is hard. They are complex infrastructures comprising multiple technological artefacts, designers, operators and users. Existing research has established the security challenges in such systems as well as the role of usable security to support humans in effective security decisions and actions. In this paper we focus on smart cyber-physical systems, such as those based on the Internet of Things (IoT). Such smart systems aim to intelligently automate a variety of functions, with the goal of hiding that complexity from the user.

Furthermore, the interactions of the user with such systems are more often implicit than explicit, for instance, a pedestrian with wearables walking through a smart city environment will most likely interact with the smart environment implicitly through a variety of inferred preferences based on previously provided or automatically collected data. The key question we explore is that of empowering software engineers to pragmatically take into account how users make informed security choices about their data and information in such a pervasive environment. We discuss a range of existing frameworks considering the impact of automation on user behaviours and argue for the need of a shift—from usability to security ergonomics as a key requirement when designing and implementing security features in smart cyber-physical environments.”

This paper is available online now from Lancaster University (Paper: Smart cyber-physical systems:beyond usable security to security ergonomics by design) and will be presented by Barney Craggs at the 3rd International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS’17) as part of ICSE in Buenos Aires, late May 2017.