People and computers XII : proceedings of HCI '97

Most organisations try to protect their systems from unauthorised access, usually through passwords. Considerable resources are spent designing secure authentication mechanisms, but the number of security breaches and problems is still increasing (DeAlvare, 1990; Gordon, 1995; Hitchings, 1995). Unauthorised access to systems, and resulting theft of information or misuse of the system, is usually due to hackers "cracking" user passwords, or obtaining them through social engineering. System security, unlike other fields of system development, has to date been regarded as an entirely technical issue - little research has been done on usability or human factors related to use of security mechanisms. Hitchings (1995) concludes that this narrow perspective has produced security mechanisms which are much less effective than they are generally thought to be. Davis & Price (1987) point out that, since security is designed, implemented, used and breached by people, human factors should be considered in the design of security mechanism. It seems that currently hackers pay more attention to human factors than security designers do. The technique of social engineering, for instanc- obtaining passwords by deception and persuasion- exploits users' lack of security awareness. Hitchings (1995) also suggests that organisational factors ought to be considered when assessing security systems. The aim of the study described in this paper was to identify usability and organisational factors which affect the use of passwords. The following section provides a brief overview of authentication systems along with usability and organisational issues which have been identified to date. 1.

A. Adams, M.A. Sasse, P. Lunt, Making Passwords Secure and Usable.- O. Bdlter, Strategies for organising email.- S. Brewster, Navigating Telephone-Based Interfaces with Earcons.- D. Caulton, K. Dye, Do Users Always Benefit When User Interfaces Are Consistent?- L. Clark, M.A. Sasse, Conceptual Design Reconsidered - The Case of the Internet Session Directory Tool.- D. Day, P. Mdkirinne-Crofts, Computer Anxiety and the Human Computer Interface.- A. Faro, D. Giordano, Towards a situated action calculus for modelling interactions.- M. Fernstrom, L. Bannon, Explorations in Sonic Browsing.- D. Frohlich, K. Chilton, P. Drew, Remote homeplace communication: what is it like and how might we support it?- M. Jacomi, S. Chatty, P. Palanque, A Making-Movies Metaphor for Structuring Software Components in Highly Interactive Application.- C. Johnson, The Impact of Time and Place on the Operation of Mobile Computing Devices.- C. Johnson, The Impact of Marginal Utility and Time on Distributed Information Retrieval.- P. Jones, Computer-Assisted Remote Control for the User with Motor Impairment.- J. Long, Research and the Design of Human-Computer Interactions or hat Happened to Validation?- L. Love, C. Johnson, Using Diagrams to Support the Analysis of System 'Failure' and Operator 'Error'.- D. Martin, J. Bowers, D. Wastell, The Interactional Affordances of Technology.- D. Ramduny, A. Dix, Why, What, Where, When: Architectures for Cooperative work on the World Wide Web.- M. Rauterberg et al., BUILD-IT: a computer vision-based interaction technique for a planning tool.- Chris Roast, Formally Comparing and Informing Notation Design.- K. Sedighian, M. Westrom, Direct Object Manipulation vs Direct Concept Manipulation.- Y.L. Theng et al., HyperAT: HCI and Web Authoring.- P. Timmer, J. Long, Separating User Knowledge of Domain and Device.- W. Wong et al., Eliciting Information Portrayal Requirements.