What Usable Security Really Means: Trusting and Engaging Users

  • Iacovos Kirlappos
  • M. Angela Sasse
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


Non-compliance with security mechanisms and processes poses a significant risk to organizational security. Current approaches focus on designing systems that restrict user actions to make them ‘secure’, or providing user interfaces to make security tools ‘easy to use’. We argue that an important but often-neglected aspect of compliance is trusting employees to ‘do what’s right’ for security. Previous studies suggest that most employees are intrinsically motivated to behave securely, and that contextual elements of their relationship with the organization provide further motivation to stay secure. Drawing on research on trust, usable security, and economics of information security, we outline how the organization-employee trust relationship can be leveraged by security designers.


Keywords: trust, usable security, information security management





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Iacovos Kirlappos (1)
  • M. Angela Sasse (1)
  1. Department of Computer Science, University College London, London, UK
