Angela Sasse

043 16_043_UCL IWD 2016 Prof Angella Sasse 1802

Busting the Usability-Security Tradeoff Myth

As the value of the digital economy has grown, so has cyber crime. Security specialists develop policies and security mechanisms to stop attacks succeeding, but in practice people make mistakes, or don’t behave as policies demand – and so many solutions are ineffective. Usability knowledge and methods could be applied to develop solutions that are both usable and secure – but even though there is a growing body of usable security research, there has been little progress in practice.

The talk will present results from a study that examined how usability and security are considered in the software development process. We found that there is a widely held belief that there is a tradeoff between usability and security, and that this erroneous belief leads to design decisions that produce solutions that do not work in practice. I will conclude that, despite 30 years of HCI research and practice, the benefits of applying its concepts and methods in practice are not understood by developers and security specialists, and will make some suggestions on what we can do to change this.


M. Angela Sasse FREng is the Professor of Human-Centred Technology in the Department of Computer Science at University College London, UK. She read psychology in Germany and obtained an MSc in Occupational Psychology from Sheffield University before obtaining a PhD in Computer Science from the University of Birmingham. She started investigating the causes and effects of usability issues with security mechanisms in 1996. Her seminal 1999 paper with her then PhD student Anne Adams, "Users are Not the Enemy", is the most cited paper in usable security. She became a full professor in 2003, and has led several multi-disciplinary projects, working with economists, mathematicians and crime scientists. She has worked with many international companies and received Faculty Awards from Intel in 2012 and IBM in 2013. She became Director of the UK Research Institute for Science of Cyber Security (RISCS), co-funded by the EPSRC and GCHQ, in 2012, and was elected a Fellow of the Royal Academy of Engineering in 2015.