CHAPTER 3 FRAMEWORK DEVELOPMENT
The relationship between humans and computers has existed since the introduction of computers. Although users were just glad to have computing power to perform basic tasks at the beginning, as time passed and computers evolved, it became apparent that computer functionality alone was not enough. This led to the introduction of the field of human-computer interaction (HCI) and more emphasis on system usability. This research work falls into the human-computer interaction security (HCISec) or usable security category, where HCI meets InfoSec. Usable security involves the application of usability design principles in the design and development of InfoSec mechanisms in an IS application.
The main goal of usable security is to enable users to use InfoSec mechanisms in order to mitigate InfoSec risks through effective use of applications. Ultimately, having InfoSec systems that users can use helps to create a viable security culture in an organisation and society at large. The previous chapter discussed the technical aspects of securing online applications. This chapter provides a critical discussion of the social aspects of the InfoSec problem in the context of online InfoSec applications, before the presentation of the preliminary STInfoSec framework. The two chapters combined complete the literature review of this socio-technical approach to designing online InfoSec applications.
The researcher argued that, for a holistic solution to InfoSec problems, both technical and social aspects needed equal attention in IS design. The proposed STInfoSec framework for the design of secure and usable online InfoSec applications, therefore, consisted of validated design principles. This chapter provides a critical discussion of design principles in the literature that guided the selection of those principles selected for investigation in the study.
HCI is an interdisciplinary field associated with a number of other fields of study, all with the goal of designing computer technology that is easy and pleasant to use. Related fields of study include computer science, cognitive science, and psychology, to mention just a few. There are various definitions of HCI, with the notable ones included here. According to ACM SIGCHI (1992:5), HCI is “[a] discipline concerned with the design, evaluation and implementation of interactive computing systems for human use and with the study of major phenomena surrounding them”. HCI relates to how humans interact with computer technology in their everyday work and other activities. Broadly speaking, computer technology involves any devices with computing capabilities. Apart from computers themselves, other devices include mobile phones and appliances.
The concept of considering human factors in the design of equipment started during World War II, and it developed into HCI in the late 1960s, just after the introduction of mainframe computers (Grudin 2012). HCI has evolved rapidly over time. Figure 3-2 illustrates the timeline of the evolution of human factors, ergonomics, ISs, and HCI during the century between 1905 and 2005.
Liu, Goncalves, Ferreira, Xiao, Hosio, and Kostakos (2014) presented a comparison of two decades of articles and keywords at ACM’s CHI Conference on Human Computer Interaction, which has been running since 1982 and is one of the leading conferences in the field of HCI. Their comparison was between the periods 1994 to 2003 and 2004 to 2013 to identify the landscape of the field. Usability appeared significantly in both periods, while security was only prevalent in the second period, especially due to the influx of mobile devices (Liu et al. 2014).
The following sections detail the evolution of HCI and other related terms, thus providing the context of the current trend of usable security design – the subject of this research.
Human factors and ergonomics
Human factors and ergonomics are important wherever people work with systems, be these social or technical in nature. The range of such socio-technical systems includes system elements such as tools, software, tasks, and environments. Human factors are concerned with how people interact with these systems in their workplace. The International Ergonomics Association (IEA) gives a combined definition of ergonomics (or human factors) on its homepage as (IEA 2018):
“the scientific discipline concerned with the understanding of interactions among humans and other elements of a system, and the profession that applies theory, principles, data, and methods to design in order to optimise human well-being and overall system performance”.
It is important to note that this definition does not single out any particular type of system; the field applies to any system, be it machinery or a software application. In the context of information technology, designers are more concerned with human factor aspects than strict ergonomics issues, since human factors specifically address concerns about how technology and computers, in particular, are integrated in the workplace to achieve optimum productivity for the user.
Human factors in InfoSec are factors that can improve the use of InfoSec systems or the features of these systems or that can deter users from using them. The focus is on a design that fosters optimum use of system features, particularly security features. If designers fail to address human factors in security, users will misuse the systems, as they will bypass security mechanisms, thereby creating an unsecure environment.
The term ‘mental model’ was first coined in cognitive psychology and is now extensively applied in HCI to explain human behaviour. Users’ behaviour in relation to information systems can be explained through the content of their knowledge, including their theories and beliefs (Payne 2012). Fulfilling expectations depends on keeping behaviour and expectations in agreement, where user expectations are mainly influenced by users’ mental model of the system. Yee (2005; 2004a) asserts that security policy and the mental model are dynamic, since they change in response to user actions. Getting users to use InfoSec systems effectively is one of the key challenges (Dourish, Grinter, De la Flor & Joseph 2004). Hence, designers of information systems need to understand the mental model users have of the system’s capabilities and limitations to avoid a mismatch. This is even more important in InfoSec systems, as it might create an unsecure environment.
Understanding unique mental models users have of InfoSec and privacy issues online assists in understanding the problem and providing effective solutions. Prettyman, Furman, Theofanos, and Stanton (2015) found that online users had multiple and often contradictory mental models of their understanding of, and experience with, InfoSec and privacy. Therefore, a socio-technical approach ensures that proposed solutions provide an array of social aspects such as usability and user experience (UX), thereby addressing some of the multiple mental models held by users.
Humans are not machines. The human mind can only hold and recall a certain amount of information, which varies significantly from one person to another. According to Proctor and Vu (2012:30), memory “refers to explicit recollection of information in the absence of the original stimulus and persisting effects of that information on information processing that may be implicit”. Short-term memory (STM), also known as working memory, refers to “representations that are presently being used or have recently been used and that last for a short period” (Proctor & Vu 2012). Therefore, users of information systems often utilise STM to remember things such as usernames, passwords, PINs, and essentially how to use these systems. It is imperative that system designers do not overload the STM. This is even more important in InfoSec systems to avoid unsecure behaviour such as writing down passwords. Memory load was taken into consideration in the proposed STInfoSec framework by making sure that the design enhanced learnability and provided help and documentation to users. This ensures the application is easy to use for repeat users and they will not have to learn the user interface all over again.
Usability is invisible, and it is the reason why users love certain products or services they use daily. As Barnum (2011:1) puts it, “[w]hen usability is inherent in the products we use, it’s invisible. We don’t think about it. But we know it’s there”. The absence of usability in a product or service brings about frustration; in extreme cases, users decide not to bother using the product or service. Preece et al. (2015) note that most gadgets are engineered to work effectively, while neglecting the usability aspects from the users’ perspective. The same can be said of most software applications, even more so InfoSec systems. The introduction of usability early in the design process has become the norm to mitigate usability problems – hence, the suggestion by Mitnick and Simon (2002) that attackers are exploiting the human factors neglected by designers to gain access to computer systems.
One definition of usability that has become standard is the usability process-oriented approach from the ISO (ISO 9241-11 1998:6), namely, “the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use”. The definition highlights three key aspects: specific users, specified goals, and a specified context of use. The ISO also highlights the importance of the context of use in its definition of product-oriented usability. ISO/IEC 9126-1 (2001) defines usability with emphasis on the ability of users to understand, learn, and use a software product under specified conditions, while the Institute of Electrical and Electronics Engineers (IEEE) standard defines usability as the ease with which users can learn to operate the system (IEEE Std. 610.12 1990). In the context of product-oriented usability, product usability hinges on the user, the task, and the environment in which the product is being used.
Subsequent definitions of usability emphasise different usability attributes, as new insights have given rise to new attributes, since both researchers and practitioners have started to appreciate that usability has many facets. Nielsen (2010) states that usability is not one-dimensional and specifies five quality attributes of usability, namely, learnability, efficiency, memorability, errors, and satisfaction. Other authors such as Rubin and Chisnell (2008) characterise the usability of a product or service in terms of the following attributes: useful, efficient, effective, satisfying, learnable, and accessible. The main usability attributes as applied in usability studies are discussed in the following section.
In this research, the researcher incorporated both the process-oriented and product-oriented usability approaches to investigate the usability of online banking user interfaces, enabling users to achieve effectiveness, efficiency, and satisfaction from the service. Conversely, the researcher looked at the usability of the system as a product; that is, the interface needed to be learned, understood, and used and had to be satisfactory to the user. Rubin and Chisnell (2008:1) argue that what makes a system ‘usable’ is the absence of frustration while interacting with it. The authors go on to state that, when a product or service is truly usable, “the user can do what he or she wants to do the way he or she expects to be able to do it, without hindrance, hesitation, or questions” (Rubin & Chisnell 2008:3). This highlights the significance of understanding the user’s mental model of the system in order to match system capabilities with user expectations. Nielsen (2010) explains usability as part of the larger issue of system acceptability, as depicted in Figure 3-3.
Social acceptability and practical acceptability form part of system acceptability. Practical acceptability, furthermore, considers aspects such as reliability, compatibility, cost, and usefulness, to mention but a few. Usefulness is explained in terms of utility and usability, where utility assesses whether the system provides the intended functionality and usability considers how well users can use the system functionality (Nielsen 2010).
Online applications need to ensure that users get an experience that makes them come back by satisfying both their functional and sensory needs. These online applications offer the services through some form of interface – be it web or device (such as smartphone) applications. A number of usability goals were found in the literature. After an in-depth literature review, the researcher identified the most significant of these in the context of the current case study: online banking.
Error tolerance and prevention
The system should ensure that users make as few errors as possible, where an error is any action that does not achieve the wanted goal. The error rate is the number of errors users make during the use of a system while performing a specific task (Nielsen 2010). The system error rate should be low to prevent users from making many errors and to allow them to recover without catastrophic consequences (Nielsen 2010). This goal can be thought of as related to the safety goals that ensure that no serious harm can result from users making serious mistakes when using a product or service. In the context of online banking, this entails, for instance, avoiding errors such as paying the wrong beneficiary, which might cause serious inconvenience to users.
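As an added illustration of the error tolerance and prevention goal in the online banking setting the paragraph uses (this is example code written for this discussion, not part of the thesis or of any bank's system), the block below shows two common defensive measures against paying the wrong beneficiary: a checksum on the account identifier that catches typing slips before the payment is submitted, and a single-use confirmation step so that the user reviews the beneficiary details and an accidental double submission cannot go through twice. The checksum is the standard ISO 7064 mod 97-10 rule used by IBANs, which detects every single-digit substitution and every transposition of two adjacent characters; the `TransferFlow` class, its method names, and the sample account details are constructed for the example.

```python
import secrets
from dataclasses import dataclass


def iban_valid(iban: str) -> bool:
    """Check an IBAN with the ISO 7064 mod 97-10 rule.

    Move the first four characters to the end, replace each letter with
    its two-digit value (A=10 ... Z=35), and require the resulting number
    to leave remainder 1 when divided by 97. A mistyped or transposed
    character changes the remainder, so the slip is caught at input time
    rather than after the money has left the account.
    """
    s = iban.replace(" ", "").upper()
    if len(s) < 5 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # int('W', 36) == 32
    return int(digits) % 97 == 1


@dataclass(frozen=True)
class TransferRequest:
    beneficiary_name: str
    iban: str
    amount_cents: int


class TransferFlow:
    """Two-step payment: prepare (validate and show a review) then confirm.

    Hypothetical flow written for this example. The review token is
    single-use, so a repeated click on 'confirm' cannot submit the same
    payment twice; that is the 'recover without catastrophic consequences'
    side of the error tolerance goal.
    """

    def __init__(self) -> None:
        self._pending: dict[str, TransferRequest] = {}

    def prepare(self, req: TransferRequest):
        """Validate the request; return (review_token, summary, errors)."""
        errors = []
        if not iban_valid(req.iban):
            errors.append("iban_checksum_failed")
        if req.amount_cents <= 0:
            errors.append("amount_not_positive")
        if not req.beneficiary_name.strip():
            errors.append("beneficiary_name_missing")
        if errors:
            return None, None, errors
        token = secrets.token_urlsafe(16)
        self._pending[token] = req
        # The summary is what the user is shown to review before confirming.
        summary = (f"Pay {req.amount_cents / 100:.2f} to "
                   f"{req.beneficiary_name} ({req.iban})")
        return token, summary, []

    def confirm(self, token: str) -> str:
        """Consume the review token; only the first confirmation submits."""
        req = self._pending.pop(token, None)
        if req is None:
            return "rejected: unknown or already-used confirmation"
        return "submitted"


if __name__ == "__main__":
    flow = TransferFlow()
    # Constructed sample: the widely published example IBAN and a
    # transposed copy of it (last two digits swapped).
    good = TransferRequest("Jane Doe", "GB82 WEST 1234 5698 7654 32", 12_50)
    typo = TransferRequest("Jane Doe", "GB82 WEST 1234 5698 7654 23", 12_50)
    print(flow.prepare(typo)[2])       # ['iban_checksum_failed']
    token, summary, _ = flow.prepare(good)
    print(summary)
    print(flow.confirm(token))         # submitted
    print(flow.confirm(token))         # rejected: ... already-used
```

Note that the checksum only catches entry slips; it says nothing about whether the account belongs to the intended person, which is why the review summary still has to name the beneficiary before the user confirms.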
Satisfaction refers to the users’ perceptions, feelings, and opinions of the system, meaning that the users should be subjectively satisfied when using it (Nielsen 2010). This information is generally captured by means of both oral and written questioning (Rubin & Chisnell 2008). A system that meets users’ needs and provides satisfaction allows users to perform well.
Learnability is regarded as the most essential usability goal, since systems need to be easy to learn (Preece et al. 2015). The system should allow users to rapidly learn the design and quickly start to get some work done (Nielsen 2010). Rubin and Chisnell (2008) consider learnability as being linked to effectiveness, since users should be able to use the system after some period of training to some defined level of competence. Users prefer learning how to use a system by actually using it, especially online applications, as users are too impatient to read tutorial manuals.
Memorability refers to the ability of a returning user to use a system without having to be trained for it all over again (Preece et al. 2015). A system with good learnability helps users to remember how to use it quickly. Apparently, interface memorability is one of the rarely evaluated usability attributes compared to other attributes (Nielsen 2010).
Usefulness is the ability of a system to achieve a specific desired goal(s) (Nielsen 2010). As mentioned earlier, Nielsen (2010) considers usability as a function of usefulness; thus, usefulness is not an attribute of usability (refer to Figure 3-3), since a system has to be useful first before looking at how usable it is to the user.
Safety protects the user against conditions and situations that may be undesirable and dangerous (Preece et al. 2015; Petrie & Bevan 2009). Safety as a usability goal was initially intended to protect people operating machinery in workplaces (ISO 9241-210 2010). In the context of software products, safety strives for reduced risk of harm to system users or other resources, including hardware or data. The ISO/IEC 9126-4 (2004) standard defines two aspects of software product safety. Operational safety enables a software product to meet user requirements during normal operation without harm to other resources and the environment, with attributes such as consistency, completeness, accuracy, insurance, and security. Contingency safety ensures that the product is capable of operating outside its normal operation, while still preventing risks, with attributes such as fault tolerance and resource safety. In general, safety ensures that no severe harm can result from users making serious mistakes when using a product or service.
Utility ensures that the product provides the right kind of functionality that allows users to complete their tasks (Preece et al. 2015). In other words, utility ensures that a product can deliver the intended results if used properly without obvious mistakes. For example, a calculator should give the correct sum of numbers if the numbers are entered correctly. As depicted in Figure 3-3, Nielsen (2010) places utility outside usability goals, arguing that usability is not an issue in products or services that have no functionality.
The usability goals presented here do not represent an exhaustive list, as there are numerous others for specific systems. The above list consists of the usability goals within the scope of this research. The order of importance of usability goals depends on system requirements and what designers perceive as necessary to achieve system goals. In the context of online InfoSec and the case study (online banking) of this research, in particular, the above list was deemed important in addressing usability problems, although not all of the above principles were included in the final framework. There are also other goals that were deemed either implicit or outside the research scope, including effectiveness, efficiency, accessibility, universality, and flexibility, to mention but a few.
Usability is a narrower concept that mainly focuses on the ability of the user to successfully complete some specific system task. In other words, usability is mainly concerned with the functionality of the system that allows the completion of a task (Albert & Tullis 2013). Since the permeation of technology in our daily lives, our main concern is not only the successful completion of tasks, but also enjoyment of the whole experience of system interaction, referred to as user experience (UX). UX takes a broader view than, and goes beyond, usability, in that it includes the user’s entire interaction, including thoughts, feelings, and perceptions that result from interaction with the system (Albert & Tullis 2013). UX essentially includes aspects such as HCI, human factors, ergonomics, usability, and accessibility, which is more than just system usability (Hassenzahl, Platz, Burmester & Lehner 2000).
Therefore, the term ‘user experience’ has emerged to address aspects of users’ interactions with systems that go beyond effectiveness, efficiency, and satisfaction (Petrie & Bevan 2009). In essence, usability is included in the broader realm of UX, as current systems seek to amuse and entertain users (Albert & Tullis 2013). Yet usability uses objective metrics for measurement, while UX is more about users’ hedonic reactions, which are generally subjective, to the system (Petrie & Bevan 2009).
Law, Roto, Hassenzahl, Vermeeren, and Kort (2009) argue for the separation of UX from other experiences, such as the broader product experience and service experience, recommending that the term should exclusively refer to products, systems, services, and objects with which a user interacts through a user interface. Bevan (2008) advocates that usability can be extended to encompass UX by interpreting ‘satisfaction in use’, a sub-characteristic of usability, as proposed in ISO/IEC 25010 (2011), as a UX attribute. Satisfaction in use has four sub-characteristics: likability, pleasure, comfort, and trust. Likability deals with the satisfaction from the perceived achievement of pragmatic goals. Pleasure is the extent to which the user gains satisfaction from the perceived achievement of hedonic goals of stimulation, identification, evocation, and associated emotional responses. Comfort relates to satisfaction of physical comfort. Lastly, trust deals with satisfaction that the product will behave as intended. User satisfaction is usually measured using a psychometrically designed questionnaire for more reliable results (Hornbæk 2006).
Apart from usability goals, researchers and practitioners are now looking at improving interaction design systems to cater for additional goals such as UX. Compared to the more objective usability goals, UX goals are mostly subjective, since they are based on how users experience the product from their perspective (Preece et al. 2015). Preece et al. (2015) provide UX goals that include a wide range of emotions and felt experiences, grouped according to two categories: desirable and undesirable aspects. Table 3-1 lists some of these emotions.