DOI: 10.5555/1251421.1251435

Why Johnny can't encrypt: a usability evaluation of PGP 5.0

Published: 23 August 1999

Abstract

User errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. Is this simply due to a failure to apply standard user interface design techniques to security? We argue that, on the contrary, effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software.
To test this hypothesis, we performed a case study of a security program which does have a good user interface by general standards: PGP 5.0. Our case study used a cognitive walkthrough analysis together with a laboratory user test to evaluate whether PGP 5.0 can be successfully used by cryptography novices to achieve effective electronic mail security. The analysis found a number of user interface design flaws that may contribute to security failures, and the user test demonstrated that when our test participants were given 90 minutes in which to sign and encrypt a message using PGP 5.0, the majority of them were unable to do so successfully.
We conclude that PGP 5.0 is not usable enough to provide effective security for most computer users, despite its attractive graphical user interface, supporting our hypothesis that user interface design for effective security remains an open problem.
We close with a brief description of our continuing work on the development and application of user interface design principles and techniques for security.



Published In

SSYM'99: Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
August 1999
248 pages

Publisher

USENIX Association

United States


Cited By

  • (2024) The Subversive AI Acceptance Scale (SAIA-8): A Scale to Measure User Acceptance of AI-Generated, Privacy-Enhancing Image Modifications. Proceedings of the ACM on Human-Computer Interaction 8(CSCW1), 1-43. DOI 10.1145/3641024. Online publication date: 26 Apr 2024.
  • (2024) On Being an Expert: Habitus as a Lens for Understanding Privacy Expertise. Proceedings of the ACM on Human-Computer Interaction 8(CSCW1), 1-25. DOI 10.1145/3637379. Online publication date: 26 Apr 2024.
  • (2023) Lacking the tools and support to fix friction. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, 131-150. DOI 10.5555/3632186.3632194. Online publication date: 7 Aug 2023.
  • (2023) In the quest to protect users from side-channel attacks. Proceedings of the 32nd USENIX Conference on Security Symposium, 5235-5252. DOI 10.5555/3620237.3620530. Online publication date: 9 Aug 2023.
  • (2023) "Employees who don't accept the time security takes are not aware enough". Proceedings of the 32nd USENIX Conference on Security Symposium, 2311-2328. DOI 10.5555/3620237.3620367. Online publication date: 9 Aug 2023.
  • (2023) What Mid-Career Professionals Think, Know, and Feel About Phishing: Opportunities for University IT Departments to Better Empower Employees in Their Anti-Phishing Decisions. Proceedings of the ACM on Human-Computer Interaction 7(CSCW1), 1-27. DOI 10.1145/3579547. Online publication date: 16 Apr 2023.
  • (2022) "i don't know why i check this ... " — investigating expert users' strategies to detect email signature spoofing attacks. Proceedings of the Eighteenth USENIX Conference on Usable Privacy and Security, 77-96. DOI 10.5555/3563609.3563614. Online publication date: 8 Aug 2022.
  • (2022) Poster. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 3499-3501. DOI 10.1145/3548606.3563541. Online publication date: 7 Nov 2022.
  • (2022) Image DePO: Towards Gradual Decentralization of Online Social Networks using Decentralized Privacy Overlays. Proceedings of the ACM on Human-Computer Interaction 6(CSCW1), 1-28. DOI 10.1145/3512907. Online publication date: 7 Apr 2022.
  • (2021) Encrypted cloud photo storage using Google photos. Proceedings of the 19th Annual International Conference on Mobile Systems, Applications, and Services, 136-149. DOI 10.1145/3458864.3468220. Online publication date: 24 Jun 2021.
