T-110.5220 Information Security and Usability - Final exam 21.5.2010 P
3 credits
Choose version (with or without assignments)
VERSION 1: with the assignments
This exam has two parts.
Answer 2 questions from part I and 1 analysis task from part II.
Part I: Answer 2 out of the 3 questions.
Question 1: One of the classical papers of usable security is Doug Tygar's and Alma Whitten's paper "Why Johnny Can't Encrypt" (http://www.gaudior.net/alma/johnny.pdf). Explain what makes this paper a classic. You can additionally discuss in what ways the paper may be outdated.
Question 2: Describe usable security as a research field: when did it emerge and why, what kind of topics does it address, and what kind of methods does it use?
Question 3: Why do current online security indicators fail? Hint: the Schechter et al. paper "The Emperor's New Security Indicators" (http://www.usablesecurity.org/emperor/) may be helpful.
Part II: Answer 1 of the 2 analysis tasks
Analysis task 1
Compare the trustworthiness of the following two sites on the basis of the trust elements presented in the Cheskin eCommerce Trust Study (http://www.cheskin.com/cms/files/i/articles//17__report-eComm%20Trust1999.pdf): http://www.nowpublic.com/ and http://news.yahoo.com/
Analysis task 2
Turn off the sound on your computer so as not to disturb others, and then try out the Disney children's security game at http://home.disney.com.au/activities/surfswellisland/. You do not need to complete it, just see how it works. Discuss whether and how a game-like approach could also be used to educate adult users. Why would it be needed? How could it help to tackle current problems in usable security?
VERSION 2: without the assignments
This exam has two parts.
Answer 3 questions from part I and 1 analysis task from part II.
Part I: Answer 3 out of the 4 questions.
Question 1: One of the classical papers of usable security is Anne Adams’ and Angela Sasse’s paper “Users are not the Enemy”. What are the major findings of this paper and why are they so important?
Question 2: By comparing the findings of “Users are not the Enemy” against Jean Camp’s paper “Mental models of privacy and security”, analyse how the differences between perceived and actual risks may affect users’ abilities and motivation to act securely.
Question 3: Discuss the pros and cons of various authentication mechanisms from a usability point of view on the basis of Andreas Heiner's lecture. You can also make use of other course material as you see appropriate.
Question 4: The Cheskin et al. study on eCommerce Trust aimed to analyse the ingredients of online trust formation. What methods were used to gather the data? Discuss the possible strengths and weaknesses of the study.
Part II: Answer 1 of the 2 analysis tasks
Analysis task 1
Compare the trustworthiness of the following two sites on the basis of the trust elements presented in the Cheskin eCommerce Trust Study (http://www.cheskin.com/cms/files/i/articles//17__report-eComm%20Trust1999.pdf): http://www.nowpublic.com/ and http://news.yahoo.com/
Analysis task 2
Here is a picture from a recent New York Times article on Facebook privacy management (http://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html) and a related article (http://www.nytimes.com/2010/05/13/technology/personaltech/13basics.html). After reading the article and studying the picture, analyse the usability problems of Facebook privacy management on the basis of the findings and claims presented in Smetters and Good's paper "How Users Use Access Control".
T-110.5220 Information Security and Usability - Final exam 12.5.2010 P
3 credits
This exam has two parts. Answer 2 questions from part I and 1 analysis task from part II.
Part I: Answer 2 out of the 4 questions.
Question 1: One of the classical papers of usable security is Doug Tygar's and Alma Whitten's paper "Why Johnny Can't Encrypt" (http://www.gaudior.net/alma/johnny.pdf). Explain what makes this paper a classic. You can additionally discuss in what ways the paper may be outdated.
Question 2: Usability and security are sometimes seen as opposite goals. Can you explain why this is the case?
Question 3: Many claim that online privacy policies are hard to understand. Discuss why this may be the case and suggest improvements to the current situation. You can use examples from real online privacy policies of your choice.
Question 4: Discuss the relevance of role-playing when applying usability testing to security, and how it may affect the validity of the results. Use the two papers "Why Johnny Can't Encrypt" (http://www.gaudior.net/alma/johnny.pdf) and "The Emperor's New Security Indicators" (http://www.usablesecurity.org/emperor/) as the basis for your analysis.
Part II: Answer 1 of the 2 analysis tasks
Analysis task 1
Analyse the trustworthiness of one of the following sites against the trust elements presented in the Cheskin eCommerce Trust Study (http://www.cheskin.com/cms/files/i/articles//17__report-eComm%20Trust1999.pdf):
a) http://www.rephlex.com/
b) http://www.vangoghartprints.net/index.html
c) http://www.eimsdirect.com/
Analysis task 2
Compare the trust elements of the following two sites on the basis of the course material:
1) http://www.zedge.net/
2) http://www.myxer.com/