Exploring the Meaning of “Usable Security”

While there are many examples of incidents that make the need for more work around the human aspects of security apparent, the literature makes it obvious that usable security can mean many different things and that usable security is a complex matter. This paper reports on a structured literature review that analyzed what the research community considers to be included in the term “usable security”. Publications from the past five years were analyzed and different perceptions of usable security were gathered. The result is a listing of the different aspects that are discussed under the term “usable security” and can be used as a reference for future research or practitioners who are developing security functions with usability in mind.


Introduction
A lot of attention is currently given to the human, or user, side of information security and it is widely acknowledged that user behavior is a crucial factor in information security [74]. An important topic in this area is usable security, the notion that security tools and measures have to live up to usability demands in order to function as intended [73]. Tools that are lacking in usability are likely to not be used at all or be used incorrectly. If a given tool is not used, the security value that it is supposed to add will be lost. A tool that is used incorrectly can give a false sense of security, or even have a negative impact on security [81].
While there are many papers that provide usability evaluations of various tools and techniques, there is an ambiguity in the research community as to what the concept of usable security actually encompasses. There are several examples of papers that discuss or validate usability; two examples are [79], which evaluates certain usability criteria of a phishing defense mechanism, and [75], where usability in access control in IoT is discussed. While both are valuable pieces of research, neither discusses usability in a broader sense. Further, [77] evaluates usability around the keywords "convenience, annoyance, time-consuming and tiring" and builds on the System Usability Scale (SUS) presented by [72]. While the SUS scale measures important aspects of usability, it does not factor in ideas that [81] considers essential in usable security, for instance, that users should not make dangerous errors.
The existing research demonstrates that usable security is a complex area with many dimensions. However, to the best of our knowledge, there is no common definition or understanding of what the term actually includes. The aim of this paper is to address this gap by reviewing how the term is applied in recent research. The result will describe what researchers mean by usable security and can be used as a reference for future studies. Future research will build on this paper with the goal of establishing evaluation criteria for usability in security tools and measures designed to be used by end-users.

Methodology
The research was carried out using a structured literature review targeting research published in the past five years. The review followed the process described by [78]. The outcomes of a literature review are heavily dependent on the databases used, the search terms chosen, and the criteria applied to select relevant literature [80,76]. The databases and search terms used in this study are shown in Table 1, below. The initial searches resulted in 378 articles; papers that were duplicates or failed to meet inclusion criteria were removed, resulting in 49 papers that were selected for further analysis. Backward snowballing, as described by [82], was employed and resulted in another 21 papers, resulting in 70 papers that were included in the study. Table 2 presents the inclusion and exclusion criteria used in this study and Table 3 shows the result of the initial selection process. Table 4 shows the results of the backward snowballing.

Inclusion criteria
IC1: Published between 2015 and 2020
IC2: Published in peer-reviewed journal or conference
IC3: Publication is relevant to the topic
IC4: Written in English, Swedish or German

Exclusion criteria
EC1: Publication occurs multiple times
EC2: Fails to meet inclusion criteria
EC3: Payment required for access
EC4: Dubious description of method or results

The selected papers were analysed, using the software MAXQDA, using thematic coding as described by [71].

Results
Following the selection process, the included papers were analyzed using thematic coding. First, high-level aspects of usable security were identified. They were then refined into subcategories. The results are summarized in Figure 1, below, where the high-level aspects and their subcategories are displayed. The number in parentheses shows the number of papers connected to a given subcategory.
The remainder of this chapter will describe the discovered aspects of usable security. The papers classified in each aspect will be referenced continuously and are listed in the reference list, preceded by an asterisk (*).
Cost of Use: This aspect addresses factors that users tend to perceive as inconvenient in terms of cost-effectiveness. Financial costs are mentioned repeatedly [1,34,25] and one publication [1] states that resource consumption (e.g. battery) might be of significance.
Consistency: Security solutions are perceived as usable when they operate predictably. This applies to matters of behavior [34,31], meaning that similar tasks work identically, and implementation [6, 55, 57] factors including standardized setups, consistent phrasing, and design that makes requirements and conditions easy to recognize.
Perception: Willingness to adopt security solutions depends partially on how they are perceived by individuals. One aspect relates to trust and reputation [61,12,10,67,11,45,25,4,36,60]. Multiple studies report that users prefer Also, the GUI should not require unnecessary user attention and merely display information necessary for decision making. A GUI that is adjustable [6, 31, 55] to the user's preferences increases usability since it improves learnability.
Scalability: Another factor is the extent to which security solutions can deal with multiple user accounts and security keys. Usable account handling [22,24,57] does not restrict the number of allowed user accounts and allows multiple accounts to be operated with mutual keys. Concerning key handling [12], a scalable solution should be able to install and control multiple keys without complicating usage.
Compatibility: Security solutions should be compatible with commonly used systems and services [20, 1, 22, 24, 57] to be perceived as usable. The trend of developing new security solutions with separate and fragmented user bases is a hindrance to usability. Compatibility with other security solutions [1] is crucial since users will presumably reject overly incompatible products such as communication tools that only allow conversations with other instances of themselves.
Adaptability: How well a security solution can be adapted to the specific needs of individuals represents an important factor according to 19 publications. The first subcategory deals with the amount of allowed user control [20, 69, 22, 28, 31, 40, 49, 55]. Enabling users to customize configurations to their preferences increases convenience. Facilitating memorability by allowing users to choose their own passwords is also advantageous. Regarding user capacity [34,51,5,12,18,27,28,38,49,55,70], security solutions should be adaptable to various expertise levels and be able to, preferably intelligently, adapt to individual abilities and disabilities.
Interference: Usability is reduced when users' primary tasks are disturbed. The first subcategory addresses workflow [20, 63, 26, 27, 30, 49, 53] interference. Necessary security actions should be arranged in ways that minimize interruptions. Even re-authentication [3,6,14,24,27,39] requests are described as disruptive and inconvenient. They can be perceived as wasted time and cause increased complexity. Also, compelling users to remember passwords repeatedly interrupts other tasks since enforced context switches may cause confusion. Finally, there is a physical [61, 15, 56, 57] category to this aspect. Users are anxious about lacking immediate access to a token when needed, and fears of loss or theft are common.
Error rate [20, 34, 63, 37, 3, 4, 17, 21, 26, 33, 35, 36, 38-40, 53, 57, 58, 66, 68, 70]: The extent to which a security solution enables users to conduct their primary task without having to deal with annoying completion failures is a prominent usability precondition. Increasing error rates cause substantial inconvenience since users are forced to repeat actions. Solutions become ineffective since they are unable to complete tasks as intended. In this context, it is secondary whether errors are caused directly by the system or indirectly via users. When security solutions are error-prone, users may choose to circumvent them to preserve usability.
Error of security solutions and particular user decisions reduces usability issues and increases trust. Making users aware of threats and consequences helps increase acceptance of security requirements and enables better system understanding and utilization. Context related [65,59,22,6,21,28,55,62] information corresponds directly to executed tasks and allows specifically required actions to be exhibited without the need to interrupt said tasks. This reduces perceived complexity and strain.

Conclusions
This paper aimed to summarize the meaning of usable security by analyzing recently published research to identify the dimensions that the term usable security encompasses. Using a structured literature review, this research identified 70 papers from the past five years that discussed the topic of usable security. Using thematic coding, 14 aspects were created from analyzing the included papers; the aspects were then refined into 31 subcategories that describe usability factors for security measures. The most discussed subcategories concern the time needed to complete security tasks, the cognitive load added by security tasks and the ease of completing security tasks. While this research does not attempt to weight the different identified aspects, this aligns well with the common understanding of a need for time-efficient and easy-to-use security functions.
The result of this paper is a summary of current research that can help researchers as well as practitioners to better understand the topic of usable security, a necessity in implementing user-centred security measures and applications. It also provides a better understanding of the users' roles and challenges in security and can be used as a reference model when developing security functions, applications and procedures. While this research employs measures such as backwards snowballing to be as complete as possible, a given limitation is that it relies on previous research. A possible consequence is that no previously unknown usability factors have been discovered.
An apparent direction for future work would be to research the identified usability factors from a user-centred standpoint. Such a project could aim to include users in an attempt to weight the different factors according to the users' perception. Another direction for future work would be to continue the research by developing concrete guidelines for implementation of user-centered security. Such a project would include practitioners as well as researchers and users.

Fig. 1. Identified aspects of Usable Security. The number in parentheses displays the number of publications relating to each sub-category.

Table 1. List of used databases and search terms

Table 2. Inclusion and exclusion criteria