Usability problems are a major cause of many of today’s IT-security incidents. Security systems are often too complicated, time-consuming, and error prone. For more than a decade, researchers in the domain of usable security (USEC) have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the end-user problems and on the creation of usable security mechanisms.
Our group is particularly focusing on the human factors of experts such as IT administrators and developers, since many of the most catastrophic security incidents were not caused by end-users, but by developers or administrators. Heartbleed and Shellshock were both caused by single developers yet had global consequences. The recent Sony hack compromised an entire multi-national IT-infrastructure and misappropriated over 100 TB of data, unnoticed. Fundamentally, every software vulnerability and misconfigured system is caused by developers or administrators making mistakes.
We are studying these kind of incidents and developing strategies to prevent them from happening in the future.