USENIX Technical Program - Abstract - Security Symposium 99
Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0
Alma Whitten, Carnegie Mellon University; and J. D. Tygar University of California, Berkeley
User errors cause or contribute to most computer security failures,
yet user interfaces for security still tend to be clumsy, confusing, or
near-nonexistent. Is this simply due to a failure to apply standard user
interface design techniques to security? We argue that, on the contrary,
effective security requires a different usability standard, and that it
will not be achieved through the user interface design techniques appropriate
to other types of consumer software.
To test this hypothesis, we performed a case study of a security program
which does have a good user interface by general standards: PGP 5.0.
Our case study used a cognitive walkthrough analysis together with a laboratory
user test to evaluate whether PGP 5.0 can be successfully used by cryptography
novices to achieve effective electronic mail security. The analysis
found a number of user interface design flaws that may contribute to security
failures, and the user test demonstrated that when our test participants
were given 90 minutes in which to sign and encrypt a message using PGP
5.0, the majority of them were unable to do so successfully.
We conclude that PGP 5.0 is not usable enough to provide effective security
for most computer users, despite its attractive graphical user interface,
supporting our hypothesis that user interface design for effective security
remains an open problem. We close with a brief description of our
continuing work on the development and application of user interface design
principles and techniques for security.