Humans in the loop: human-computer interaction and security

The security field suffers from an endemic problem: despite our best efforts, the current infrastructure is continually full of security vulnerabilities. The systems that comprise this infrastructure also are full of boundaries and interfaces where humans and systems must interact: most secure systems exist to serve human users and carry out human-oriented processes, and are designed and built by humans. From the perspective of the human-computer interaction (HCO community), many of these interfaces do not reflect good thinking on how to make them easy to use in a manner that results in security. From the perspective of the security community, many widespread security problems arguably might stem from bad interaction between humans and systems. I recently attended a workshop (ACM/CHI 2003 Workshop on Human-Computer Interaction and Security Systems) that tried to bring together these communities to trigger further inquiry into this area. In this article, I want to discuss the workshop and how the thinking there applies to the secure systems topic this department addresses.