HCISEC - Human Computer Interface Security
"User errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. Is this simply due to a failure to apply standard user interface design techniques to security? We argue that, on the contrary, effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software." - from Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0
In this presentation I will discuss the theories and findings from the seminal HCISEC paper quoted above. This includes a discussion of why usability for security may be a distinct subset of HCI, the abstractions necessary, and some of the visual metaphors involved. It also includes a discussion of the danger of irreversible actions and information overload. The paper's examples are specific to PGP 5.0, but the principles can be more generally applied. If possible, I will also be reviewing a paper I am working on, which applies a similar analysis to the issues of Secure Instant Messaging using publicly available clients.