Usable Security

The following is the review I posted on Coursera.

===
This was an extremely elementary and thus disappointing course. While the importance of "Usability" was rightly emphasized, the representation in terms of examples, case studies, etc. was simplistic. I appreciated having my attention drawn to the pitfalls of HCI design and the consequent failure of the corresponding systems. However, the solutions were presented as if: 1.) there are always "correct" interface/usability choices; 2.) the "correct" choice is all that's needed for the system to be optimally functional; and 3.) there is never a tension between usability and effective functioning of a system (that can't be resolved with correcting the usability).

It is irresponsible to suggest, for example, that a user selected memorable password is generally adequately secure without also covering ways that an interface can guide/nudge the user to create a secure password. Wide recognition of the importance of this may be more recent than the studies covered in the course. There is nothing wrong with studying old, seminal research, even in this age of "Internet time," but I wish I wasn't left wondering what, if any, developments had occurred in the decade or so since that research took place.

As for tension between usability and security, it absolutely exists. For instance, PGP encryption is a reliable way to secure information, yet making it usable remains a challenge. This is not even mentioned in the entire course. In fact, this course would leave an otherwise uninformed student believing that there are usability solutions waiting to be applied to every cause of info insecurity if the techies would just look. I wish the course had at least acknowledged that there are cases where a slight compromise on usability might be necessary for the sake of appropriate security.

Lastly, for those designing an HCI for security, it is important to understand threat models. This concept is also missing from the course.
===

I reviewed this course (above) immediately after I finished it. I am now in the 3rd week of Software Security, the 2nd course in the Cybersecurity specialization, and am realizing that 2 stars was a generous assessment. Based on the prerequisites of the Software Security course, the Usable Security course, in its current form, is too elementary to be appropriate for people who have the experience/knowledge required for the rest of the courses in this specialization. As I explained above, the course relies heavily on decade-old research but does not cover any developments since. For instance, the usability issues covered in the studies are for ancient versions of browsers with no discussion of how the browsers and our infosec vulnerabilities have changed since those studies were published. Another example is the instructor's eschewing of password managers while many knowledgeable folks in the infosec community today recommend their use. The usability challenges of password managers and a discussion of how they might be mitigated would have been more appropriate.

I took this course at the same time as "Software Security". I really enjoyed Software Security, but Usable Security was horrible. The instructor is a really bad teacher, and she doesn't seem to know anything about computer science, she is just a psychologist. The videos a poorly made (most of the course are not even prepared and they are just 3 people openly discussing about something). The slides are useless (just some photos and 2-3 words per slide, and there are a lot of courses which don't even have any slides). The quizzes are useless, you could answer them without even looking at the course. The questions of the final exam do not have a clear answer (for instance: they think that a password with 8 random characters is hard to crack, but it would take only a few days with a brute force attack, and also they think that a user chosen 8 character password is more secure than a random one, which is wrong in my opinion). A lot of questions could be either true or false depending on the context and there is no formality in this course. I would not recommend it at all, but I took it as part of the cybersecurity specialization. Thankfully, the Software Security course was really amazing.