Despite the advances in research on usable secureemail, the majority of mail user agents found in practicestill violates best practices in UI design and uses ineffectiveand inhomogeneous design strategies to communicate andlet users control the security status of an email message.We propose a novel interaction and design concept thatwe refer to as persuasive message design. Our approachis derived from heuristics and a systematic meta-study ofexisting HCI literature on email management, usable secureemail and phishing research. Concluding on this body ofknowledge we propose the design of interfaces that sup-presses weak cues and instead manipulates the display ofemails according to their technical security level. Persuasivemessage design addresses several shortcomings of currentsecure email user interfaces and provides a consistent userexperience that can be deployed even by email providers.
Software development is a complex task. Merely focussing on functional requirements is not sufficient any more. Developers are responsible to take many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong will result in a large user-base being potentially at risk. A similar situation exists for administrators. Security defaults have been put into place here to encounter lacking security controls. As first attempts to establish security by default in software development are flourishing, the question on their usability for developers arises.
In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as security default in a web framework. When deployed correctly, CSP is a valid protection mean in a defence-in-depth strategy against code injection attacks. In this paper we present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when deployed as security default. Our results emphasize that the deployment as security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve and not weaken security. We provide first insights to inform research about aiding developers in the creation of secure web applications with usable security by default.
