Posted on 2008-01-01, 00:00. Authored by Lorrie F Cranor.
Many secure systems rely on a “human in the loop” to perform security-critical functions. However, humans often
fail in their security roles. Whenever possible, secure system designers should find ways of keeping humans out of
the loop. However, there are some tasks for which feasible or cost-effective alternatives to humans are not available.
In these cases, secure system designers should engineer their systems to support the humans in the loop and maximize
their chances of performing their security-critical functions successfully. We propose a framework for reasoning
about the human in the loop that provides a systematic approach to identifying potential causes for human failure.
This framework can be used by system designers to identify problem areas before a system is built and proactively
address deficiencies. System operators can also use this framework to analyze the root cause of security
failures that have been attributed to “human error.” We provide examples to illustrate the applicability of this
framework to a variety of secure systems design problems, including anti-phishing warnings and password policies.