Review on Usable Security Course by Maryland University on coursera.org
During one of the autumn evenings I found an email from Coursera about Specialization program. For me I found interesting specialization in Cybersecurity. If I'm not mistaken in Maryland University there is one of the biggest Security Operation Centers in US. The specialization contains 4 courses: Usable Security, Software Security, Cryptography, Hardware Security. All courses have their own dates to start, so you can enter a course. If you want verified certificate or you'd like to finish Cybersecurity specialization you should follow signature track and pay 49$ for each course.
Signature Track is a way that you can confirm your identity. You should type some text, so they can verify you. Also they took your photo and asked to send your government id with photo. This scheme is implemented in such way: you complete quizz and then they took your typo and photo. Of course, this is not the way to clearly identify you, there are a lot of ways to overcome it. But as for me, the main reason is to get knowledge, not to achieve certificates.
Let's come back to our courses. I started with Usable Secuity. When I first read the syllabus, I thought: "Oh, piece of cake... What is the reason to give such kind of material?" I worked in the field of security for almost 4 years, not so much, but enough to understand some key principles. You assess risks, find suitable security measures, implement them and also include this in your information security policy. Of course, your users are a part of this process, but you educate them and control what they are doing. But this course gave me some info to think about...
Course included 5 key themes: design principles, measuring and evaluating usability, authentication, web browsing and privacy. The material was not technical, so you could not find any descriptions of secure authentication schemes and etc. During week 1 human computer interaction and ways of measuring usability was described in details. Week 2 was about design and ways how to perform it. Week 3 gave key concepts how to evaluate system design (controlled experiments, A\B testing and etc). Week 4 provided me with solid guidelines for usable security. Week 5 revealed usable authentication theme. I was surprised when professor started to check current browser https certificate validation on professor of biology, who was not so familiar with computer security at all. He was a little bit shocked when he saw warning. When she became to show him how to accept risk and got access to site... For him it was a rocket science... As for me, he is smart person, but he is not living in the field of computer security, so all these things and tricks are not convenient for him.
Week 6 was about usable privacy. Professor gave good list about how to make terms and agreements clear to users. Then final exam and course was finished.
I got certificate with verification link on it.
For me this course was very useful. Now I tried to think and act like a user or ask user to do something, because the only way to develop a secure system by design is to develop it convenient and clear for users and administrators.