Usable Security Beyond End Users
For more than 20 years, the human-centered security community has investigated how to improve the usability and utility of security tools and interfaced aimed at end users. End users, however, are not the only people who make critical security decisions -- we must also consider how to make security easier for information-technology professionals such as software developers, software testers, and sysadmins. In this talk, I will discuss a research agenda for applying the methods and findings of human-centered security research to this constituency. This talk will focus on findings from several studies exploring the human reasons why secure development and operations often fail, as well as possible approaches for improvement. These include the effects of information resources (such as Stack Overflow), API design, and choice of programming tools on developers' likelihood of writing secure code, as well as the efficacy of educational tools such as capture-the-flag contests and threat modeling frameworks for improving software development and security operations.