Revisiting what it means to be usable: Usable security beyond end users

Talk
Michelle Mazurek
Time: 11.10.2023 11:00 to 12:00

The usable security community has made significant progress in making security and privacy tools, notifications, and warnings more legible for end users. However, many security and privacy problems remain out of the hands of end users, or -- even when simplified -- require more knowledge and effort than is reasonable to expect. As such, the next important challenge in usable security is to go beyond end users and explore how to make security and privacy more usable for professionals: software developers and security operations personnel, but also professionals who can influence end users at larger scale. In this talk, I will discuss three studies relevant to this goal: a study of the benefits and challenges of adopting secure programming languages, with Rust as a case study; a study evaluating the usefulness of security operations playbooks for incident response; and a study of whether and how product reviewers can help end users make more informed security and privacy decisions.