Revisiting what it means to be Usable: Human-Centered Security Beyond End Users

Talk
Michelle Mazurek
Time: 09.05.2025 11:00 to 12:00

The human-centered security community has made significant progress in making security and privacy tools, notifications, and warnings more legible and usable for end users. However, many critical security and privacy problems remain out of the hands of end users, or -- even when simplified -- require more knowledge, time, or effort to manage than is reasonable or fair to expect from most users. As such, the next important challenge in human-centered security is to go beyond end users and explore how to make security and privacy more usable for the professionals whose decisions directly or indirectly affect end users at larger scale. These professionals include not only software developers, vulnerability analysts, and security operations personnel, but also social scientists who publish research data, product reviewers, and even YouTube influencers. In this talk, I will discuss three recent studies relevant to this goal: an experimental study evaluating the usefulness of security operations playbooks for incident response; a measurement study of the internet threat models conveyed by YouTube influencers in the process of advertising VPNs; and an interview study with social science researchers about how they de-identify datasets before they release them.