Security software is often difficult to use thus leading to poor adoption and degraded security. This paper describes a usability study that was conducted on the software 'Polaris'. This software is an alpha release that uses the Principle of Least Authority (POLA) to deny viruses the authority to edit files. Polaris was designed to align security with usability. The study showed that despite this aim, usability problems remained, especially when the study participants had to make security related decisions. They also showed apathy towards security, and knowingly compromised their security to get work done faster. This study also demonstrates the difficulty in achieving security and usability alignment when the usability is a post hoc consideration added to a developed product, rather than being integrated from the start. The alleviation of usability problems from security software proposed in this paper are threefold: reducing the burden on the user to make security related decisions, counteracting user's apathy by ensuring that the fast way of doing things is the secure way, and integrating security software with the operating system throughout development.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Dirk Balfanz , Glenn Durfee , Rebecca E. Grinter , D. K. Smetters, In Search of Usable Security: Five Lessons from the Field, IEEE Security and Privacy, v.2 n.5, p.19-24, September 2004  [doi>10.1109/MSP.2004.71]
	2	Barry W. Boehm, A Spiral Model of Software Development and Enhancement, Computer, v.21 n.5, p.61-72, May 1988  [doi>10.1109/2.59 ]
	3	Brooke, J., Sus: A quick and dirty usability scale, in Usability evaluation in industry, P. Jordan, B. Thomas, and B. Weerdmeester, Editors. 1996, Taylor and Francis: London.
	4	Rogério de Paula , Xianghua Ding , Paul Dourish , Kari Nies , Ben Pillet , David Redmiles , Jie Ren , Jennifer Rode , Roberto Silva Filho, Two experiences designing for effective security, Proceedings of the 2005 symposium on Usable privacy and security, p.25-34, July 06-08, 2005, Pittsburgh, Pennsylvania  [doi>10.1145/1073001.1073004]
	5	Dourish, P., J. Delgado de la Flor, and M. Joseph. Security as a practical problem: Some preliminary observations of everyday mental models. in Workshop on HCI and Security Systems, CHI20032003. Fort Lauderdale, Florida, USA: ACM.
	6	Paul Dourish , David Redmiles, An approach to usable security based on event monitoring and visualization, Proceedings of the 2002 workshop on New security paradigms, September 23-26, 2002, Virginia Beach, Virginia  [doi>10.1145/844102.844116]
	7	eBay, Using ebay toolbar's account guard, http://pages.ebay.com/help/confidence/account-guard.html. 2006. Accessed on 20th April 2006.
	8	Ivan Flechais , M. Angela Sasse , Stephen M. V. Hailes, Bringing security home: a process for developing secure and usable systems, Proceedings of the 2003 workshop on New security paradigms, August 18-21, 2003, Ascona, Switzerland  [doi>10.1145/986655.986664]
	9	Simson L. Garfinkel , Robert C. Miller, Johnny 2: a user test of key continuity management with S/MIME and Outlook Express, Proceedings of the 2005 symposium on Usable privacy and security, p.13-24, July 06-08, 2005, Pittsburgh, Pennsylvania  [doi>10.1145/1073001.1073003]
	10	Gerd, D. and T. Markotten. User-centered security engineering. in Nordu20022002. Helsinki, Finland.
	11	Gutmann, P., Inadvertent case study in ssl server cert effectiveness, hcisec@Yahoogroups.com, Editor. 2005.
	12	ISO, Ergonomic requirements for office work with visual display terminals (vdts) - part 11: Guidance on usability. 1998, BSI.
	13	Nielsen, J., Security & human factors, http://www.useit.com/alertbox/20001126.html. 2000. Accessed on 20th February 2006.
	14	Nielsen, J., Why you only need to test with 5 users, http://www.useit.com/alertbox/20000319.html. 2000. Accessed on 29th November 2005.
	15	Volker Roth , Kai Richter , Rene Freidinger, A PIN-entry method resilient against shoulder surfing, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030116]
	16	Saltzer, J. and M. Schroeder, The protection of information in computer systems. Proceedings of the IEEE, 1975. 63(9): p. 1278--1308.
	17	Stiegler, M., A. H. Karp, K.-P. Yee, and M. Miller, Polaris: Virus safe computing for windows xp. 2004, HP. http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html
	18	Straub, T. and H. Baier. A framework for evaluating the usability and the utility of pki-enabled applications. in EuroPKI. 112--125 2004. Samos Island, Greece: Springer-Verlag GmbH.
	19	Robert A. Virzi, Refining the test phase of usability evaluation: how many subjects is enough?, Human Factors, v.34 n.4, p.457-468, Aug. 1992
	20	Dirk Weirich , Martina Angela Sasse, Pretty good persuasion: a first step towards effective password security in the real world, Proceedings of the 2001 workshop on New security paradigms, September 10-13, 2001, Cloudcroft, New Mexico  [doi>10.1145/508171.508195]
	21	Whitten, A. and J. D. Tygar. Why johnny can't encrypt: A usability evaluation of pgp 5.0. in Proceedings of the 8th USENIX security symposium. 169--184 1999. Washington, D.C.
	22	Jeff Yan , Alan , Ross , Alasdair, Password Memorability and Security: Empirical Results, IEEE Security and Privacy, v.2 n.5, p.25-31, September 2004  [doi>10.1109/MSP.2004.81]
	23	Ka-Ping Yee, User Interaction Design for Secure Systems, Proceedings of the 4th International Conference on Information and Communications Security, p.278-290, December 09-12, 2002
	24	Ka-Ping Yee, Aligning Security and Usability, IEEE Security and Privacy, v.2 n.5, p.48-55, September 2004  [doi>10.1109/MSP.2004.64]
	25	Mary Ellen Zurko , Charlie Kaufman , Katherine Spanbauer , Chuck Bassett, Did You Ever Have To Make Up Your Mind? What Notes Users Do When Faced With A Security Decision, Proceedings of the 18th Annual Computer Security Applications Conference, p.371, December 09-13, 2002
	26	Mary Ellen Zurko , Richard T. Simon, User-centered security, Proceedings of the 1996 workshop on New security paradigms, p.27-33, September 17-20, 1996, Lake Arrowhead, California, United States  [doi>10.1145/304851.304859]