ABSTRACT
In our research, we have been concerned with the question of how to make relevant features of security situations visible to users in order to allow them to make informed decisions regarding potential privacy and security problems, as well as regarding potential implications of their actions. To this end, we have designed technical infrastructures that make visible the configurations, activities, and implications of available security mechanisms. This thus allows users to make informed choices and take coordinated and appropriate actions when necessary. This work differs from the more traditional security usability work in that our focus is not only on the usability of security mechanism (e.g., the ease-of-use of an access control interface), but how security can manifest itself as part of people's interactions with and through information systems (i.e., how people experience and interpret privacy and security situations, and are enabled or constrained by existing technological mechanisms to act appropriately). In this paper, we report our experiences designing, developing, and testing two technical infrastructures for supporting this approach for usable security.
- Carzaniga, A., Rosenblum, D. S., and Wolf, A. L. 2001. Design and Evaluation of a Wide-Area Event Notification Service. ACM Transactions on Computer Systems, August, Vol. 19 Issue 3, pp. 332--383.]] Google ScholarDigital Library
- Denning, D. 1987. An Intrusion-Detection Model. IEEE Trans. Software Engineering, 13(2), 222--232.]] Google ScholarDigital Library
- de Paula, R. (2004). The construction of usefulness: How users and context create meaning with a social networking system. Unpublished Unpublished Ph.D. Dissertation, University of Colorado at Boulder, Boulder, CO.]] Google ScholarDigital Library
- de Paula, R., Ding, X., Dourish, P., Nies, K., Pillet, B., Redmiles, D., et al. (2005). In the eye of the beholder: A visualization-base approach to information system security. International Journal of Human-Computer Studies (to appear).]] Google ScholarDigital Library
- Dourish, P., & Anderson, K. (2005). Privacy, security ... and risk and danger and secrecy and trust and identity and morality and power: Understanding collective information practices: Irvine, CA: Institute for Software Research. Technical Report UCI-ISR-05-1.]]Google Scholar
- Dourish, P. and Byttner, J. (2002). A Visual Virtual Machine for Java Programs: Exploration and Early Experiences. Proceedings of the ICDMS Workshop on Visual Computing (Redwood City, CA).]]Google Scholar
- Dourish, P., Grinter, R., Delgado de la Flor, J., and Joseph, M. (2004). Security in the Wild: User Strategies for Managing Security as an Everyday, Practical Problem. Personal and Ubiquitous Computing, 8(6), 391--401.]] Google ScholarCross Ref
- Dourish, P. and Redmiles, D. (2002). An Approach to Usable Security Based on Event Monitoring and Visualization. Proceedings of the New Security Paradigms Workshop 2002 (Virginia Beach, VA). New York: ACM.]] Google ScholarDigital Library
- Goland, Y., Whitehead, E., Faizi, A., Carter, S. and Jensen, D., 1999. HTTP Extensions for Distributed Authoring - WEBDAV. Internet Engineering Task Force, Internet Proposed Standard Request for Comments 2518, February.]] Google ScholarDigital Library
- Good, N., and Krekelberg, A. 2003. Usability and Privacy: A study of Kazaa P2P file-sharing. Proc. ACM Conf. Human Factors in Computing Systems CHI 2003 (Ft Lauderdale, FL). New York: ACM.]] Google ScholarDigital Library
- Henning, R. 1999. Security Service Level Agreements: Quantifiable Security for the Enterprise? New Security Paradigm Workshop (Ontario, Canada), 54--60. IEEE.]] Google ScholarDigital Library
- Irvine, C. and Levin, T. 1999. Towards a Taxonomy and Costing Method for Security Services. Proc. 15th Annual Computer Security Applications Conference. IEEE.]] Google ScholarDigital Library
- Irvine, C. and Levin, T. 2001. Quality of Security Service. Proc. ACM New Security Paradigms Workshop, 91--99.]] Google ScholarDigital Library
- Kantor, M., Redmiles, D. 2001. Creating an Infrastructure for Ubiquitous Awareness, Eight IFIP TC 13 Conference on Human-Computer Interaction (INTERACT 2001---Tokyo, Japan), 431--438.]]Google Scholar
- Lunt, T. and Jagannathan. 1988. A Prototype Real-Time Intrusion-Detection Export System. Proc. IEEE Symposium on Security and Privacy, 59--66. New York: IEEE.]]Google Scholar
- Orlikowski, W. J., & Gash, D. C. (1994). Technological frames: Making sense of information technology in organizations. ACM Transactions on Information Systems (TOIS), 12(2), 174--207.]] Google ScholarDigital Library
- Palen, L. and P. Dourish (2003). Unpacking "privacy" for a networked world. Proceedings of the SIGCHI conference on Human factors in computing systems, Ft. Lauderdale, Florida, USA, ACM Press.]] Google ScholarDigital Library
- Segall, B. and Arnold, D. (1997). Elvin has left the building: A publish/subscribe notification service with quenching Proceedings AUUG97 (Brisbane, Australia).]]Google Scholar
- Sheehan, K. 2002. Towards a Typology of Internet Users and Online Privacy Concerns. The Information Society, 18, 21--23.]]Google ScholarCross Ref
- Silva Filho R. S., De Souza C. R. B., and Redmiles D. F.(2003). The Design of a Configurable, Extensible and Dynamic Notification Service. Proc. Second International Workshop on Distributed Event-Based Systems (DEBS'03).]] Google ScholarDigital Library
- Spyropoulou, E., Levin, T., and Irvine, C. 2000. Calculating Costs for Quality of Security Service. Proc. 16th Computer Security Applications Conference. IEEE.]] Google ScholarDigital Library
- Tatar, D., Foster, G., and Bobrow, D. (1991). Designing for Conversation: Lessons from Cognoter. International Journal of Man-Machine Studies, 34, 185--209.]] Google ScholarDigital Library
- Thomsen, D. and Denz, M. 1997. Incremental Assurance for Multilevel Applications. Proc. 13th Annual Computer Security Applications Conference. IEEE.]] Google ScholarDigital Library
- Whitten, A. and Tygar, J.D. 1999. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. Proc. Ninth USENIX Security Symposium.]] Google ScholarDigital Library
- Zurko, M. E. and Simon, R. 1996. User-Centered Security. Proc. New Security Paradigms Workshop. ACM.]] Google ScholarDigital Library
Recommendations
Seeing further: extending visualization as a basis for usable security
SOUPS '06: Proceedings of the second symposium on Usable privacy and securityThe focus of our approach to the usability considerations of privacy and security has been on providing people with information they can use to understand the implications of their interactions with a system, as well as, to assess whether or not a ...
In the eye of the beholder: a visualization-based approach to information system security
Special isssue: HCI research in privacy and security is critical nowComputer system security is traditionally regarded as a primarily technological concern; the fundamental questions to which security researchers address themselves are those of the mathematical guarantees that can be made for the performance of various ...
Refining the Understanding of Usable Security
HCI for Cybersecurity, Privacy and TrustAbstractCybersecurity technologies and processes must be usable if users are to make effective use of protection. Many security practitioners accept the value of usable security, but few can precisely define it in practice and in terms of how it ...
Comments