ABSTRACT
End users are often cast as the weak link in computer security: they fall victim to social engineering and tend to know very little about security technology and policies. This paper challenges that view as derogatory and unconstructive, arguing that users, as agents of organizations, often have sophisticated strategies for handling sensitive data and are quite cautious. Existing work on user security practice has failed to consider how users themselves view security; this paper presents and analyzes end users' perspectives on security management. We suggest that properly designed systems would bridge the knowledge gap (where necessary) and mask levels of detail (where possible), allowing users to manage their security needs in synchrony with the needs of the organization. The evidence for our arguments comes from a set of in-depth interviews with users who have no special training in, knowledge of, or interest in computer security. We conclude with guidelines for security and privacy tools that better leverage users' existing knowledge.
Looking for trouble: understanding end-user security management