Conference Paper

Two experiences designing for effective security

DOI: 10.1145/1073001.1073004 Conference: Proceedings of the 1st Symposium on Usable Privacy and Security, SOUPS 2005, Pittsburgh, Pennsylvania, USA, July 6-8, 2005
Source: DBLP


In our research, we have been concerned with the question of how to make relevant features of security situations visible to users in order to allow them to make informed decisions regarding potential privacy and security problems, as well as regarding potential implications of their actions. To this end, we have designed technical infrastructures that make visible the configurations, activities, and implications of available security mechanisms. This thus allows users to make informed choices and take coordinated and appropriate actions when necessary. This work differs from the more traditional security usability work in that our focus is not only on the usability of security mechanism (e.g., the ease-of-use of an access control interface), but how security can manifest itself as part of people's interactions with and through information systems (i.e., how people experience and interpret privacy and security situations, and are enabled or constrained by existing technological mechanisms to act appropriately). In this paper, we report our experiences designing, developing, and testing two technical infrastructures for supporting this approach for usable security.


Available from: Paul Dourish
  • Source
    • "While an effective mental model does not need to include all the technical system details , it does need to be functional and allow users to predict both observable system behaviours and the consequences of the users' actions [4]. Concealing system details as a means of reducing complexity may leave users unable to respond to unexpected system events [9]; enough technical details must be provided so that users can make informed decisions as they interact with security tools [8]. We cannot hide the inner complexity for the sake of interface simplicity, if the user is then left with an ineffective mental models for those times they must interact. "
    [Show abstract] [Hide abstract]
    ABSTRACT: The Windows Vista personal rewall provides its diverse users with a basic interface that hides many operational de- tails. However, concealing the impact of network context on the security state of the rewall may result in users devel- oping an incorrect mental model of the protection provided by the rewall. We present a study of participants' men- tal models of Vista Firewall (VF). We investigated changes to those mental models and their understanding of the re- wall's settings after working with both the VF basic interface and our prototype. Our prototype was designed to support development of a more contextually complete mental model through inclusion of network location and connection infor- mation. We found that participants produced richer mental models after using the prototype than when working with the VF basic interface; they were also signicantly more ac- curate in their understanding of the conguration of the re- wall. Based on our results, we discuss methods of improving user understanding of underlying system states by revealing hidden context, while considering the tension between com- plexity of the interface and security of the system.
    Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS 2009, Mountain View, California, USA, July 15-17, 2009; 01/2009
  • Source
    • "Further, literature and history shows that the ICT evolution is heavily linked with the core concepts of creativity which enables new technologies to emerge. Gupta [20] introduced the idea of creative knowledge networks that have the capacity to " unfold tremendous creative energy of our society by helping people dream and converting these dreams into reality by networking with other individuals and institutions. " Likewise, the importance of collaboration, for our focus digital or virtual collaboration, is identified as being a valued commodity for successful innovation [21]. "
    [Show abstract] [Hide abstract]
    ABSTRACT: Digital Collaborations are proving themselves as ideal environments for increasing the productivity and knowledge exploration capabilities of their members. Many organizations are realizing the diverse range of benefits they provide to not only their organization as a whole but also to individual employees. The challenge in environments that encourage the sharing of resources, in particular data, is finding a sustainable balance between the need to provide access to data while also insuring its security in addition to the privacy of the entities it may pertain to. In this paper we propose an authentication framework that uniquely combines both traditional and biometric methods of authentication with an additional novel audiovisual method of authentication. The CASE (Combined Authentication Scheme Encapsulation) methodology, the name of our solution, provides an effective visual representation of both the authentication and information privacy hierarchies associated with data requests within digital collaborative environments.
    Proceedings of the 2008 International Conference on Security & Management, SAM 2008, Las Vegas, Nevada, USA, July 14-17, 2008; 06/2008
  • Source
    • "In order for a user to make an informed decision, certain aspects of security situations need to be made visible to the user. Rogerio de Paula et al. [3] report their experiences in designing, developing, and testing technical infrastructures in order to see how security is manifested during these phases. The discovered that the implementations and integration of various components of today's technical infrastructure is awkward and hard to use. "
    [Show abstract] [Hide abstract]
    ABSTRACT: An increasing number of people rely on secure websites to carry out their daily business. A survey conducted by Pew Internet states 42% of all internet users bank online. Considering the types of se- cure transactions being conducted, businesses are rigorously testing their sites for security flaws. In spite of this testing, some design flaws still remain that prevent secure usage. In this paper, we exam- ine the prevalence of user-visible security design flaws by looking at sites from 214 U.S. financial institutions. We specifically chose financial websites because of their high security requirements. We found a number of flaws that may lead users to make bad security decisions, even if they are knowledgeable about security and ex- hibit proper browser use consistent with the site's security policies. To our surprise, these design flaws were widespread. We found that 76% of the sites in our survey suffered from at least one design flaw. This indicates that these flaws are not widely understood, even by experts who are responsible for web security. Finally, we present our methodology for testing websites and discuss how it can help systematically discover user-visible security design flaws.
    Proceedings of the 4th Symposium on Usable Privacy and Security, SOUPS 2008, Pittsburgh, Pennsylvania, USA, July 23-25, 2008; 01/2008
Show more