Chapter

Privacy, Security, and Trust: Human-Computer Interaction Challenges and Opportunities at Their Intersection.


Abstract

This chapter employs a medical scenario as context to illustrate privacy, security, and trust issues, and the pivotal nature of policy and the relationships among the three research areas are discussed. An overview of human-computer interaction and usability research and development in the privacy, security, and trust domains is presented. Views on privacy, security, and trust are reviewed in the context of current research and practice and directions for the future.


... We consider DevSecOps as an arena that, more than ever, promotes the industrial adoption of usable security tools [7,23]. On one hand, since DevSecOps is so tool intensive it lowers the usability threshold to allow more tools to be incorporated into the development tool-chain. ...
Preprint
DevSecOps, as the extension of DevOps with security training and tools, has become a popular way of developing modern software, especially in the Internet of Things arena, due to its focus on rapid development, with short release cycles, involving the user/client very closely. Security classification methods, on the other hand, are heavy and slow processes that require high expertise in security, the same as in other similar areas such as risk analysis or certification. As such, security classification methods are hardly compatible with the DevSecOps culture, which to the contrary, has moved away from the traditional style of penetration testing done only when the software product is in the final stages or already deployed. In this work, we first propose five principles for a security classification to be DevOps-ready, two of which will be the focus for the rest of the paper, namely to be tool-based and easy to use for non-security experts, such as ordinary developers or system architects. We then exemplify how one can make a security classification methodology DevOps-ready. We do this through an interaction design process, where we create and evaluate the usability of a tool implementing the chosen methodology. Since such work seems to be new within the usable security community, and even more so in the software development (DevOps) community, we extract from our process a general, three-steps 'recipe' that others can follow when making their own security methodologies DevOps-ready. The tool that we build is in itself a contribution of this process, as it can be independently used, extended, and/or integrated by developer teams into their DevSecOps tool-chains. Our tool is perceived (by the test subjects) as most useful in the design phase, but also during the testing phase where the security class would be one of the metrics used to evaluate the quality of their software.
... Human-Computer Interaction. Having the goal to evaluate the usability of privacy in technological systems and products, makes our work part of the larger Human-Computer Interaction (HCI) research on privacy [3,7,6,8]. Following the classifications made by Iachello and Hong in their review [4], we approach privacy from a "data protection" perspective by extracting usability related criteria from the GDPR. ...
Preprint
We introduce a new perspective on the evaluation of privacy, where rights of the data subjects, privacy principles, and usability criteria are intertwined. This new perspective is visually represented through a cube where each of its three axes of variability captures, respectively: principles, rights, and usability criteria. In this way, our model, called Usable Privacy Cube (or UP Cube), brings out two perspectives on privacy: that of the data subjects and that of the controllers/processors. In the long run, the UP Cube is meant to be the model behind a new certification methodology capable of evaluating the usability of privacy. Our research builds on the criteria proposed by the EuroPriSe certification scheme by adding usability criteria to their evaluation. We slightly reorganize the criteria of EuroPriSe to fit with the UP Cube model, i.e., we show how the EuroPriSe can be viewed as a combination of only principles and rights, forming the basis of the UP Cube. Usability criteria are defined based on goals that we extract from the data protection regulations, at the same time considering the needs, goals and characteristics of different types of users and their context of use. The criteria are designed to produce measurements of the level of usability with which the privacy goals of the data protection are reached. Considering usability criteria allows for greater business differentiation beyond GDPR compliance.
Article
The paper, ‘“Who Wants to Know all this Stuff?!”: Understanding Older Adults’ Privacy Concerns in Aged Care Monitoring Devices’, by Sami Alkhatib, Ryan Kelly, Jenny Waycott, George Buchanan, Marthie Grobler and Shuo Wang, published in Interacting with Computers (November 2021), explores the use of care technology and the privacy concerns of older people.
Article
Aged care monitoring devices (ACMDs) enable older adults to live independently at home. But to do so, ACMDs collect and share older adults’ personal information with others, potentially raising privacy concerns. This paper presents a detailed account of the different privacy problems in ACMDs that concern older adults. We report findings from interviews and a focus group conducted with older adults who are ageing in place. Using Daniel Solove’s privacy taxonomy to categorize privacy concerns, our analysis suggests that older adults are concerned about the potential for ACMDs to give rise to six problems: surveillance, secondary use of data, breach of confidentiality, disclosure, decisional interference and disturbing others. Other findings indicate that participants are worried about their ability to impose control over collection and management of their personal details and are willing to only accept privacy trade-offs during emergencies. We provide recommendations for ACMD developers and future directions to address findings from this research.
Chapter
We introduce a new model for evaluating privacy that builds on the criteria proposed by the EuroPriSe certification scheme by adding usability criteria. Our model is visually represented through a cube, called Usable Privacy Cube (or UP Cube), where each of its three axes of variability captures, respectively: rights of the data subjects, privacy principles, and usable privacy criteria. We slightly reorganize the criteria of EuroPriSe to fit with the UP Cube model, i.e., we show how EuroPriSe can be viewed as a combination of only rights and principles, forming the two axes at the basis of our UP Cube. In this way we also want to bring out two perspectives on privacy: that of the data subjects and, respectively, that of the controllers/processors. We define usable privacy criteria based on usability goals that we have extracted from the whole text of the General Data Protection Regulation. The criteria are designed to produce measurements of the level of usability with which the goals are reached. Precisely, we measure effectiveness, efficiency, and satisfaction, considering both the objective and the perceived usability outcomes, producing measures of accuracy and completeness, of resource utilization (e.g., time, effort, financial), and measures resulting from satisfaction scales. In the long run, the UP Cube is meant to be the model behind a new certification methodology capable of evaluating the usability of privacy, to the benefit of common users. For industries, considering also the usability of privacy would allow for greater business differentiation, beyond GDPR compliance.
Article
Policies that address security and privacy are pervasive parts of both technical and social systems, and technology that enables both organizations and individuals to create and manage such policies is a critical need in information technology (IT). This paper describes the notion of end-to-end policy management and advances a framework that can be useful in understanding the commonality in IT security and privacy policy management.