Archive for the 'User Understanding' Category

How Users Use Access Control

Friday, July 17th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a15-smetters.pdf
Diana Smetters and Nathan Good
Access control is a specification of policy indicating who can do what to whom.  Access control is hard to use.  People often get around it by granting overly permissive capabilities.  Looking at Windows XP, there are over a dozen checkboxes that can be flipped for each file!  However, people like [...]

Discussion Session: Invisible HCI-SEC: Ways of re-architecting the operating system to increase usability and security

Thursday, July 16th, 2009

Discussion session led by Simson Garfinkel.  Free-form discussion follows.
(there were other sessions, but as I only attended this one, this is the only one I got to blog)
Simson wants to talk about system constraints rather than usability constraints.  In practice, focusing on one to the detriment of the other simply creates an insecurity at [...]

1 + 1 = You: Measuring the comprehensibility of metaphors for configuring backup authentication

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a9-schechter.pdf
Stuart Schechter and Robert Reeder
What to do when the user forgets their password?  A common method is to provide security questions.  Unfortunately, an initial analysis of the most commonly used security questions found that none were all that great, suffering from either poor memorability or poor security.  What about e-mail based recovery?  This doesn’t work [...]

A “Nutrition Label” for Privacy

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a4-kelley.pdf
Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder
Privacy policies in their current form are typically long, dense, and ignored by users.  P3P is an XML format allowing websites to specify their privacy policy in a machine-readable manner.  The study’s initial attempt at visualizing the P3P data was to expand it into a [...]

School of Phish: A Real-World Evaluation of Anti-Phishing Training

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a3-kumaraguru.pdf
Ponnurangam Kumaraguru, Justin Cranshaw, Alessandro Acquisti, Lorrie Cranor, Jason Hong, Mary Ann Blair and Theodore Pham
How do we train users to not be phished?  There are existing materials out there that are pretty good, but they could be better.  Regardless, most people don’t proactively go looking for security training materials and “security notice” e-mails sent [...]

Social Applications: Exploring A More Secure Framework

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a2-besmer.pdf
Andrew Besmer, Heather Lipford, Mohamed Shehab and Gorrell Cheek
Social applications are apps built on top of social network platforms such as Facebook or Google’s OpenSocial.  They are intended to leverage the social network to provide value to users.
Typically, when installing an app, the user is presented with a screen prompting them to approve access to [...]

Revealing Hidden Context: Improving Mental Models of Personal Firewall Users

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a1-raja.pdf
Fahimeh Raja, Kirstie Hawkey and Konstantin Beznosov
A tenet of Usable Security put forth by Ka-Ping Yee and others is that the user should always be able to view and understand their current security state.  As users become more mobile this becomes even more important because the underlying state may be dynamic and so security implications [...]