SOUPS Discussion Forums

July 25, 2008 by Richard Conlan

SOUPS included four parallel track discussion forums:
http://cups.cs.cmu.edu/soups/2008/program.html#discuss

Understanding PCI Regulations and Applying Strategies to Ensure Cardholder Privacy
Moderator: Eric Offenberg, IBM

Discussion topics will include:

* Understanding how safeguarding customer data protects a company’s bottom line
* Assessing the impact of PCI requirements on retailers, merchants, banks, and other affected corporations
* Overcoming the fears associated with implementing technologies to become/remain compliant with PCI
* Discovering how PCI compliance can be leveraged to reduce costs and improve operational efficiency

Metrics for Characterizing Research Participants’ Technical Knowledge
Moderators: Serge Egelman and Ponnurangam Kumaraguru, Carnegie Mellon University

User studies can only contribute to human knowledge if they are generalizable across a known population.  Thus, the sample for a given user study needs to be describable so that it can be generalized to a larger population.  In many user studies, a user’s technical prowess can have a profound impact on the results of the study.  The ability to quantify (or at least classify) a user’s technical knowledge is becoming increasingly necessary in order to generalize studies across populations as well as to compare the results of one study to another.  Some examples that researchers have used in the past are: (1) educational background, (2) Internet usage, (3) computer usage, and (4) security knowledge.  But these metrics are not used consistently across studies.  In this discussion session we plan to examine various metrics that can be used to quantify or classify technical knowledge.  We plan to present the metrics that have been used in previous studies and to reach some consensus on the metrics during the session.

HCI-SEC Research, Private Data, and complying with the Common Rule
Moderator: Simson Garfinkel, Naval Postgraduate School

Even if you aren’t working with living breathing human subjects, your work into security and usability could easily require that you involve your organization’s Institutional Review Board (IRB).  That’s because 45 CFR 46, the Common Rule, covers not just the use of humans in experimental research but the use of data generated by humans under many circumstances.  In this discussion we will explore some of the ways that federal regulations may read on research, alternative interpretations, and formulate an agenda for change.

Balancing Security, Usability and Cost
Moderator: Ehab Al-Shaer, DePaul University

The main objective of deploying security in IT networks is to minimize the risk of compromising or interrupting network services.  Due to the lack of theoretical foundations and experimentation in this area, achieving cost-effective security configuration is very challenging.  As a result, most existing practice, even by expert IT administrators, is ad hoc, causing errors and instability.  This panel will address many of the important related issues in this area:

* What are the main factors of security risk?  How can they be defined and measured objectively?
* How should existing countermeasures be considered when estimating residual risk?
  * Although performance is well defined, metrics for flexibility and cost are not far from being realized.
* How can security configuration be optimized to achieve balanced, cost-effective security?  Are there scalability issues here?
  * How can security configuration be automatically optimized to track dynamic changes in risk?
* How would a solution be envisioned in multi-domain networks, where domains often have conflicting objectives and independent administration?
* How would this framework be presented to end users so that it is easy to use and manage?