Usability of Security Administration

July 8, 2005 by Ping

This morning’s panel compared the design of usable security for end users and for security administrators.  Kosta Beznosov introduced the panel and raised the question of the boundary between users and administrators: what about systems where users are responsible for some amount of self-administration?  Mary Ellen Zurko extended the comparison to three groups: developers, administrators, and users, with each one successively later in the lifecycle.  When there is no administrator, the developer must substitute; but most developers would rather not deal with security permissions.  Steve Chan pointed out that most GUIs don’t scale to handle large datasets (“Sysadmins don’t use emacs just because they’re hairy-chested machos; they have good reasons.”).  So lots of admins use grep; everyone has their own background, which shapes their work practices.  Greg Conti emphasized the clash of cultures between users and administrators.  Users see the paperclip; admins read man pages; users get ZoneAlarm; admins use iptables; and so on.

  • How much of the responsibility for security can administrators take on?  How much must remain on users?
  • Whose responsibility is it to bridge the culture gap, and how can it be done?
  • What about bridging the gap between management and administrators?
  • How can tools help administrators maintain better awareness of what their users and systems are doing, so that they feel more comfortable delegating?
  • Can information visualization tools be developed to provide enough flexibility for system administrators to use, or is the abstraction of data fundamentally too risky?

Your thoughts?

One of my longstanding thoughts on this topic has been that end users require different abstractions than system administrators.

For the most part this hasn’t quite happened.

Take personal firewalls. End users often find them hard to use, and in many cases will not use them because of the perceived complexity. Even with Zone Alarm, which is supposedly a personal firewall designed for the end user, the outgoing prompts are opaque and confusing. Does the typical end user know that there is any association between “WINWORD.EXE” and Microsoft Word? It seems that most personal firewalls try to simplify what is going on by eliminating information rather than trying to come up with a meaningful way of presenting it.

What are some thoughts on new ways of abstracting the functions of a personal firewall?

What are some other examples of software where the abstractions are broken or too complex for the user at a fundamental level?


Slides from the panel are located here.