Standardizing Usable Security and Privacy: Taking It To the Next Level, or Settling for Less?
Mary Ellen Zurko, IBM; Maritza Johnson, Columbia University

Web Security Context Working Group
- Specify a baseline set of security context information
- Specify practices for the secure and usable presentation
- Help users make decisions by providing them with the necessary information

Example WSC Conformance Statements
- User agents MUST make identity information available to users in all cases (even when the only identity information available is that no identity information was supplied).
- A client MUST NOT submit passwords from an unsecure page (even if the form is in a "secure" frame) to a secure server.
- Web User Agents MUST NOT display bitmaps controlled by Web Content in areas of the user interface that are intended or commonly used to communicate trust information to users.
- A user agent SHOULD allow users to view details of why a request or access to a site was blocked based on profile settings, including a description of which configuration setting or settings contributed to the site being blocked (but displayed only on request).
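
The second statement above has a non-obvious edge case: a form inside an https frame still counts as coming from an "unsecure page" when the top-level document is http, because whoever controls (or tampers with) the http page decides which frame the user sees. The following is an added example, not code from the WSC working group or from these slides, that models that rule as a pure decision function a user agent could run before submitting a form. It also returns a reason string, in the spirit of the SHOULD about explaining blocks to users on request. The function names and the sample URLs are constructed for illustration.

```javascript
// Added example, not code from the WSC working group or the slides: a pure
// decision function that models the conformance statement "a client MUST
// NOT submit passwords from an unsecure page (even if the form is in a
// 'secure' frame) to a secure server". Function names and the sample URLs
// below are constructed for illustration.

// A browsing context is only "secure" if every ancestor, from the top-level
// document down to the frame holding the form, is https. A secure frame
// embedded in an http page does not count: the attacker who controls (or
// tampers with) the http page chooses which frame is shown and can replace
// it with a look-alike that posts elsewhere.
function isSecureContext(ancestorChain) {
  if (!Array.isArray(ancestorChain) || ancestorChain.length === 0) {
    return false;
  }
  return ancestorChain.every((href) => new URL(href).protocol === "https:");
}

// Decide whether a form submission may proceed.
//   ancestorChain: absolute URLs, outermost first, ending with the frame
//                  that holds the form
//   action:        resolved form action URL
//   hasPassword:   true if the form contains an <input type="password">
// Returns { allow, reason } so a caller can both enforce the decision and
// explain it to the user when asked.
function evaluatePasswordSubmission({ ancestorChain, action, hasPassword }) {
  if (!hasPassword) {
    return { allow: true, reason: "no password field; rule does not apply" };
  }
  const target = new URL(action);
  if (target.protocol !== "https:") {
    // Not covered by the quoted statement, but no user agent should post a
    // password in cleartext either.
    return { allow: false, reason: "password would be sent to a non-https target" };
  }
  if (!isSecureContext(ancestorChain)) {
    const offender =
      ancestorChain.find((href) => new URL(href).protocol !== "https:") || "unknown";
    return {
      allow: false,
      reason: `form is displayed under an unsecure page (${offender}); a secure frame does not help`,
    };
  }
  return { allow: true, reason: "secure page to secure server" };
}

// Constructed scenarios (sample data, not from the slides).
const scenarios = [
  { name: "https page -> https server",
    input: { ancestorChain: ["https://login.example/"],
             action: "https://login.example/auth", hasPassword: true } },
  { name: "http page -> https server",
    input: { ancestorChain: ["http://news.example/"],
             action: "https://login.example/auth", hasPassword: true } },
  { name: "https frame inside http page -> https server",
    input: { ancestorChain: ["http://news.example/", "https://login.example/widget"],
             action: "https://login.example/auth", hasPassword: true } },
  { name: "https page -> http server",
    input: { ancestorChain: ["https://login.example/"],
             action: "http://login.example/auth", hasPassword: true } },
  { name: "search form, no password",
    input: { ancestorChain: ["http://news.example/"],
             action: "https://search.example/q", hasPassword: false } },
];

for (const s of scenarios) {
  const r = evaluatePasswordSubmission(s.input);
  console.log(`${r.allow ? "ALLOW" : "BLOCK"}  ${s.name}: ${r.reason}`);
}
```

Only the first and last scenarios are allowed; the third is the one the parenthetical in the statement is aimed at, and a check that looks only at the frame's own origin would wrongly let it through.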

Existing Standards
- Human-Centered Design Processes
- Usability Testing and Reporting
- Voting
- Privacy Standards - P3P
- How do usable security standards relate?

Potential Gains
- Increased interoperability and homogeneity
- Raise the bar on minimum expectations
- Motivate other work

Are we ready?
- Results show what we're doing wrong
- Can we extrapolate a better solution?
- Is stating what not to do better than nothing?

How do we avoid …
- Enshrining the lowest common denominator
- Introducing abstract or confusing options

Getting it Right
- What's the baseline?
- How much improvement is enough?
- What conditions should be tested, and how much testing is enough?
- What's the balance for effectiveness, efficiency, and satisfaction?

Testing Validity
- What level of assurance is necessary before a standard is suggested?
- How to keep a variety of needs in mind while keeping testing manageable?
- Is general testing possible while making specific recommendations?

Related links
- Usability standards:
- Voting and standards:
- W3C standards: