Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)"— Presentation transcript:

1 Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

2 Principles of Designing Secure Systems 1. Least privilege 2. Fail-safe defaults 3. Economy of mechanism 4. Complete mediation 5. Open Design 6. Separation of privilege 7. Least common mechanism 8. Psychological Acceptability 9. Defense in depth 10. Question assumptions

3 Principles of Designing Secure Systems 1. Least privilege 2. Fail-safe defaults 3. Economy of mechanism 4. Complete mediation 5. Open Design 6. Separation of privilege 7. Least common mechanism 8. Psychological Acceptability 9. Defense in depth 10. Question assumptions Psychological Acceptability  Hide complexity introduced by security mechanisms  Ease of installation, configuration, use  Human factors critical here

4 Usable Security "A computer is secure if you can depend on it and its software to behave as you expect." – Garfinkel & Spafford Humans are often the weak link in the security chain.

5 POP!

6 A Key Usable Security Problem Security is a secondary task  Nobody buys a computer so they can spend time securing it.  Time we spend configuring security and privacy tools is time we are not spending doing what we really want to be doing with our computers

7 Other Key Usability Problems Security systems and solutions are often complex  If the user cannot understand it, costly errors will occur Diverse users with diverse skills and diverse knowledge need to incorporate security in their daily lives

8 Grand Challenge “Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.” - Computing Research Association 2003

9 Approaches to usable security Make it “just work”  Invisible security Make security/privacy understandable  Make it visible  Make it intuitive  Use metaphors that users can relate to Train the user

10 Help Users Make Decisions Developers should not expect users to make decisions they themselves can’t make Present choices, not dilemmas

11

12

13

14 Users Don’t Check Certificates

15 Making concepts understandable

16

17 Making security and privacy visible Users could better manage online privacy and security if cues were more visible Cues must be understandable

18 Netscape SSL icons Cookie flag IE6 cookie flag Firefox SSL icon Symbols & Metaphors

19 Privacy policy matches user’s privacy preferences Privacy policy does not match user’s privacy preferences Privacy Bird Icons Web site privacy policies Many posted, few read

20 How do we know if a security or privacy cue is usable? Evaluate it  Why is it there?  Do users notice it?  Do they know what it means?  Do they know what they are supposed to do when they see it?  Will they actually do it?  Will they keep doing it?

21 Designing and Developing Usable and Secure Systems Requirements gathering Iterative design and development process Prototype evaluation Design walkthroughs Heuristic evaluation Usability tests  Lab or field studies

22 Heuristic Evaluations Discount usability technique Experts adopt the role of target users Review the prototype and identify issues  Complete core scenarios developed from requirements gathering  Identify usability issues through the application of design guidelines

23 General Usability Heuristics Heuristics as guidelines  Simple and natural dialogue  Speak the users' language  Minimize user memory load  Be consistent  Provide feedback  Provide clearly marked exits  Provide shortcuts  Deal with errors in positive and helpful manner  Provide help and documentation

24 Specialized Usability Heuristics Several specialized guidelines may apply  Web: http://www.usability.gov/pdfs/guidelines.html http://www.usability.gov/pdfs/guidelines.html

25 Principles for Secure Systems (2002) Path of Least Resistance  Match the most comfortable way to do tasks with the least granting of authority. Active Authorization  Grant authority to others in accordance with user actions indicating consent. Revocability  Offer the user ways to reduce others' authority to access the user's resources. Visibility  Maintain accurate awareness of others' authority as relevant to user decisions. Self-Awareness  Maintain accurate awareness of the user's own authority to access resources. Trusted Path  Protect the user's channels to agents that manipulate authority on the user's behalf. Expressiveness  Enable the user to express safe security policies in terms that fit the user's task. Relevant Boundaries  Draw distinctions among objects and actions along boundaries relevant to the task. Identifiability  Present objects and actions using distinguishable, truthful appearances. Foresight  Indicate clearly the consequences of decisions that the user is expected to make.

26 Guidelines for Security Interfaces (2007) Users should:  Be reliably made aware of the security tasks they must perform  Be able to figure out how to successfully perform those tasks  Not make dangerous errors  Be sufficiently comfortable with the interface to continue using it  Be able to tell when their task has been completed  Have sufficient feedback to accurately determine the current state of the system

Download ppt "Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)"

Similar presentations

Design, prototyping and construction

Design, prototyping and construction
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
User Interface Structure Design

User Interface Structure Design
2-May-15 GUI Design. 2 HMI design There are entire college courses taught on HMI (Human-Machine Interface) design This is just a very brief presentation.

2-May-15 GUI Design. 2 HMI design There are entire college courses taught on HMI (Human-Machine Interface) design This is just a very brief presentation.
IS214 Recap. IS214 Understanding Users and Their Work –User and task analysis –Ethnographic methods –Site visits: observation, interviews –Contextual.

IS214 Recap. IS214 Understanding Users and Their Work –User and task analysis –Ethnographic methods –Site visits: observation, interviews –Contextual.
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.

1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
Ch 11 Cognitive Walkthroughs and Heuristic Evaluation Yonglei Tao School of Computing and Info Systems GVSU.

Ch 11 Cognitive Walkthroughs and Heuristic Evaluation Yonglei Tao School of Computing and Info Systems GVSU.
Part 2c: Requirements Chapter 2: How to Gather Requirements: Some Techniques to Use Chapter 3: Finding Out about the Users and the Domain Chapter 4: Finding.

Part 2c: Requirements Chapter 2: How to Gather Requirements: Some Techniques to Use Chapter 3: Finding Out about the Users and the Domain Chapter 4: Finding.
Human Computer Interface. HCI and Designing the User Interface The user interface is a critical part of an information system -- it is what the users.

Human Computer Interface. HCI and Designing the User Interface The user interface is a critical part of an information system -- it is what the users.
James Tam User Centered Design Why User Centered Design is important Approaches to User Centered Design.

James Tam User Centered Design Why User Centered Design is important Approaches to User Centered Design.
Part 4: Evaluation Days 25, 27, 29, 31 Chapter 20: Why evaluate? Chapter 21: Deciding on what to evaluate: the strategy Chapter 22: Planning who, what,

Part 4: Evaluation Days 25, 27, 29, 31 Chapter 20: Why evaluate? Chapter 21: Deciding on what to evaluate: the strategy Chapter 22: Planning who, what,
Heuristic Evaluation. Sources for today’s lecture: Professor James Landay: stic-evaluation/heuristic-evaluation.ppt.

Heuristic Evaluation. Sources for today’s lecture: Professor James Landay: stic-evaluation/heuristic-evaluation.ppt.
Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.

Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.
(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏

(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏
Designing for security and privacy. Agenda Tests Tests Project questions? Project questions? Design lecture Design lecture Assignments Assignments.

Designing for security and privacy. Agenda Tests Tests Project questions? Project questions? Design lecture Design lecture Assignments Assignments.
Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.

Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.
Today’s class Group Presentation More about principles, guidelines, style guides and standards In-class exercises More about usability Norman’s model of.

Today’s class Group Presentation More about principles, guidelines, style guides and standards In-class exercises More about usability Norman’s model of.
Heuristic Evaluation Evaluating with experts. Discount Evaluation Techniques  Basis: Observing users can be time- consuming and expensive Try to predict.

Heuristic Evaluation Evaluating with experts. Discount Evaluation Techniques  Basis: Observing users can be time- consuming and expensive Try to predict.
Nine principles of design Simple and natural dialog Speak the user’s language Minimize user’s memory load Be consistent Provide feedback Provide clearly.

Nine principles of design Simple and natural dialog Speak the user’s language Minimize user’s memory load Be consistent Provide feedback Provide clearly.
Evaluating with experts

Evaluating with experts

Similar presentations

Ads by Google