Proceedings of the 2006 Symposium on Usable Privacy and Security


 
Time and place: 2006

Conf. description: Topics of SOUPS include, but are not limited to: innovative security or privacy functionality and design; new applications of existing models or technology; field studies of security or privacy technology; usability evaluations of security or privacy features, or security testing of usability features; and lessons learned from deploying and using usable privacy and security features.

Next conference: 09 Jul 2014 in Menlo Park, USA

Series: This is a preferred venue for people like Lorrie Faith Cranor, Robert W. Reeder, Jason Hong, Konstantin Beznosov, and Lorrie Cranor. Part of the SOUPS - Symposium on Usable Privacy and Security conference series.

References from this conference (2006)

The following articles are from "Proceedings of the 2006 Symposium on Usable Privacy and Security":


Articles

p. 1-7

DeWitt, Alexander J. and Kuljis, Jasna (2006): Aligning usability and security: a usability study of Polaris. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 1-7. Available online

Security software is often difficult to use, thus leading to poor adoption and degraded security. This paper describes a usability study that was conducted on the software 'Polaris'. This software is an alpha release that uses the Principle of Least Authority (POLA) to deny viruses the authority to edit files. Polaris was designed to align security with usability. The study showed that despite this aim, usability problems remained, especially when the study participants had to make security-related decisions. They also showed apathy towards security, and knowingly compromised their security to get work done faster. This study also demonstrates the difficulty in achieving security and usability alignment when the usability is a post hoc consideration added to a developed product, rather than being integrated from the start. The alleviations of usability problems in security software proposed in this paper are threefold: reducing the burden on the user to make security-related decisions, counteracting users' apathy by ensuring that the fast way of doing things is the secure way, and integrating security software with the operating system throughout development.

© All rights reserved DeWitt and Kuljis and/or ACM Press

p. 102-113

Wu, Min, Miller, Robert C. and Little, Greg (2006): Web wallet: preventing phishing attacks by revealing user intentions. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 102-113. Available online

We introduce a new anti-phishing solution, the Web Wallet. The Web Wallet is a browser sidebar which users can use to submit their sensitive information online. It detects phishing attacks by determining where users intend to submit their information and suggests an alternative safe path to their intended site if the current site does not match it. It integrates security questions into the user's workflow so that its protection cannot be ignored by the user. We conducted a user study on the Web Wallet prototype and found that the Web Wallet is a promising approach. In the study, it significantly decreased the

© All rights reserved Wu et al. and/or ACM Press

p. 114-121

Karger, Paul A. (2006): Privacy and security threat analysis of the federal employee personal identity verification (PIV) program. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 114-121. Available online

This paper is a security and privacy threat analysis of the new Federal Information Processing Standard for Personal Identity Verification (FIPS PUB 201). It identifies some problems with the standard, and it proposes solutions to those problems, using standardized cryptographic techniques that are based on the Internet Key Exchange (IKE) protocol [16]. When the standard is viewed in the abstract, it seems to effectively provide security and privacy, because it uses strong cryptographic algorithms. However, when you examine the standard in the context of potential user scenarios regarding its use, security, privacy, and usability problems can be identified. User scenarios are employed to provide the context for the identification of these problems, and the technical solutions are described to address the issues raised.

© All rights reserved Karger and/or ACM Press

p. 122-132

Newman, Richard, Gavette, Sherman, Yonge, Larry and Anderson, Ross (2006): Protecting domestic power-line communications. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 122-132. Available online

In this paper we describe the protection goals and mechanisms in HomePlug AV, a next-generation power-line communications standard. This is a fascinating case-history in security usability. There are also novel protocol issues; interactions with mechanisms at other layers; and opportunities for both researchers and third-party vendors to build on the mechanisms provided. The central problem -- being sure whether a device being enrolled in the network is the device you think, not a similar one nearby -- is not well solved by conventional mechanisms such as public-key infrastructures, but appears to require either very old-fashioned or very novel approaches.

© All rights reserved Newman et al. and/or ACM Press

p. 133-144

Gideon, Julia, Cranor, Lorrie, Egelman, Serge and Acquisti, Alessandro (2006): Power strips, prophylactics, and privacy, oh my!. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 133-144. Available online

While Internet users claim to be concerned about online privacy, their behavior rarely reflects those concerns. In this paper we investigate whether the availability of comparison information about the privacy practices of online merchants affects users' behavior. We conducted our study using Privacy Finder, a "privacy-enhanced search engine" that displays search results annotated with the privacy policy information of each site. The privacy information is garnered from computer-readable privacy policies found at the respective sites. We asked users to purchase one non-privacy-sensitive item and then one privacy-sensitive item using Privacy Finder, and observed whether the privacy information provided by our search engine impacted users' purchasing decisions (participants' costs were reimbursed, in order to separate the effect of privacy policies from that of price). A control group was asked to make the same purchases using a search engine that produced the same results as Privacy Finder, but did not display privacy information. We found that while Privacy Finder had some influence on non-privacy-sensitive purchase decisions, it had a more significant impact on privacy-sensitive purchases. The results suggest that when privacy policy comparison information is readily available, individuals may be willing to seek out more privacy friendly web sites and perhaps even pay a premium for privacy depending on the nature of the items to be purchased.

© All rights reserved Gideon et al. and/or ACM Press

p. 145-155

Rode, Jennifer Ann, Johansson, Carolina, DiGioia, Paul, Filho, Roberto Silva, Nies, Kari, Nguyen, David H., Ren, Jie, Dourish, Paul and Redmiles, David F. (2006): Seeing further: extending visualization as a basis for usable security. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 145-155. Available online

The focus of our approach to the usability considerations of privacy and security has been on providing people with information they can use to understand the implications of their interactions with a system, as well as to assess whether or not a system is secure enough for their immediate needs. To this end, we have been exploring two design principles for secure interaction: visualizing system activity and integrating configuration and action. Here we discuss the results of a user study designed as a broad formative examination of the successes and failures of an initial prototype based around these principles. Our response to the results of this study has been twofold. First, we have fixed a number of implementation and usability problems. Second, we have extended our visualizations to incorporate new considerations regarding the temporal and structural organization of interactions.

© All rights reserved Rode et al. and/or ACM Press

p. 20-31

Cao, Xiang and Iverson, Lee (2006): Intentional access management: making access control usable for end-users. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 20-31. Available online

The usability of access control mechanisms in modern distributed systems has been widely criticized but little studied. In this paper, we carefully examine one such widely deployed access control mechanism, the one embedded in the WebDAV standard, from the point-of-view of an end-user trying to decide how to grant or deny access to some resource to a third party. This analysis points to problems with the conceptual usability of the system. Significant effort is required on the part of the user to determine how to implement the desired access rules; the user, however, has low interest and expertise in this task, given that such access management actions are almost always secondary to the collaborative task at hand. The analysis does however indicate a possible solution: to recast the access control puzzle as a decision support problem in which user intentions (i.e. the descriptions of desired system outputs) are interpreted by an access mediator that either automatically or semi-automatically decides how to achieve the designated goals and provides enough feedback to the user. We call such systems intentional access management (IAM) systems and describe them in both specific and general terms. To demonstrate the feasibility and usability of the proposed IAM models, we develop an intentional access management prototype for WebDAV. The results of a user study conducted on the system show its superior usability compared to traditional access management tools like the access control list editor.

© All rights reserved Cao and Iverson and/or ACM Press

p. 32-43

Yee, Ka-Ping and Sitaker, Kragen (2006): Passpet: convenient password management and phishing protection. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 32-43. Available online

We describe Passpet, a tool that improves both the convenience and security of website logins through a combination of techniques. Password hashing helps users manage multiple accounts by turning a single memorized password into a different password for each account. User-assigned site labels (petnames) help users securely identify sites in the face of determined attempts at impersonation (phishing). Password-strengthening measures defend against dictionary attacks. Customizing the user interface defends against user-interface spoofing attacks. We propose new improvements to these techniques, discuss how they are integrated into a single tool, and compare Passpet to other solutions for managing passwords and preventing phishing.

© All rights reserved Yee and Sitaker and/or ACM Press

p. 44-55

Gaw, Shirley and Felten, Edward (2006): Password management strategies for online accounts. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 44-55. Available online

Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits. While they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats from human attackers, particularly viewing those close to them as the most motivated and able attackers; however, participants did not separate the human attackers from their potentially automated tools. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices. We also present potential changes in website authentication systems and password managers.

© All rights reserved Gaw and Felten and/or ACM Press

p. 56-66

Tari, Furkan, Ozok, A. Ant and Holden, Stephen H. (2006): A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 56-66. Available online

Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing. This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces [30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shoulder-surfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing. Findings indicate that configuring data entry for Passfaces through a keyboard is the most effective deterrent to shoulder-surfing in a laboratory setting, and the participants' perceptions were consistent with that result. While study participants believed that Passfaces with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.

© All rights reserved Tari et al. and/or ACM Press

p. 67-78

Kuo, Cynthia, Romanosky, Sasha and Cranor, Lorrie Faith (2006): Human selection of mnemonic phrase-based passwords. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 67-78. Available online

Textual passwords are often the only mechanism used to authenticate users of a networked system. Unfortunately, many passwords are easily guessed or cracked. In an attempt to strengthen passwords, some systems instruct users to create mnemonic phrase-based passwords. A mnemonic password is one where a user chooses a memorable phrase and uses a character (often the first letter) to represent each word in the phrase. In this paper, we hypothesize that users will select mnemonic phrases that are commonly available on the Internet, and that it is possible to build a dictionary to crack mnemonic phrase-based passwords. We conduct a survey to gather user-generated passwords. We show the majority of survey respondents based their mnemonic passwords on phrases that can be found on the Internet, and we generate a mnemonic password dictionary as a proof of concept. Our 400,000-entry dictionary cracked 4% of mnemonic passwords; in comparison, a standard dictionary with 1.2 million entries cracked 11% of control passwords. The user-generated mnemonic passwords were also slightly more resistant to brute force attacks than control passwords. These results suggest that mnemonic passwords may be appropriate for some uses today. However, mnemonic passwords could become more vulnerable in the future and should not be treated as a panacea.

© All rights reserved Kuo et al. and/or ACM Press

p. 79-90

Downs, Julie S., Holbrook, Mandy B. and Cranor, Lorrie Faith (2006): Decision strategies and susceptibility to phishing. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 79-90. Available online

Phishing emails are semantic attacks that con people into divulging sensitive information using techniques to make the user believe that information is being requested by a legitimate source. In order to develop tools that will be effective in combating these schemes, we first must know how and why people fall for them. This study reports preliminary analysis of interviews with 20 non-expert computer users to reveal their strategies and understand their decisions when encountering possibly suspicious emails. One of the reasons that people may be vulnerable to phishing schemes is that awareness of the risks is not linked to perceived vulnerability or to useful strategies in identifying phishing emails. Rather, our data suggest that people can manage the risks that they are most familiar with, but don't appear to extrapolate to be wary of unfamiliar risks. We explore several strategies that people use, with varying degrees of success, in evaluating emails and in making sense of warnings offered by browsers attempting to help users navigate the web.

© All rights reserved Downs et al. and/or ACM Press

p. 8-19

Brodie, Carolyn A., Karat, Clare-Marie and Karat, John (2006): An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 8-19. Available online

Today organizations do not have good ways of linking their written privacy policies with the implementation of those policies. To assist organizations in addressing this issue, our human-centered research has focused on understanding organizational privacy management needs, and, based on those needs, creating a usable and effective policy workbench called SPARCLE. SPARCLE will enable organizational users to enter policies in natural language, parse the policies to identify policy elements and then generate a machine readable (XML) version of the policy. In the future, SPARCLE will then enable mapping of policies to the organization's configuration and provide audit and compliance tools to ensure that the policy implementation operates as intended. In this paper, we present the strategies employed in the design and implementation of the natural language parsing capabilities that are part of the functional version of the SPARCLE authoring utility. We have created a set of grammars which execute on a shallow parser that are designed to identify the rule elements in privacy policy rules. We present empirical usability evaluation data from target organizational users of the SPARCLE system and highlight the parsing accuracy of the system with the organizations' privacy policies. The successful implementation of the parsing capabilities is an important step towards our goal of providing a usable and effective method for organizations to link the natural language version of privacy policies to their implementation, and subsequent verification through compliance auditing of the enforcement logs.

© All rights reserved Brodie et al. and/or ACM Press

p. 91-101

Fu, Anthony Y., Deng, Xiaotie, Wenyin, Liu and Little, Greg (2006): The methodology and an application to fight against Unicode attacks. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 91-101. Available online

Unicode is becoming a dominant character representation format for information processing. This presents a very dangerous usability and security problem for many applications. The problem arises because many characters in the UCS (Universal Character Set) are visually and/or semantically similar to each other. This presents a mechanism for malicious people to carry out Unicode Attacks, which include spam attacks, phishing attacks, and web identity attacks. In this paper, we address the potential attacks, and propose a methodology for countering them. To evaluate the feasibility of our methodology, we construct a Unicode Character Similarity List (UC-SimList). We then implement a visual and semantic based edit distance (VSED), as well as a visual and semantic based Knuth-Morris-Pratt algorithm (VSKMP), to detect Unicode attacks. We develop a prototype Unicode attack detection tool, IDN-SecuChecker, which detects phishing weblinks and fake user name (account) attacks. We also introduce the possible practical use of Unicode attack detectors.

© All rights reserved Fu et al. and/or ACM Press

Changes to this page (conference)

12 May 2008: Added
12 May 2008: Modified

Page Information

Page maintainer: The Editorial Team
URL: http://www.interaction-design.org/references/conferences/proceedings_of_the_2006_symposium_on_usable_privacy_and_security.html