Usability of Computer Security: A Bibliography

by Rachna Dhamija

General
Access control
Authentication/Passwords
Biometrics
CSCW
Electronic commerce
Email security
Error messages
Media spaces
Multimodal interfaces
PGP
Privacy
Rapid prototyping
Social Engineering
Usability testing
Viruses
Misc

 

This is a collection of references relating to the usability of computer security that contains two types of papers: some are from the security literature and relate to user interfaces or the usability of security systems, while others are from the HCI literature and relate to privacy, user needs or user studies of security systems.

These are roughly organized by topic and then sorted by date, with the most recently published papers appearing first. Sources for this list include the HCIbib database and the collection of computer science bibliographies. This bibliography is in its formative stages, so please excuse citation/formatting errors. I am now providing archived versions of papers when the links to them break.

If you know of other articles I should include, any good starting points (pages, papers, journals or people) on the topic, or if you find any broken links, please let me know.


General

Users are not the Enemy: Why users compromise computer security mechanisms and how to take remedial measures. Anne Adams and Martina Angela Sasse; Commun. ACM 42, 12 (Dec. 1999), Pages 40-46

More than Screen Deep: Toward Every-Citizen Interfaces to the Nation's Information Infrastructure National Research Council Report, 1996 ISBN 0-309-06357-4; QA76.9.U83M67 1997

User-centered security, Mary Ellen Zurko and Richard T. Simon, Proceedings of the UCLA conference on New security paradigms workshops September 17 - 20, 1996, Lake Arrowhead, CA USA, Pages 27-33

Abstract: We introduce the term user-centered security to refer to security models, mechanisms, systems, and software that have usability as a primary motivation or goal. We discuss the history of usable secure systems, citing both past problems and present studies. We develop three categories for work in user-friendly security: applying usability testing and techniques to secure systems, developing security models and mechanisms for user-friendly systems, and considering user needs as a primary design goal at the start of secure system development. We discuss our work on user-centered authorization, which started with a rules-based authorization engine (MAP) and will continue with Adage. We outline the lessons we have learned to date and how they apply to our future work. We evaluate the pros and cons of this effort, as a precursor to further work in this area, and include a brief description of our current work in user-centered authorization. As our conclusion points out, we hope to see more work in user-centered security in the future; work that enables users to choose and use the protection they want, that matches their intuitions about security and privacy, and that supports the policies that teams and organizations need and use to get their work done.


Access control

Flexible Meta Access-Control for Collaborative Applications Primitives for Building Flexible Groupware Systems / Prasun Dewan / HongHai Shen Proceedings of ACM CSCW'98 Conference on Computer-Supported Cooperative Work 1998 p.247-256

Keywords: Access control, Collaboration, Computer supported cooperative work, Groupware, Privacy, Security

Abstract: Meta access-control, also called access administration, ensures that users do not make unauthorized access definitions. Such control in a collaborative system must support fine-grained protection, a flexible scheme for assigning access administrators, joint ownership of shared objects, multiple ownership semantics of varying complexity, delegation of access rights, and both shallow and deep revocation. It should also be easy to implement in a variety of applications, easy to use by users of varying sophistication with different protection needs, and offer a small set of features that can be incrementally learned. We have designed a new model to meet these requirements and implemented and used it in a generic, extensible collaborative system. We have also developed techniques for simulating a large variety of existing policies for meta access-control. In particular, we have developed an implementation-independent technique of indirect roles to support flexible delegation and revocation. In this paper, we identify requirements of meta access control, describe our model together with the techniques for using it, compare it with related work, give our experience with it, and evaluate how well it meets the requirements.

Task-Based Discretionary Security Considerations Congress II: Design and Implementation of Interactive Systems: HCI -- THE FUTURE; Knowledge-Based Systems / Gerhard Steinke Proceedings of the Fourth International Conference on Human-Computer Interaction 1991 v.2 p.996-1001

Keywords: Security, Discretionary access control, Knowledge base, Tasks

Abstract: A secure system should provide a user with permission to access only that information in the system which the user "needs to know". This paper suggests that tasks should be the focus of this need to know principle. At any point in time a user should be able to access only that information which is required for the completion of an assigned task. We provide an example of how task-based access permission is implemented in the Group Security model for a knowledge base system.

A Hierarchical Access Control Scheme for Digital Libraries, Chaitanya Baru, Arcot Rajasekar DL'98: Proceedings of the 3rd ACM International Conference on Digital Libraries 1998 p.275-276

Keywords: Digital library, Access control, Security

Abstract: We present an access control scheme that extends the authorization/privilege model employed in database systems to handle the notion of digital library collection hierarchies. This scheme is being implemented within the digital library infrastructure at the San Diego Supercomputer Center.

Access Control for Collaborative Environments Building Real-Time Groupware, HongHai Shen, Prasun Dewan Proceedings of ACM CSCW'92 Conference on Computer-Supported Cooperative Work 1992 p.51-58

Keywords: CSCW, Groupware, Access control, Protection, Security, User interface

Abstract: Access control is an indispensable part of any information sharing system. Collaborative environments introduce new requirements for access control, which cannot be met by using existing models developed for non-collaborative domains. We have developed a new access control model for meeting these requirements. The model is based on a generalized editing model of collaboration, which assumes that users interact with a collaborative application by concurrently editing its data structures. It associates fine-grained data displayed by a collaborative application with a set of collaboration rights and provides programmers and users a multi-dimensional, inheritance-based scheme for specifying these rights. The collaboration rights include traditional read and write rights and several new rights such as viewing rights and coupling rights. The inheritance-based scheme groups subjects, protected objects, and access rights; allows each component of an access specification to refer to both groups and individual members; and allows a specific access definition to override a more general one.


Authentication/Passwords

Are Passfaces more usable than passwords? A field trial investigation. S. Brostoff & M. A. Sasse. To be presented as a full paper at HCI 2000, September 5th - 8th, Sunderland, UK.

"Deja Vu: A User Study. Using Images for Authentication" by Rachna Dhamija and Adrian Perrig, to be published in the proceedings of the 9th USENIX Security Symposium, August 2000, Denver, Colorado

Users are not the Enemy: Why users compromise computer security mechanisms and how to take remedial measures. Anne Adams and Martina Angela Sasse; Commun. ACM 42, 12 (Dec. 1999), Pages 40 - 46

The Design and Analysis of Graphical Passwords (ps.gz, pdf). Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin. In Proceedings of the 8th USENIX Security Symposium, August, Washington DC, 1999. (Best Paper Award)

Abstract: In this paper we propose and evaluate new graphical password schemes that exploit features of graphical input displays to achieve better security than text-based passwords. Graphical input devices enable the user to decouple the position of inputs from the temporal order in which those inputs occur, and we show that this decoupling can be used to generate password schemes with substantially larger (memorable) password spaces. In order to evaluate the security of one of our schemes, we devise a novel way to capture a subset of the "memorable" passwords that, we believe, is itself a contribution. In this work we are primarily motivated by devices such as personal digital assistants (PDAs) that offer graphical input capabilities via a stylus, and we describe our prototype implementation of one of our password schemes on such a PDA, namely the Palm Pilot™.

Hash Visualization: A New Technique to Improve Real-World Security (PS (~3Mb), PS.gz (~900kB), and HTML). Adrian Perrig and Dawn Song, Carnegie Mellon University, in the proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce

Keywords: Human Factors in Security, hash visualization, user authentication through image recognition, root key validation.

Abstract: Current security systems suffer from the fact that they fail to account for human factors. This paper considers two human limitations: First, people are slow and unreliable when comparing meaningless strings; and second, people have difficulties in remembering secure passwords or PINs. We identify two applications where these human factors negatively affect security: Validation of root keys in public-key infrastructures, and user authentication. Our approach to improve the security of these systems is to use hash visualization, a technique which replaces meaningless strings with structured images. We examine the requirements of such a system and propose the prototypical solution Random Art. We also show how to apply hash visualization to improve the real-world security of root key validation and user authentication.

TeSSA2: Usability of Computer Security Ursula Holmström, Kristiina Karvonen, a research project of the Telecommunication Software and Multimedia Laboratory, Helsinki University of Technology

Abstract: The goal of the usability subproject is to find out and analyse the key factors behind users' comprehension of the Internet and computer security, privacy and trustworthiness. On basis of conducted user studies, a user-centered security model will be developed. The usability studies will be designed and conducted in close contact with the HST subproject (whose goal is to combine the TeSSA architecture and the Finnish Electronic Identity (HST) architectures and show that strong identification of a person to all parties involved is not usually necessary).

ID-Arts Passface papers:

The Science Behind Passfaces. We find it very hard to remember passwords and PINs yet the human brain is amazingly effective at the apparently harder task of remembering and recognising individual faces. Passfaces exploits this ability to provide a robust and intuitive authentication mechanism. This document summarises the scientific research on the physiology and advanced cognitive psychology behind Passfaces. It is intended for the general reader: the references include links to more detailed notes, scientific papers, their authors and institutions.

Passfaces and SPEKE: Complementary Techniques for Identity Verification. This paper discusses the relative merits of two security systems: the Passfaces identity verification system and the SPEKE cryptographic key exchange protocol. Both of these technologies are designed to verify human identity with a knowledge-based approach. This paper describes how these methods relate to each other, and how the combination of Passfaces and SPEKE provides a strong and convenient system for verifying identity over any network.

Making Passwords Secure and Usable Anne Adams, Martina Angela Sasse, Peter Lunt. Proceedings of the HCI'97 Conference on People and Computers XII 1997 p.1-19 [78K gzipped postscript]

Keywords: Security, Passwords, Grounded theory, Organisational factors

Abstract: To date, system research has focused on designing security mechanisms to protect systems access although their usability has rarely been investigated. This paper reports a study in which users' perceptions of password mechanisms were investigated through questionnaires and interviews. Analysis of the questionnaires shows that many users report problems, linked to the number of passwords and frequency of password use. In-depth analysis of the interview data revealed that the degree to which users conform to security mechanisms depends on their perception of security levels, information sensitivity and compatibility with work practices. Security mechanisms incompatible with these perceptions may be circumvented by users and thereby undermine system security overall.

Human-computer cryptography: an attempt Tsutomu Matsumoto, Pages 68-75, Proceedings of the 3rd ACM conference on Computer and communications security March 14 - 15, 1996, New Delhi India

Keywords: authentication, human-computer interaction, passwords, information security.

Abstract: Can you securely prove your identity to a host computer by using no dedicated software at your terminal and no dedicated token at your hands? Conventional password checking schemes don’t need such a software and hardware but have a disadvantage that an attacker who has correctly observed an input password by peeping or wiretapping can perfectly impersonate the corresponding user. Conventional dynamic (one-time) password schemes or zero-knowledge identification schemes can be securely implemented but require special software or hardware or memorandums. This paper develops human-friendly identification schemes such that a human prover knowing a secret key in her or his brain is asked a visual question by a machine verifier, who then checks if an answer sent from the prover matches the question with respect to the key. The novelty of these schemes lies in their ways of displaying questions. This paper also examines an application of the human identification schemes to human-computer cryptographic communication protocols.

Cryptographic Human Identification III. Tsutomu Matsumoto, Proceedings of the Sixth International Conference on Human-Computer Interaction 1995 v.III. Analysis, Design and Evaluation in Human-Computer Interaction p.147-152

Keywords: Authentication, Human-computer interaction, Passwords, Information security

Abstract: Conventional password checking schemes have a disadvantage that an attacker who has correctly observed an input password can perfectly impersonate the corresponding user. To overcome it there have been proposed schemes such that a human prover knowing a secret key is asked a question by a machine verifier, who then checks if an answer from the prover matches the question with respect to the key. This paper presents practical interactive human identification schemes with novel ideas of displaying questions.

Authenticating Users by Word Association Random Access I / Sidney L. Smith Proceedings of the Human Factors Society 31st Annual Meeting 1987 p.135-138

Keywords: Computer security, User identification, Passwords, Associative memory

Abstract: Testing word associations, as an extension of simple password entry, may be a practical means of verifying the identity of individual computer users. If each user specifies his/her own cue-response associations, then responses will be easy to remember. It should be easy for legitimate users to respond correctly to word association testing, but virtually impossible for potential intruders. Such testing should also prove easy for a computer to process.

Authentication in Office System Internetworks Research Contributions / Jay E. Israel / Theodore A. Linden ACM Transactions on Office Information Systems 1983 v.1 n.3 p.193-210

Abstract: In a distributed office system, authentication data (such as password) must be managed in such a way that users and machines from different organizations can easily authenticate themselves to each other. The authentication facility must be secure, but user convenience, decentralized administration, and a capability for smooth, long-term evolution are also important. In addition, the authentication arrangements must not permit failures at a single node to cause systemwide down time. The design used in the Xerox 8000 Series products is described. This design anticipates applications in an open-network architecture where there are nodes from diverse sources and one node does not trust authentication checking done by other nodes. Furthermore, in some offices encryption will be required to authenticate data transmissions despite hostile intruders on the network. Requirements and design constraints when applying encryption for authentication in office systems are discussed. It is suggested that protocol standards for use in office systems should allow unencrypted authentication as well as two options for encrypted authentication. Issues that will arise as an office system evolves to deal with increasingly sophisticated threats from users of the system are described.


Biometrics

Electronic Monitoring Systems: An Examination of Physiological Activity and Task Performance within a Simulated Keystroke Security and Electronic Performance Monitoring System / Ron Henderson / Doug Mahar / Anthony Saliba / Frank Deane / Renee Napier International Journal of Human-Computer Studies 1998 v.48 n.2 p.143-157

Abstract: Electronic monitoring systems are becoming a prominent feature of the modern office. The aims of the present study were three-fold. First, to assess the effects electronic security monitoring systems (ESM) have on the user's physiological state. Second, the researches aimed to examine the effects explicit security challenges have on both user behaviour and physiological state when using an ESM system. Finally, the research aimed to examine the effects one form of electronic performance monitoring system may have on the user's physiological state. To this effect, the present study examined the physiological and performance effects of two simulated electronic monitoring systems (security/performance). The computer task required 32 subjects to enter mock clinical case notes under various conditions. In the first session subjects were only required to enter the case notes while keystroke data were collected. In the "security baseline" condition subjects were informed that a keystroke security monitoring system had been instituted, but no security challenges occurred. In the "security challenge" condition, however, a number of explicit security challenges occurred. In the final "performance monitoring" condition, subjects were informed that their data entry speed was monitored and they were placed on a response-cost schedule for poor performance. Blood pressure and continuous inter-heartbeat latency were recorded for the security and performance conditions. Results indicated that monitoring systems have the potential to evoke altered arousal states in the form of increased heart rate and blood pressure. Contrary to expectations, the hypothesized improvement in task performance within the performance monitoring condition was not observed. The implications of these results for the design and implementation of electronically based behavioural-based security and performance monitoring systems are discussed.

Theoretical Examination of the Effects of Anxiety and Electronic Performance Monitoring on Behavioural Biometric Security Systems / Frank Deane / Ron Henderson / Doug Mahar / Anthony Saliba Interacting with Computers 1995 v.7 n.4 p.395-411

Keywords: Anxiety, Computer security, Electronic performance monitoring

Abstract: Computerised biometric systems are automated methods of verifying or recognising the identity of a user on the basis of some physiological characteristic, like a fingerprint or some aspects of behaviour such as keystroke patterns. Behaviourally based biometric systems include signature, speaker and keystroke verification. The investigation of psychological factors which might impact on the efficiency of a behavioural biometric computer security monitoring system has to our knowledge not been conducted. Of particular concern in the present paper are the potential effects of state anxiety on individual's physiological and performance responses. It is suggested that in a behaviourally based biometric computer security monitoring system, state anxiety may have sufficient effects to alter typical physiological and performance responses, resulting in an increased risk of security challenges, interruption of work-flow and resultant poor performance. It is also proposed that behaviourally based biometric systems may have the potential to be used as electronic performance monitoring systems, and typical responses to such systems need to be examined when developing and implementing any behaviourally based biometric security system.

Employee Acceptance of Biometric Security Systems Affective Issues / Kate Barrelle / Frank Deane / Ron Henderson / Doug Maher Proceedings of OZCHI'94, the CHISIG Annual Conference on Human-Computer Interaction 1994 p.118-122

Keywords: Computer security, Biometric security systems, User acceptability, Electronic performance monitoring

Abstract: The present paper examined the perceived acceptability of biometric security systems, and the relationship between acceptability and sensitivity of information. Results from 46 respondents indicated that all biometric systems were perceived as less acceptable than the traditional password approach. Contrary to expectations, it was found that behaviourally based biometric systems were perceived as less acceptable than physiologically based systems. Interestingly, the password method displayed a negative relationship between acceptability and sensitivity. Results are discussed in relation to the potential for some behaviourally based biometric system to be used as a component of Electronic Performance Monitoring (EPM) systems.

Typist Identity Verification: A Comparison of the Utility of the Overall Reference Profile and the Digraph-Specific Estimates of Digraph Latency Variability Research 3 / Renee Napier / Doug Mahar / Ron Henderson / William Laverty / Mike Hiron / Jon Gough / Mike Wagner Proceedings of OZCHI'94, the CHISIG Annual Conference on Human-Computer Interaction 1994 p.253-257

Keywords: Computer security, User verification, Digraphs

Abstract: Data security is important for both social and organisational reasons. Umphress and Williams [1] have shown that individual differences in typing behaviour may provide a means of accurately verifying the identity of the user. The present research attempted to enhance their technique by using a digraph-specific measure of inter-key latency variability. Sixty seven subjects undertook a transcriptional typing task, typing both computer relevant words, and sentences. False acceptance and false rejection rates were calculated using the traditional overall estimate of inter-key latency variability and a new digraph-specific measures of inter-key latency variability. Results revealed that the digraph specific measure of inter-key latency variability, not only produced a better optimum false acceptance plus false rejection rate, than the overall method, but did so over a wide range of parameter settings.

The Effects of Password Length and Reference Profile Size on the Performance of a Multivariate Text-Dependent Typist Verification System / Doug Mahar / Ron Henderson / William Laverty / Rene Napier Interacting with Computers 1998 v.10 n.4 p.375-383

Keywords: Computer security, Typist verification, Password length

Abstract: The performance of Napier et al.'s typist verification algorithm (Keyboard user verification: toward an accurate, efficient, and ecologically valid algorithm, International Journal of Human-Computer Studies 43 (1995) 213-222) was assessed in a text-dependent setting. Twenty-nine subjects typed a 17 character password 50 times. False acceptance and false rejection rates were then calculated as the number of repetitions of the password included in the reference profile was increased from 6 to 20 and the number of digraphs from the password included in the verification process was increased from 2 to 16. The performance of the system (12% total error rate) was found to be comparable with the best results reported in other studies using text-dependent algorithms, and substantially better than that reported in studies using a text-independent paradigm with passwords of this length. The relationship between password length and reference profile size was found to conform to an exponential decay function, which accounted for 92% of the variability in verification error rates.

Verifying Identity via Keystroke Characteristics / John Leggett / Glen Williams International Journal of Man-Machine Studies 1988 v.28 n.1 p.67-76

Abstract: This paper reports on an experiment that was conducted to assess the viability of using keystroke digraph latencies (time between two successive keystrokes) as an identity verifier. Basic data are presented and discussed that characterize the class of keystroke digraph latencies that are found to have good potential as static identity verifiers as well as dynamic identity verifiers. Keystroke digraph latencies would be used in conjunction with other security measures to provide a total security package.

Dynamic Identity Verification via Keystroke Characteristics / John Leggett / Glen Williams / Mark Usnick / Mike Longnecker International Journal of Man-Machine Studies 1991 v.35 n.6 p.859-870

Abstract: The implementation of safeguards for computer security is based on the ability to verify the identity of authorized computer systems users accurately. The most common form of identity verification in use today is the password, but passwords have many poor traits as an access control mechanism. To overcome the many disadvantages of simple password protection, we are proposing the use of the physiological characteristics of keyboard input as a method for verifying user identity. After an overview of the problem and summary of previous efforts, a research study is described which was conducted to determine the possibility of using keystroke characteristics as a means of dynamic identity verification. Unlike static identity verification systems in use today, a verifier based on dynamic keystroke characteristics allows continuous identity verification in real-time throughout the work session. Study results indicate significant promise in the temporal personnel identification problem.

User Verification through Pointing Characteristics: An Exploration Examination / Kate Barrelle / William Laverty / Ron Henderson / Jon Gough / Michael Wagner / Michael Hiron International Journal of Human-Computer Studies 1996 v.45 n.1 p.47-57

Abstract: Previous research has highlighted that all data security systems rest on the assumption of accurate user verification. Although much research has focused on speech and keystroke characteristics, no study has examined the potential of indirect cursor control devices, such as mouse or pen, as a means of personal user verification. This paper presents the result of an exploratory examination of the measurement of individual users' behaviour elicited while using two indirect input devices (puck and pen). Ten subjects undertook two series of 500 trials using the puck and pen in a counterbalanced design. Each trial involved guiding the cursor to one of ten possible targets, projected upon one of five angles of projection and one of two distances. Data recorded comprised a series of (x, y) coordinates and associated time stamps of each component of the movement. Five parameters for each full movement were extracted -- total time to reach the target, maximum velocity of the movement, maximum acceleration for the movement, time to maximum velocity of movement, time to maximum acceleration of the movement. Results of a series of Multivariate Analyses of Variance indicated that for both the puck and the pen data, there were statistically significant differences between subjects for each of the five parameters. This set of discriminating parameters was then embedded in a verification paradigm. Results indicated that the average error rates varied between 39% (S.D.=2%) and 14% (S.D.=2%) for the puck and 38% (S.D.=2%) and 12% (S.D.=2%) for the pen. Error rates were dependent upon the number of samples used when making the verification decision. This research suggests that pointing device measurements using the current parameters are not a viable method of user verification by themselves. However, with average error rates as low as 12%, it may be reasonable to integrate them into a multi-modal security system. Practical implications and future research directions are discussed.

The Physiological Effects of Electronic Employee Performance and Security Monitoring Systems Full Papers / Ron Henderson / Doug Mahar / Anthony Saliba / Kate Barrelle / Frank Deane / Renee Napier / Michael Hiron Proceedings of OZCHI'95, the CHISIG Annual Conference on Human-Computer Interaction 1995 p.223-228

Keywords: Electronic performance monitoring, Keyboard verification, Physiological reactions

Abstract: The present study examined the effects of both security and performance based electronic monitoring systems on physiological and performance indices of users' behaviour. The 32 subjects performed a computer-based data entry task under various conditions. In the "control security challenge" condition subjects were informed that a keystroke security monitoring system had been instituted, but no security challenges occurred. In the "explicit security challenge" condition, however, a number of explicit security challenges occurred. In the final "electronic performance monitoring" (EPM) condition, subjects were informed their data entry speed was monitored and they were placed on a response-cost schedule for poor performance. Blood pressure and continuous inter-heart beat latency were recorded for the security challenge and EPM conditions. Results indicated that monitoring systems have the potential to evoke altered arousal states in the form of increased heart rate and blood pressure. The implications of these results for the design and implementation of electronic behavioural based security and performance monitoring systems are discussed.


Critical Systems
CSCW

Computational Mail as Network Infrastructure for Computer-Supported Cooperative Work Innovations in E-Mail, Nathaniel S. Borenstein Proceedings of ACM CSCW'92 Conference on Computer-Supported Cooperative Work 1992 p.67-74

Keywords: Electronic mail, Active mail, Security, Portability, CSCW infrastructure

Abstract: Computational email -- the embedding of programs within electronic mail messages -- is proposed as a technology that may help to solve some of the key problems in deploying successful applications for computer-supported cooperative work. In particular, computational email promises to alleviate the problem of remote installation at separately-administered sites, the problem of getting users to "buy in" to new applications, and the problem of extremely heterogeneous user interaction environments. In order for computational email to be practical, however, key problems of security and portability must be addressed, problems for which this research offers new solutions. This paper outlines the promise of this new technology, the solutions to the key technical problems, and the areas where further work and application development are needed.

Distributed Systems, Multimedia, and Infrastructure Support in CSCW Workshops, Atul Prakash, John Riedl Proceedings of ACM CSCW'94 Conference on Computer-Supported Cooperative Work 1994 p.3

Abstract: The goal of this workshop was to identify common services needed by CSCW systems and to explore whether the support provided by current generation of distributed systems is satisfactory for developing robust CSCW applications. The topics included design of specific services to support collaborative applications; communication and group membership services to support CSCW systems; access control and security in synchronous and asynchronous CSCW systems; concurrency control and replicated data management in collaborative applications; incorporation of multimedia in CSCW systems; window systems support for building CSCW applications and extensions for supporting multiple media.

CSCW for Government Work: Polikom-Video Formal Video Program: Applications and Methodologies Uta Pankoke-Babatz Proceedings of ACM CSCW'94 Conference on Computer-Supported Cooperative Work 1994 p.10

Abstract: This video is a live performance of a scenario demonstrating telecommunication and telecooperation in a work setting. The scenario shows several geographically distributed members -- located in Bonn and Berlin -- of a government construction commission working on modifications to the parliament building. The integrated use of a variety of system prototypes supporting both asynchronous and real-time cooperation is illustrated. Access and interaction security are managed by SECUDE using smart-card technology. The ACTIVITY ASSISTANT facilitates asynchronous cooperation through coordination of shared to-do lists. The SEPIA hypertext system allows asynchronous and real-time joint editing of documents. Detailed discussions are supported using the LIVE video-conferencing tool. Orientation assistance is provided by the TOSCA organization information system which handles user queries concerning an organization's regulations and responsible cooperation partners [3].


Electronic commerce

J. Riegelsberger & M. A. Sasse (2000): "Trust Me, I'm a .com": Reassuring shoppers in electronic retail environments. To appear in Intermedia, June 2000.

Abad-Peiro, José L.; Steiger, Patrick: Making Electronic Commerce Easier to Use with Novel User Interfaces. In: Schmid, Beat F.; Selz, Dorian; Sing, Regine: EM - Electronic Contracting. EM - Electronic Markets, Vol. 8, No. 3, 10/98. URL: http://www.electronicmarkets.org/netacademy/publications.nsf/all_pk/1075 [03/19/99].

Abstract: Certain security properties of electronic commerce (e-commerce) services are too complex to be fully understood by nonprofessional users. For example, group signatures or anonymity with fair-exchange properties for online purchases are not easy to use by inexperienced users, who may not recognize the equivalent meaning in the real world, or may find that the parameters required in the protocols are too complex. The authors claim that by adopting new user-interface technologies they can provide the users of electronic-commerce services with powerful and easier-to-use tools. New technologies applied to user interfaces, e.g., virtual worlds and network-based games, have been targeted to increase sales in the entertainment industry. The paper addresses the border between user-interface technologies and protocols used to implement secure e-commerce services.

The "Social Engineering" of Internet Fraud, Jonathan J. RUSCH, United States Department of Justice USA, published in the proceedings of INET'99

User Interface Requirements for Sale of Goods, Draft Revision 0.4, Dr. Phillip M. Hallam-Baker, World Wide Web Consortium


Email security (see also PGP)

The Graphical Interface for Secure Mail, F. Bracun, B. Jerman-Blazic, T. Klobucar, D. Trcek (Jozef Stefan Institute, Slovenia), Communications and Multimedia Security Conference 95

Managing user perceptions of email privacy, Weisband, CACM [get proper reference]

Using a WWW-based mail user agent for secure electronic mail service for health care users Methods of Information in Medicine, vol.37, (no.3), F.K. Schattauer Verlagsgesellschaft, Sept. 1998. p.247-53.

Stacey L. Ashlund and Steven Pemberton A Future for E-Mail Proceedings of ACM CHI 96 Conference on Human Factors in Computing Systems, Workshops, Vol. 2, p. 434, 1996 (general email issues)


Error messages

Usability Analysis of Messages from a Security System Computer System: On-Line Information/Expert Systems / William S. Mosteller / James Ballas Proceedings of the Human Factors Society 33rd Annual Meeting 1989 v.1 p.399-403

Abstract: Most software systems issue messages to reflect their progress in processing users' requests and to report error conditions. By instrumenting systems to collect these messages for later processing, a rich source of information about system and user behavior can be tapped. The work described herein is a study of system and user behavior related to messages, in an actual use setting. Our objective is assessing and improving the interaction with VMSECURE, a user directory management and security package for IBM's VM operating system. (VM is IBM's interactive system for mainframe computers. VMSECURE manages user resources and controls data access.) Pareto's principle to VMSECURE messages and error messages. A few different messages make up most of the traffic. Password prompting provides efficient, effective protection against unauthorized use of VMSECURE. Users of VMSECURE, when they receive an error message, often re-enter the same, unsuccessful command again. Users of VMSECURE do not improve their error rates with experience, possibly due to the low level of daily use they make of the product.


Media Spaces

Applying Cryptographic Techniques to Problems in Media Space Security Architecture, Technologies and Infrastructure / Ian E. Smith / Scott E. Hudson / Elizabeth D. Mynatt / John R. Selbie Conference on Organizational Computing Systems 1995 p.190-196

Applying Cryptographic Techniques to Problems in Media Space Security A Reference Architecture for Multi-Author World-Wide Web Servers / Louis Perrochon Conference on Organizational Computing Systems 1995 p.197-205

Applying Cryptographic Techniques to Problems in Media Space Security Collaborative Computing: A Multi-Client Multi-Server Environment / Ming C. Hao / Alan H. Karp / Daniel Garfinkel Conference on Organizational Computing Systems 1995 p.206-213


Multimodal Interfaces

A Multimodal Operational System for Security Services, M. L. Bourguet, S. Mimura, S. Ikeno, M. Komura, Proceedings of the Sixth International Conference on Human-Computer Interaction 1995 v.I. Human and Future Computing p.219-224 © Copyright 1995 Elsevier Science

Abstract: This paper addresses the question of multimodality applied to operational systems intended for professional users in charge of difficult and stressful tasks. For this type of application, the efficiency brought by a multimodal interface not only follows from the naturalness of the interaction but from the match between the communication modalities and the task to be performed. We report our experience in the design and prototyping of SECOM's Centralized Security System (CSS), a multimodal operational system for security services.


PGP

Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, Alma Whitten, Carnegie Mellon University; and J. D. Tygar, University of California, Berkeley

Usability of Security: A Case Study, Alma Whitten and J.D. Tygar, Carnegie Mellon School of Computer Science Technical Report, December 1998.

PathServer is a web-based service for authenticating PGP public keys. It works by enabling a user to find paths of certificates from a key she trusts to a key she wants to learn about. The primary technical challenges in this work result from allowing the user to specify properties of paths that she finds desirable, including independence and length properties that make locating a sufficiently large set of such paths NP-hard or worse. You can find out more about this by having a look at M. K. Reiter and S. G. Stubblebine. Path independence for authentication in large-scale systems. In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 57-66, April 1997.

pgp_trust_tree homepage: This visual data-representation program (written in PERL) uses PGP and graphviz (specifically, dot) to extract information from a PGP public keyring and display it in a graphical and easy-to-understand manner.


Privacy

Privacy interfaces for information management, Tessa Lau, Oren Etzioni and Daniel S. Weld, Communications of the ACM Vol. 42, No. 10 (Oct. 1999), Pages 88-94

Abstract: A system for examining Web browsing histories helps create a set of guidelines for designing privacy interfaces. The designers of information management software must strike a delicate balance between protecting user privacy and facilitating the sharing of information. Since there is no universal policy appropriate for all users, designers must provide users with a means of specifying their own individual privacy policies. Each user then determines what information to conceal, what to reveal, and to whom. While information protection mechanisms abound, the user interface to such mechanisms has received scant attention.

A. Adams & M. A. Sasse (1999): Privacy Issues in Ubiquitous Multimedia Environments: Wake Sleeping Dogs, Or Let Them Lie? In M. A. Sasse & C. Johnson [Eds.]: Human-Computer Interaction INTERACT '99 - Proceedings of IFIP TC.13 International Conference 30th August-3rd of September 1999, Edinburgh, pp 214-221. IOS.

Information Processing, Context and Privacy Foundations: Educational and Social Issues / Alan Dix Proceedings of IFIP INTERACT'90: Human-Computer Interaction 1990 p.15-20

Keywords: Information theory, Information processing, Privacy, Formal analysis

Abstract: This paper is about an old concept, data processing, but one that has taken on new meaning with the increasing complexity and interconnection of systems and the burgeoning of expert systems and connectionism. Classical information theory has been found to be inadequate even in the relatively formal context of security, but this inadequacy is intensified when we consider more human issues like privacy. Further, writers like Suchman and Winograd & Flores emphasise context in understanding communication and information. Relating these issues to a simple information life-cycle, this paper questions how we can retain an understanding of human issues when interacting with such complex systems.

What You Don't Know Can Hurt You: Privacy in Collaborative Computing User Involvement / Victoria Bellotti Proceedings of the HCI'96 Conference on People and Computers XI 1996 p.241-261

Keywords: Privacy, Access control, Collaboration, Communication, Design.

Abstract: Privacy is a popular subject in the CSCW literature but has largely been addressed as an issue of security by systems designers. With the growth of networked, multimedia CSCW systems comes an increasing need for better control over how people gain access to one another and to potentially shareable information. This paper poses some challenges for CSCW developers and provides some examples of systems which are beginning to meet such challenges.

The Active Badge Location System Practice and Experience Roy Want / Andy Hopper / Veronica Falcao / Jonathan Gibbons ACM Transactions on Information Systems 1992 v.10 n.1 p.91-102

Abstract: A novel system for the location of people in an office environment is described. Members of staff wear badges that transmit signals providing information about their location to a centralized location service, through a network of sensors. The paper also examines alternative location techniques, system design issues and applications, particularly relating to telephone call routing. Location systems raise concerns about the privacy of an individual, and these issues are also addressed.


Rapid prototyping

Rapid Prototyping, Structured Methods and Incorporation of Human Factors into System Development / Kee Yong Lim / John Long East-West International Conference on Human-Computer Interaction: Proceedings of the EWHCI'92 1992 p.407-417

Abstract: In recent years, two apparently opposing approaches for improving human factors incorporation into system development have emerged, namely rapid prototyping and structured analysis and design methods. Arguments for and against configuring human factors inputs with respect to each of these approaches have become blurred. To clarify the issues, the paper examines how well existing problems of human factors input are addressed by the approaches. In so doing, a case for structured analysis and design methods is established. A specific solution to the problems is then proposed comprising the development and subsequent integration of a structured human factors method with a particular structured analysis and design method. The human factors method is then reviewed and illustrated using a case-study concerning the design of a network security management system.


Social Engineering

The "Social Engineering" of Internet Fraud, Jonathan J. RUSCH, United States Department of Justice USA, published in the proceedings of INET'99

People Hacking: The Psychology of Social Engineering by Harl, Talk at Access All Areas III 05/07/97


Usability testing of security systems

"Deja Vu: A User Study. Using Images for Authentication" by Rachna Dhamija and Adrian Perrig, to be published in the proceedings of the 9th USENIX Security Symposium, August 2000, Denver, Colorado

Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, Alma Whitten, Carnegie Mellon University; and J. D. Tygar, University of California, Berkeley

Iterative Usability Testing of a Security Application Computer Systems: Approaches to User Interface Design / Clare-Marie Karat Proceedings of the Human Factors Society 33rd Annual Meeting 1989 v.1 p.273-277

Abstract: This paper reports the results of three iterative usability tests of a security application as it evolved through the application development process and highlights the use of several methodological techniques: 1) reusable color foil prototypes of application panels as an alternative to developing online prototypes during short development cycles, 2) field tests as a complement to laboratory tests, 3) iterative testing of an evolving prototype, and 4) analysis of dollar value of usability work. The techniques used represent an attempt to apply usability engineering to system design (Whiteside, Bennett, and Holtzblatt; 1988) and to provide management with a dollar value estimate of human factors work (Mantei, 1988). Significant improvements in end user performance and satisfaction occurred across the three iterative tests (field prototype test, laboratory prototype test, and laboratory integration test) conducted across 7 months with 27 participants. The product usability objective was met during the third test. By using the reusable foil prototypes of the interface panels, usability staff were able to efficiently and effectively identify problems, make design changes, and retest the panels. The field test furnished unique data necessary to understanding end user issues. Iterative testing provided the opportunity to test the impact of changes made to the interface and a reliability check on previous results. The methodology for computing the value of usability work provided a feasible way of analyzing the cost benefit of the human factors work.

Usability Analysis of Messages from a Security System Computer System: On-Line Information/Expert Systems / William S. Mosteller / James Ballas Proceedings of the Human Factors Society 33rd Annual Meeting 1989 v.1 p.399-403

Abstract: Most software systems issue messages to reflect their progress in processing users' requests and to report error conditions. By instrumenting systems to collect these messages for later processing, a rich source of information about system and user behavior can be tapped. The work described herein is a study of system and user behavior related to messages, in an actual use setting. Our objective is assessing and improving the interaction with VMSECURE, a user directory management and security package for IBM's VM operating system. (VM is IBM's interactive system for mainframe computers. VMSECURE manages user resources and controls data access.) Pareto's principle to VMSECURE messages and error messages. A few different messages make up most of the traffic. Password prompting provides efficient, effective protection against unauthorized use of VMSECURE. Users of VMSECURE, when they receive an error message, often re-enter the same, unsuccessful command again. Users of VMSECURE do not improve their error rates with experience, possibly due to the low level of daily use they make of the product.


Viruses

Some Human Dimensions of Computer Virus Creation and Infection ANDY BISSETT, GERALDINE SHIPTON, International Journal of Human Computer Studies Vol. 52, No. 5, May 2000 ISSN: 1071-5819, pp. 899-913 (doi:10.1006/ijhc.1999.0361)


Misc

some yet to be filed citations

 

Last modified: 08.08.2000
rachna@sims.berkeley.edu