USABLE SECURITY
CS6204
Fall, 2009
Tuesday/Thursday, 9:30-10:45AM
McBryde 219
Dr. Dennis Kafura
kafura@cs.vt.edu
231-5568
Motivation (why learn about this?)
Controlling the disclosure of personal information is a
critical aspect of developing a sense of personal information privacy in a
world increasingly pervasive in its collection of information and potentially invasive
in its correlation, mining, and dissemination of this information. The broadly
perceived dangers are accentuated by reports of the threats of identity theft,
social and technical attacks aimed at ordinary persons or their computing
resources, and technology developments that imply a deeper penetration of
information gathering capabilities into the real world (via sensor nets) or the
cyber world.
The usability of security mechanisms that control
information disclosure is crucial. One of the four grand challenges in
trustworthy computing identified by the Computer Research Association
is: “For the dynamic, pervasive computing environments of
the future, give computing end-users security they can understand and
privacy they can control.” Usability in this context refers less to the
fine details of user interface design and more to the fundamental
representations, models, and processes on which the system is founded
and the degree to which these elements conform to their counterparts in
the cognition of the people involved. The lack of a clearly understood
encryption model was at the root of users’ inability to send mail
securely. Similarly, it has been observed that there may be a decline in
overall security when users circumvent security mechanisms that are
incompatible with their work practices.
Key Topics (what is involved?)
In this course we will study issues related to providing security and
privacy for critical information domains in ways that are usable by
ordinary people in current and projected technology environments. The
goal of the course is to understand better the critical interaction of
systems issues and human-computer interaction issues in the domain of
usable security. Specific topics include:
- overview of usable security domain
- web privacy and security
- user preferences and preference policy authoring
- trust, privacy, and trust negotiation
- semantic web foundations
- semantic web technologies
- ubiquitous systems
- applications
- smart phones
- medical environments
- location-awareness
- frameworks
- survey
- principles
- example systems
- privacy and trust
- multimedia communications
- context and place
- social factors
- design
- guidelines
- spatial interfaces
- visualization
Course Format (what will we do?)
The course is based on two key components. First, participants
will be assigned to read, summarize, present, and lead the
discussion of a related set of papers from among approximately 30-40
papers covering the key topics listed above. Each participant is
expected to read all of the papers and participate actively in the
discussion. Second, each participant must complete a major project. A
project may be an individual or small group effort. A number of
projects will be identified but participants may also propose projects
that are within the subject matter of the course and approved in
advance.
Prerequisites (should I take this course?)
A strong interest in the subject matter and a determined willingness to
become deeply engaged in the readings are more important than any
particular prior coursework. Participants with backgrounds in systems
should expect to learn about the usability issues and those with
backgrounds in human-computer interactions should expect to learn about
practical systems issues. You can look at the example readings below to
self-assess your interest and preparation. These papers should be
readable with normal difficulty for a technical paper. Talk with the
course instructor if you have questions about your preparation.
Example Readings (what will it be like?) (accessible from ACM Portal or CiteSeer)
Bauer, L., Cranor, L. F., Reiter, M. K., and Vaniea, K. 2007. Lessons
learned from the deployment of a smartphone-based access-control system.
In Proceedings of the 3rd Symposium on Usable Privacy and Security
(Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07, vol. 229.
ACM, New York, NY, 64-75.
Palen, L. and Dourish, P. 2003. Unpacking "privacy" for a networked world.
In Proceedings of the SIGCHI Conference on Human Factors in Computing
Systems (Ft. Lauderdale, Florida, USA, April 05 - 10, 2003). CHI '03.
ACM, New York, NY, 129-136.
Gavriloaie, R., et al. 2004. No registration needed: How to use
declarative policies and negotiation to access sensitive resources on
the semantic web. In 1st European Semantic Web Symposium (ESWS 2004)
(Heraklion, Greece). 342-356.
Adams, A. and Sasse, M. A. 1999. Users are not the enemy.
Communications of the ACM 42, 12, 40-46.
Web Sites (what is out there?)
Symposium on Usable Privacy and Security
IEEE Symposium on Security and Privacy
World Wide Web Consortium Security Activity
National Science Foundation: Trustworthy Computing