100 likes | 105 Views
Explore the significance of standardized security practices for user privacy. Learn about setting baseline security context, promoting secure user interface presentation, and ensuring informed decision-making. Discover the potential gains, challenges, and crucial factors in achieving effective security standards.
E N D
Standardizing Usable Security and Privacy: Taking It To the Next Level, or Settling for Less? Mary Ellen Zurko, IBM Maritza Johnson, Columbia University
Web Security Context Working Group • Specify a baseline set of security context information • Specify practices for the secure and usable presentation • Help users make decisions by providing them with the necessary information
Example WSC Conformance Statements • User agents MUST make identity information available to users in all cases (even when the only identity information available is that no identity information was supplied.) • A client MUST NOT submit passwords from an unsecure page (even if the form is in a "secure" frame) to a secure server. • Web User Agents MUST NOT display bitmaps controlled by Web Content in areas of the user interface that are intended or commonly used to communicate trust information to users • A user agent SHOULD allow users to view details of why a request or access to a site was blocked based on profile settings, including a description of which configuration setting or settings contributed to the site being blocked (but displayed only on request).
Existing Standards • Human-Centered Design Processes • Usability Testing and Reporting • Voting • Privacy Standards - P3P How do usable security standards relate?
Potential Gains • Increased interoperability and homogeneity • Raise the bar on minimum expectations • Motivate other work
Are we ready? • Results show what we’re doing wrong • Can we extrapolate a better solution? • Is stating what not to do better than nothing?
How do we avoid … • Enshrining the lowest common denominator • Introducing abstract or confusing options
Getting it Right • What’s the baseline? • How much improvement is enough? • What conditions should be tested and how much testing is enough? • What’s the balance for effectiveness, efficiency, and satisfaction?
Testing Validity • What level of assurance is necessary before a standard is suggested? • How to keep a variety of needs in mind while keeping testing manageable? • Is general testing possible while making specific recommendations?
Related links • Usability standards: • http://www.usabilitynet.org/tools/r_international.htm • http://www.stcsig.org/usability/topics/uistandards.html • http://zing.ncsl.nist.gov/uig_w3c/ • Voting and standards: • http://www.itl.nist.gov/ • http://vote.nist.gov/ • http://www.acm.org/usacm/Issues/EVoting.htm • W3C standards: • http://www.w3.org/P3P/ • http://www.w3.org/2006/WSC/