
Standardizing Usable Security and Privacy: Taking It To the Next Level, or Settling for Less?

Mary Ellen Zurko, IBM; Maritza Johnson, Columbia University


Presentation Transcript


  1. Standardizing Usable Security and Privacy: Taking It To the Next Level, or Settling for Less?
     Mary Ellen Zurko, IBM
     Maritza Johnson, Columbia University

  2. Web Security Context Working Group
     • Specify a baseline set of security context information
     • Specify practices for the secure and usable presentation
     • Help users make decisions by providing them with the necessary information

  3. Example WSC Conformance Statements
     • User agents MUST make identity information available to users in all cases (even when the only identity information available is that no identity information was supplied).
     • A client MUST NOT submit passwords from an unsecure page (even if the form is in a "secure" frame) to a secure server.
     • Web User Agents MUST NOT display bitmaps controlled by Web Content in areas of the user interface that are intended or commonly used to communicate trust information to users.
     • A user agent SHOULD allow users to view details of why a request or access to a site was blocked based on profile settings, including a description of which configuration setting or settings contributed to the site being blocked (but displayed only on request).
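The first two conformance statements on this slide can be written down as checks a user agent applies before submitting a form or filling its identity indicator. This is an added illustration, not code from the presentation or the WSC working group; the context fields (`topLevelScheme`, `frameScheme`, `actionUrl`, `hasPasswordField`) and the shape of the `tls` summary object are assumed for the example.

```javascript
// Added example (not WSC or presentation code). Input shapes are assumed.

// "A client MUST NOT submit passwords from an unsecure page (even if the form
// is in a 'secure' frame) to a secure server." The decisive scheme is the
// top-level document's, not the frame's, so a secure iframe on an http page
// still fails the check. The statement says nothing about plain-http targets,
// so those are left untouched here.
function passwordSubmissionAllowed(ctx) {
  const { topLevelScheme, frameScheme, actionUrl, hasPasswordField } = ctx;
  if (!hasPasswordField) {
    return { allowed: true, reason: 'form carries no password field' };
  }
  const target = new URL(actionUrl);
  if (target.protocol === 'https:' && topLevelScheme !== 'https:') {
    return {
      allowed: false,
      reason: `password form on ${topLevelScheme} top-level page ` +
              `(frame is ${frameScheme}) would submit to secure host ${target.host}`,
    };
  }
  return { allowed: true, reason: 'top-level page is secure or target is not' };
}

// "User agents MUST make identity information available to users in all
// cases (even when the only identity information available is that no
// identity information was supplied)." `tls` is null for a plain-http page;
// otherwise it holds assumed fields pulled from the validated certificate.
function identitySummary(tls) {
  if (tls === null) {
    return { hasIdentity: false, text: 'No identity information was supplied for this site.' };
  }
  const parts = [];
  if (tls.organization) parts.push(`Organization: ${tls.organization}`);
  if (tls.subjectHost) parts.push(`Host: ${tls.subjectHost}`);
  if (tls.issuer) parts.push(`Verified by: ${tls.issuer}`);
  if (parts.length === 0) {
    return { hasIdentity: false, text: 'A certificate was presented, but it carries no identity details.' };
  }
  return { hasIdentity: true, text: parts.join('; ') };
}

// Constructed sample context: secure frame inside a plain-http page.
const sampleContext = {
  topLevelScheme: 'http:',
  frameScheme: 'https:',
  actionUrl: 'https://login.example/submit',
  hasPasswordField: true,
};
```

Running `passwordSubmissionAllowed(sampleContext)` returns `allowed: false`, the "secure frame on an insecure page" case the statement singles out.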

  4. Existing Standards
     • Human-Centered Design Processes
     • Usability Testing and Reporting
     • Voting
     • Privacy Standards - P3P
     How do usable security standards relate?

  5. Potential Gains
     • Increased interoperability and homogeneity
     • Raise the bar on minimum expectations
     • Motivate other work

  6. Are we ready?
     • Results show what we're doing wrong
     • Can we extrapolate a better solution?
     • Is stating what not to do better than nothing?

  7. How do we avoid …
     • Enshrining the lowest common denominator
     • Introducing abstract or confusing options

  8. Getting it Right
     • What's the baseline?
     • How much improvement is enough?
     • What conditions should be tested and how much testing is enough?
     • What's the balance for effectiveness, efficiency, and satisfaction?

  9. Testing Validity
     • What level of assurance is necessary before a standard is suggested?
     • How to keep a variety of needs in mind while keeping testing manageable?
     • Is general testing possible while making specific recommendations?

  10. Related links
     • Usability standards:
       • http://www.usabilitynet.org/tools/r_international.htm
       • http://www.stcsig.org/usability/topics/uistandards.html
       • http://zing.ncsl.nist.gov/uig_w3c/
     • Voting and standards:
       • http://www.itl.nist.gov/
       • http://vote.nist.gov/
       • http://www.acm.org/usacm/Issues/EVoting.htm
     • W3C standards:
       • http://www.w3.org/P3P/
       • http://www.w3.org/2006/WSC/
