Abstract
Ubiquitous and mobile technologies create new challenges for system security. Effective security solutions depend not only on the mathematical and technical properties of those solutions, but also on people’s ability to understand them and use them as part of their work. As a step towards solving this problem, we have been examining how people experience security as a facet of their daily life, and how they routinely answer the question, “is this system secure enough for what I want to do?” We present a number of findings concerning the scope of security, attitudes towards security, and the social and organizational contexts within which security concerns arise, and point towards emerging technical solutions.
Notes
It should be noted here that these were the practices she used for managing outstanding work items; physical documents that had been finished with were stored under lock and key.
We are grateful to Mark Ackerman for pointing out this dualism.
Acknowledgements
We would like to thank Mark Ackerman, Tom Berson, Brinda Dalal, Leysia Palen, David Redmiles, and Diana Smetters for their contributions to this research and this paper. We also gratefully acknowledge the patience and help of our interview subjects. This work has been supported in part by National Science Foundation awards IIS-0133749, IIS-0205724, and IIS-0326105, and by a grant from Intel Corp.
Cite this article
Dourish, P., Grinter, R.E., Delgado de la Flor, J. et al. Security in the wild: user strategies for managing security as an everyday, practical problem. Pers Ubiquit Comput 8, 391–401 (2004). https://doi.org/10.1007/s00779-004-0308-5
DOI: https://doi.org/10.1007/s00779-004-0308-5