Abstract
Effective security of a personal firewall depends on (1) the rule granularity and the implementation of the rule enforcement and (2) the correctness and granularity of user decisions at the time of an alert. A misconfigured or loosely configured firewall may be more dangerous than no firewall at all because of the user’s false sense of security. This study assesses effective security of 13 personal firewalls by comparing possible granularity of rules as well as the usability of rule set-up and its influence on security.
In order to evaluate usability, we have submitted each firewall to use cases that require user decisions and cause rule creation. In order to evaluate the firewalls’ security, we analysed the created rules. In addition, we ran a port scan and replaced a legitimate, network-enabled application with another program to assess the firewalls’ behaviour in misuse cases. We have conducted a cognitive walkthrough paying special attention to user guidance and user decision support.
We conclude that a stronger emphasis on user guidance, on conveying the design of the personal firewall application, on the principle of least privilege and on implications of default settings would greatly enhance both usability and security of personal firewalls.
Please use the following format when citing this chapter: Herzog, A. and Shahmehri, N., 2007, in IFIP International Federation for Information Processing, Volume 232, New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R., (Boston: Springer), pp. 37–48.
© 2007 International Federation for Information Processing
Herzog, A., Shahmehri, N. (2007). Usability and Security of Personal Firewalls. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds) New Approaches for Security, Privacy and Trust in Complex Environments. SEC 2007. IFIP International Federation for Information Processing, vol 232. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-72367-9_4
DOI: https://doi.org/10.1007/978-0-387-72367-9_4
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-72366-2
Online ISBN: 978-0-387-72367-9