Personal and Ubiquitous Computing, Volume 8, Issue 6, pp 391–401

Security in the wild: user strategies for managing security as an everyday, practical problem

  • Paul Dourish
  • Rebecca E. Grinter
  • Jessica Delgado de la Flor
  • Melissa Joseph
Original Article

Abstract

Ubiquitous and mobile technologies create new challenges for system security. Effective security solutions depend not only on the mathematical and technical properties of those solutions, but also on people’s ability to understand them and use them as part of their work. As a step towards solving this problem, we have been examining how people experience security as a facet of their daily life, and how they routinely answer the question, “is this system secure enough for what I want to do?” We present a number of findings concerning the scope of security, attitudes towards security, and the social and organizational contexts within which security concerns arise, and point towards emerging technical solutions.


Copyright information

© Springer-Verlag London Limited 2004

Authors and Affiliations

  • Paul Dourish (1)
  • Rebecca E. Grinter (2)
  • Jessica Delgado de la Flor (1)
  • Melissa Joseph (1)

  1. School of Information and Computer Science, University of California, Irvine, USA
  2. College of Computing, Georgia Institute of Technology, Atlanta, USA
