Security in the wild: user strategies for managing security as an everyday, practical problem

Abstract

Ubiquitous and mobile technologies create new challenges for system security. Effective security solutions depend not only on the mathematical and technical properties of those solutions, but also on people’s ability to understand them and use them as part of their work. As a step towards solving this problem, we have been examining how people experience security as a facet of their daily life, and how they routinely answer the question, “is this system secure enough for what I want to do?” We present a number of findings concerning the scope of security, attitudes towards security, and the social and organizational contexts within which security concerns arise, and point towards emerging technical solutions.

Notes

  1. It should be noted here that these were the practices she used for managing outstanding work items; physical documents that had been finished with were stored under lock and key.

  2. We are grateful to Mark Ackerman for pointing out this dualism.

Acknowledgements

We would like to thank Mark Ackerman, Tom Berson, Brinda Dalal, Leysia Palen, David Redmiles, and Diana Smetters for their contributions to this research and this paper. We also gratefully acknowledge the patience and help of our interview subjects. This work has been supported in part by National Science Foundation awards IIS-0133749, IIS-0205724, and IIS-0326105, and by a grant from Intel Corp.

Author information

Correspondence to Paul Dourish.

About this article

Cite this article

Dourish, P., Grinter, R.E., Delgado de la Flor, J. et al. Security in the wild: user strategies for managing security as an everyday, practical problem. Pers Ubiquit Comput 8, 391–401 (2004). https://doi.org/10.1007/s00779-004-0308-5

Keywords

  • Access Control
  • Ubiquitous Computing
  • Security Management
  • Email Message
  • Security Technology