User Interaction Design for Secure Systems
The security of any system that is configured or operated by human beings depends on the information conveyed by the user interface, the decisions of the users, and the interpretation of their actions. This paper establishes some starting points for reasoning about security from a user-centred perspective: it proposes to model systems in terms of actors and actions, and introduces the concept of the subjective actor-ability state. Ten principles for secure interaction design are identified; examples of real-world problems illustrate and justify the principles.
Keywords: Design Principle, Security Policy, User Agent, Interaction Design, Intentional Stance