Transcript Standardizing Usable Security and Privacy: Taking It To

Standardizing Usable Security and
Privacy: Taking It To the Next Level,
or Settling for Less?
Mary Ellen Zurko, IBM
Maritza Johnson, Columbia University
Web Security Context
Working Group



Specify a baseline set of security context
information
Specify practices for the secure and usable
presentation
Help users make decisions by providing them
with the necessary information
Example WSC Conformance
Statements

User agents MUST make identity information available to users
in all cases (even when the only identity information available is
that no identity information was supplied.)

A client MUST NOT submit passwords from an unsecure page
(even if the form is in a "secure" frame) to a secure server.

Web User Agents MUST NOT display bitmaps controlled by
Web Content in areas of the user interface that are intended or
commonly used to communicate trust information to users

A user agent SHOULD allow users to view details of why a
request or access to a site was blocked based on profile
settings, including a description of which configuration setting or
settings contributed to the site being blocked (but displayed only
on request).
Existing Standards




Human-Centered Design Processes
Usability Testing and Reporting
Voting
Privacy Standards - P3P
How do usable security standards relate?
Potential Gains



Increased interoperability and homogeneity
Raise the bar on minimum expectations
Motivate other work
Are we ready?



Results show what we’re doing wrong
Can we extrapolate a better solution?
Is stating what not to do better than
nothing?
How do we avoid …


Enshrining the lowest common
denominator
Introducing abstract or confusing
options
Getting it Right




What’s the baseline?
How much improvement is enough?
What conditions should be tested and
how much testing is enough?
What’s the balance for effectiveness,
efficiency, and satisfaction?
Testing Validity



What level of assurance is necessary
before a standard is suggested?
How to keep a variety of needs in mind
while keeping testing manageable?
Is general testing possible while making
specific recommendations?
Related links

Usability standards:




Voting and standards:




http://www.usabilitynet.org/tools/r_international.htm
http://www.stcsig.org/usability/topics/uistandards.html
http://zing.ncsl.nist.gov/uig_w3c/
http://www.itl.nist.gov/
http://vote.nist.gov/
http://www.acm.org/usacm/Issues/EVoting.htm
W3C standards:


http://www.w3.org/P3P/
http://www.w3.org/2006/WSC/