Standardizing Usable Security and Privacy: Taking It To the Next Level, or Settling for Less?
Mary Ellen Zurko, IBM
Maritza Johnson, Columbia University
Web Security Context Working Group
Specify a baseline set of security context information
Specify practices for the secure and usable presentation
Help users make decisions by providing them with the necessary information
Example WSC Conformance Statements
User agents MUST make identity information available to users in all cases (even when the only identity information available is that no identity information was supplied).
A client MUST NOT submit passwords from an unsecure page (even if the form is in a "secure" frame) to a secure server.
Web User Agents MUST NOT display bitmaps controlled by Web Content in areas of the user interface that are intended or commonly used to communicate trust information to users.
A user agent SHOULD allow users to view details of why a request or access to a site was blocked based on profile settings, including a description of which configuration setting or settings contributed to the site being blocked (but displayed only on request).
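One way a user agent could enforce the password statement above, as an added example that is not from the slides or from the WSC working group's own documents. Function names and the sample page and frame URLs are hypothetical; the block also refuses plaintext form targets, which goes beyond the quoted rule.

```javascript
// Added example (not from the slides): one way a user agent could enforce the
// WSC statement "A client MUST NOT submit passwords from an unsecure page
// (even if the form is in a 'secure' frame) to a secure server."
// Function and field names are hypothetical; sample data is constructed.

const SECURE_SCHEMES = new Set(['https:', 'wss:']);

function isSecureUrl(url) {
  return SECURE_SCHEMES.has(new URL(url).protocol);
}

// ancestorChain: document URLs from the top-level page down to the frame
// that holds the form (innermost last). A single unsecure ancestor makes the
// whole context unsecure, because that ancestor controls what the frame shows.
// formAction: URL the form posts to. fields: [{ name, type }] form controls.
function evaluatePasswordSubmission(ancestorChain, formAction, fields) {
  if (!fields.some((f) => f.type === 'password')) {
    return { allowed: true, reason: 'no password field in form' };
  }
  const unsecureDoc = ancestorChain.find((u) => !isSecureUrl(u));
  if (unsecureDoc !== undefined && isSecureUrl(formAction)) {
    // The exact case the WSC rule names: mixed context, secure target.
    return { allowed: false, reason: `unsecure page ${unsecureDoc} -> secure server` };
  }
  if (!isSecureUrl(formAction)) {
    // Beyond the quoted rule: posting a password over plaintext is refused too.
    return { allowed: false, reason: `password posted over plaintext to ${formAction}` };
  }
  return { allowed: true, reason: 'password form and all ancestors are TLS-protected' };
}

// Constructed cases: a login frame over https embedded in an http news page,
// versus the same login page loaded as a top-level https document.
const loginFields = [{ name: 'user', type: 'text' }, { name: 'pw', type: 'password' }];
const mixedChain = ['http://news.example/', 'https://login.example/frame'];
const secureChain = ['https://login.example/'];

for (const chain of [mixedChain, secureChain]) {
  const verdict = evaluatePasswordSubmission(chain, 'https://login.example/auth', loginFields);
  console.log(chain[0], '=>', verdict.allowed ? 'submit' : 'block', '-', verdict.reason);
}
```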
Existing Standards
Human-Centered Design Processes
Usability Testing and Reporting
Voting
Privacy Standards - P3P
How do usable security standards relate?
Potential Gains
Increased interoperability and homogeneity
Raise the bar on minimum expectations
Motivate other work
Are we ready?
Results show what we’re doing wrong
Can we extrapolate a better solution?
Is stating what not to do better than nothing?
How do we avoid …
Enshrining the lowest common denominator
Introducing abstract or confusing options
Getting it Right
What’s the baseline?
How much improvement is enough?
What conditions should be tested and how much testing is enough?
What’s the balance for effectiveness, efficiency, and satisfaction?
Testing Validity
What level of assurance is necessary before a standard is suggested?
How to keep a variety of needs in mind while keeping testing manageable?
Is general testing possible while making specific recommendations?
Related links
Usability standards:
Voting and standards:
http://www.usabilitynet.org/tools/r_international.htm
http://www.stcsig.org/usability/topics/uistandards.html
http://zing.ncsl.nist.gov/uig_w3c/
http://www.itl.nist.gov/
http://vote.nist.gov/
http://www.acm.org/usacm/Issues/EVoting.htm
W3C standards:
http://www.w3.org/P3P/
http://www.w3.org/2006/WSC/