Panel Session

Building Usable Security Systems

Abstract: This panel will review some of the human-factors issues encountered when building usable security systems. It will explore the roles and demands placed on users of security systems, and provide examples of design solutions that can assist in making security systems usable and effective. The goal of the panel is to bring awareness of human-factors issues to the conference community, build a network of interested people, discuss high priority areas for research and development, and explore opportunities for collaboration.

Moderator: Andrew Patrick, National Research Council of Canada

Panelist: Andrew Patrick, National Research Council of Canada
Topic: Usability and Acceptability of Biometric Security Systems

Biometrics are receiving a lot of attention because of the potential to increase the accuracy and reliability of identification and authentication functions. A lot of research has been done to assess the performance of biometric systems, with an emphasis on false acceptances and rejections. Andrew Patrick will review research being done in his laboratory and in other laboratories that examines the usability and acceptability of biometric security systems. Factors that make biometrics usable include the ergonomics of the devices, the training and feedback that are provided, and the integration with target applications and services. Acceptability seems to be influenced by the perceived benefit of biometrics, which is often one of convenience rather than increased security, and the context of use.

Dr. Andrew Patrick is a Senior Scientist at the National Research Council of Canada. He is currently conducting research on the human factors of privacy protection, computer interface issues for trustable software agents, the human factors of security systems, and advanced collaboration environments. Dr. Patrick holds a Ph.D. in Cognitive Psychology from the University of Western Ontario.

Panelist: L. Jean Camp, Harvard University
Topic: Risk Perception Failures in Computer Security

Classic human failures with respect to risk perception influence the design of privacy and security enhancing systems. Classic risk perception failures that influence user risk perception of security and privacy technology include visibility of risks, lack of horror, and lack of an identifiable point source. Communicating risk accurately in terms of classic statistics is not adequate. Risk communication argues for a better understanding of the mental models of the non-expert user. Framing is a critical issue, yet a problematic one because framing can be used by companies offering better security, or simply more attractive design. Computer security can learn from studies of risk communication in environmental studies.

L. Jean Camp is a Professor at Harvard University's Kennedy School of Government. She integrates technical and social research into designs that are optimized for the social situations in which they will be diffused. Professor Camp holds a doctorate in Engineering and Public Policy from Carnegie Mellon University.

Panelist: Bill Yurcik, NCSA, University of Illinois
Topic: Visualization Tools for Security Administrators

System administrators are users too! In fact, they may have more effect on security than individual users, since they manage larger systems on behalf of many users. This presentation will describe several research projects that use interactive visualization to support security staff; the initial results are very promising. Specifically, Bill will look at security usability related to intrusion detection, network management, and cryptography scalability (PKI).

Bill Yurcik is Manager of Security Research at NCSA, which is tightly coupled with the operational security of NCSA's high performance computing and communications. Bill deals with computer network security events on a daily basis and develops tools to help incident response teams better understand and handle problems, and especially to leverage themselves against many demands. Bill has 14 years of professional experience in network management (especially security) for Verizon, the US Navy, NASA, Mitre, and now NCSA. Prior to managing Security Research at NCSA, Bill managed operational security for NCSA. Bill has a BS in Electrical Engineering from the University of Maryland, an MS in Electrical Engineering from Johns Hopkins, an MS in Computer Science from Johns Hopkins, and is PhD ABD at the University of Pittsburgh. Lastly, Bill has 60+ peer-reviewed publications, the majority of them focused on security, and has been a Visiting Professor at two universities (Illinois State and Illinois Wesleyan Universities).

Panelist: Ka-Ping Yee, NCSA, University of California, Berkeley
Topic: Principles of Secure Interaction Design

Since software is ultimately operated by end users, security vulnerabilities at the user level can be just as dangerous as implementation flaws. How should user interfaces be designed in order to support security goals? Do more secure systems have to be more complicated and harder to use? Ping will discuss ways to bring security and usability goals in line with each other and suggest a set of principles that can help guide the design of secure user interfaces. He will illustrate how you can use these principles to evaluate and improve the user interface of a real financial cryptography application.

Ka-Ping Yee is a graduate student in computer science at UC Berkeley, specializing in human-computer interaction. He has a B.A.Sc. in Computer Engineering from the University of Waterloo and has held an IBM Ph.D. Fellowship for the past two years. Ping has published in Communications of the ACM, at the ACM Conference on Human Factors in Computing Systems, and at the International Conference on Information and Communications Security.