Looking for trouble

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Looking for trouble: understanding end-user security management

Full text

Pdf (215 KB)

Source

Computer Human Interaction for the Management of Information Technology archive
Proceedings of the 2007 symposium on Computer human interaction for the management of information technology table of contents

Cambridge, Massachusetts

SESSION: Usability and security table of contents

Article No. 10

Year of Publication: 2007

ISBN:1-59593-635-6

Authors

Joshua B. Gross	The Pennsylvania State University
Mary Beth Rosson	The Pennsylvania State University

Sponsor

SIGCHI: ACM Special Interest Group on Computer-Human Interaction

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): n/a, Downloads (12 Months): n/a, Citation Count: 3

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1234772.1234786 What is a DOI?

ABSTRACT

End users are often cast as the weak link in computer security; they fall victim to social engineering and tend to know very little about security technology and policies. This paper challenges this view as derogatory and unconstructive, arguing that users, as agents of organizations, often have sophisticated strategies regarding sensitive data, and are quite cautious. Existing work on user security practice has failed to consider how users view security; this paper provides content on and analysis of end user perspectives on security management. We suggest that properly designed systems would bridge the knowledge gap (where necessary) and mask levels of detail (where possible), allowing users to manage their security needs in synchrony with the needs of the organization. The evidence for our arguments comes from a set of in-depth interviews with users with no special training on, knowledge of, or interest in computer security. We conclude with guidelines for security and privacy tools that better leverage existing users knowledge.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Women in the Labor Force: A Databook. Labor, U.S.D.o. ed., 2005.
	2	Worm targets Macs via Bluetooth Cnn.com, 2006.
	3	Alessandro Acquisti , Jens Grossklags, Privacy and Rationality in Individual Decision Making, IEEE Security and Privacy, v.3 n.1, p.26-33, January 2005 [doi>10.1109/MSP.2005.22]
	4	Anne Adams , Ann Blandford, Bridging the gap between organizational and user perspectives of security in the clinical domain, International Journal of Human-Computer Studies, v.63 n.1-2, p.175-202, July 2005 [doi>10.1016/j.ijhcs.2005.04.022]
	5	R. Anderson, Why Information Security is Hard-An Economic Perspective, Proceedings of the 17th Annual Computer Security Applications Conference, p.358, December 10-14, 2001
	6	Frederick P. Brooks, Jr., No Silver Bullet Essence and Accidents of Software Engineering, Computer, v.20 n.4, p.10-19, April 1987 [doi>10.1109/MC.1987.1663532]
	7	John M. Carroll, Making Use: Scenario-Based Design of Human-Computer Interactions, MIT Press, Cambridge, MA, 2000
	8	Antonella De Angeli , Lynne Coventry , Graham Johnson , Karen Renaud, Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems, International Journal of Human-Computer Studies, v.63 n.1-2, p.128-152, July 2005 [doi>10.1016/j.ijhcs.2005.04.020]
	9	Rogério de Paula , Xianghua Ding , Paul Dourish , Kari Nies , Ben Pillet , David F. Redmiles , Jie Ren , Jennifer A. Rode , Roberto Silva Filho, In the eye of the beholder: a visualization-based approach to information system security, International Journal of Human-Computer Studies, v.63 n.1-2, p.5-24, July 2005 [doi>10.1016/j.ijhcs.2005.04.021]
	10	Rachna Dhamija , J. D. Tygar , Marti Hearst, Why phishing works, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada [doi>10.1145/1124772.1124861]
	11	Rachna Dhamija , J. D. Tygar, The battle against phishing: Dynamic Security Skins, Proceedings of the 2005 symposium on Usable privacy and security, p.77-88, July 06-08, 2005, Pittsburgh, Pennsylvania [doi>10.1145/1073001.1073009]
	12	Paul Dourish , E. Grinter , Jessica Delgado de la Flor , Melissa Joseph, Security in the wild: user strategies for managing security as an everyday, practical problem, Personal and Ubiquitous Computing, v.8 n.6, p.391-401, November 2004 [doi>10.1007/s00779-004-0308-5]
	13	Shirley Gaw , Edward W. Felten, Password management strategies for online accounts, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania [doi>10.1145/1143120.1143127]
	14	Holmstrom, U., User-centered design of secure systems. in Proceedings of Human Factors in Telecommunications, (Copenhagen, Denmark), 1999.
	15	Jeffs, T. and Smith, M. K. Informal Education: Conversation, Democracy and Learning. Education Now, 1996.
	16	Carlos Jensen , Colin Potts , Christian Jensen, Privacy practices of Internet users: self-reports versus observed behavior, International Journal of Human-Computer Studies, v.63 n.1-2, p.203-227, July 2005 [doi>10.1016/j.ijhcs.2005.04.019]
	17	Karat, C.-M., Iterative Usability Testing of a Security Application. in Human Factors, 1989.
	18	John Karat , Clare-Marie Karat , Carolyn Brodie , Jinjuan Feng, Privacy in information technology: designing to enable privacy policy management in organizations, International Journal of Human-Computer Studies, v.63 n.1-2, p.153-174, July 2005 [doi>10.1016/j.ijhcs.2005.04.011]
	19	David P. Kormann , Aviel D. Rubin, Risks of the passport single signon protocol, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.33 n.1-6, p.51-58, June 2000
	20	Kwan Min Lee , Clifford Nass, Designing social presence of social actors in human computer interaction, Proceedings of the SIGCHI conference on Human factors in computing systems, April 05-10, 2003, Ft. Lauderdale, Florida, USA [doi>10.1145/642611.642662]
	21	March, J. G. and Simon, H. A. Organizations, 1958.
	22	Mason, J. Qualitative Researching. SAGE Publications Ltd, London, UK, 1996.
	23	Roy A. Maxion , Robert W. Reeder, Improving user-interface dependability through mitigation of human error, International Journal of Human-Computer Studies, v.63 n.1-2, p.25-50, July 2005 [doi>10.1016/j.ijhcs.2005.04.009]
	24	Mitnick, K. D. The Art of Deception. John Wiley & Sons, New York, 2003.
	25	Mosteller, W. S. and Ballas, J., Usability Analysis of Messages from a Security System. in Human Factors, 1989.
	26	Wanda J. Orlikowski, Using Technology and Constituting Structures: A Practice Lens for Studying Technology in Organizations, Organization Science, v.11 n.4, p.404-428, July 2000 [doi>10.1287/orsc.11.4.404.14600]
	27	Volker Roth , Tobias Straub , Kai Richter, Security and usability engineering with particular attention to electronic mail, International Journal of Human-Computer Studies, v.63 n.1-2, p.51-73, July 2005 [doi>10.1016/j.ijhcs.2005.04.015]
	28	M. A. Sasse , S. Brostoff , D. Weirich, Transforming the 'Weakest Link' — a Human/Computer Interaction Approach to Usable and Effective Security, BT Technology Journal, v.19 n.3, p.122-131, July 2001 [doi>10.1023/A:1011902718709]
	29	Bruce Schneier, Secrets and Lies, Wiley-VCH, 2004
	30	Seely Brown, J. and Duguid, P. Organizational Learning and Communities-of-Practice: Toward a Unified View of Working, Learning, and Innovation. Organization Science, 2 (1), 1991, 40--57.
	31	Selber, S. A. Multiliteracies for a Digital Age. Southern Illinois University Press, 2004.
	32	Serazzi, G. and Zanero, S. Computer Virus Propagation Models. in Performance Tools and Applications to Networked Systems, Spring, 2004, 26--50.
	33	Siponen, M. T. A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8 (1), 2000, 31--41.
	34	Thomas, D. A. Security Threats and FBI Counterintrusion Efforts, Penn State, 2005.
	35	Julie Thorpe , P. C. van Oorschot, Towards Secure Design Choices for Implementing Graphical Passwords, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), p.50-60, December 06-10, 2004 [doi>10.1109/CSAC.2004.44]
	36	Watkins, K. E. and Marsick, V. J. Towards a Theory of Informal and Incidental Learning in Organizations. International Journal of Lifelong Education, 11 (4), 2001, 287--300.
	37	Susan Wiedenbeck , Jim Waters , Jean-Camille Birget , Alex Brodskiy , Nasir Memon, PassPoints: design and longitudinal evaluation of a graphical password system, International Journal of Human-Computer Studies, v.63 n.1-2, p.102-127, July 2005 [doi>10.1016/j.ijhcs.2005.04.010]

CITED BY 3

	Lorrie Faith Cranor, A framework for reasoning about the human in the loop, Proceedings of the 1st Conference on Usability, Psychology, and Security, p.1-15, April 14-14, 2008, San Francisco, California
	Joshua B. Gross , Mary Beth Rosson, End user concern about security and privacy threats, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania
	Jeremy Goecks , W. Keith Edwards , Elizabeth D. Mynatt, Challenges in supporting end-user privacy and security management with social navigation, Proceedings of the 5th Symposium on Usable Privacy and Security, July 15-17, 2009, Mountain View, California