Security in the wild: user strategies for managing security as an everyday, practical problem

Ubiquitous and mobile technologies create new challenges for system security. Effective security solutions depend not only on the mathematical and technical properties of those solutions, but also on people’s ability to understand them and use them as part of their work. As a step towards solving this problem, we have been examining how people experience security as a facet of their daily life, and how they routinely answer the question, “is this system secure enough for what I want to do?” We present a number of findings concerning the scope of security, attitudes towards security, and the social and organizational contexts within which security concerns arise, and point towards emerging technical solutions.
