Effective Security Awareness through Visualization

 
 

Security system designers have long valued transparency as a feature of their technologies, on the assumption that transparent approaches can more easily be integrated with existing practices. However, we believe that transparent security mechanisms are, effectively, an extension of the discredited "security through obscurity" principle to the user interface; by obscuring the means through which security is achieved, they make it impossible for users to assess the security implications of their own actions. We believe that the complexity of using, monitoring and comprehending security technologies and their relationship to applications and tasks is a critical problem for improving effective security. Before computing can be trusted, it must be trustable. A trustable infrastructure is one that makes its actions observable and verifiable. Our concern is with the interactive resources that people need in order to trust the information infrastructures that they encounter. This is a matter for interface and infrastructure design. It is independent of the security model at work; it does not stipulate the use of mathematically verifiable cryptography, particular access control mechanisms or other local or global security policies. However, it is critical to the practical management of those policies. As Bruce Schneier cogently observed, "Security measures that aren't understood and agreed to by everyone don't work" (Schneier, 2000:373). Our work addresses this problem.

Our motivating observation is that the effectiveness of current security mechanisms, as encountered by end users in the software systems that they use on a daily basis, is compromised by fragmentation and lack of visibility. When users cannot understand these mechanisms, they cannot make effective decisions about how and when to use them. Our hypothesis is that a technical infrastructure which makes visible the configuration, activity, and implications of available security mechanisms will enable end users to make informed choices about their behavior; and that these informed choices, in turn, will yield more effective, more secure system use. To test this hypothesis, we propose to build a "trustable" infrastructure that makes information and security policy and configuration available to end users in ways that are visible, usable, and integrated with their normal activities.

Developing such an infrastructure poses a number of significant research challenges. These include the following:

  • understanding the strategies that users employ to evaluate the threats and defenses available for their activities;
  • creating informative and compelling graphical representations that inform users without overwhelming them;
  • integrating information from a heterogeneous set of components, each of which contributes to the current security of the system;
  • generating end-to-end understandings of security mechanisms; and
  • providing information to users in real-time, integrated with their application activities.

Our approach is based on two technical pillars: continuous visualization and event monitoring.

Visual representations convey large amounts of complex data concisely. They are especially suited to problems involving large amounts of complex, multidimensional information. Visual representations shift work from the human cognitive system to the perceptual system, exploiting people's ability to detect patterns and anomalies, and to process large volumes of visual data quickly. These features make visual representations particularly well suited to the security domain. The complexity of the problem, the many dimensions and factors involved, and our concentration on assessment rather than automation all support our use of visualization. Moreover, we want to provide people with tools for understanding security in the context of their ongoing work, rather than tools for diagnosing unusual situations. The intent of these tools is to support a continuum of degrees of engagement, from a passive awareness of ongoing action to a detailed exploration of the current security state.

Continuous visualization requires that we continually gather information about current events from a variety of applications, services, and components. To achieve this, we draw on current research into event monitoring and distribution. Event-based architectures support loosely-coupled distributed services that operate at an Internet scale. Building on previous research into the use of event-based systems for user interface monitoring and evaluation, we plan to exploit a similar approach to support real-time visualization of distributed security services.

 
 

This work is being conducted by the Institute for Software Research at the University of California, Irvine.

This material is based upon work sponsored by the Intel Corporation, and by the National Science Foundation under the Information Technology Research (ITR) program. The content of the information does not necessarily reflect the position or the policy of either organization and no official endorsement should be inferred.

