The Swirl Project:
Effective Security Through Visualization
 

Research approach

Our hypothesis is that a technical infrastructure which makes visible the configuration, activity, and implications of available security mechanisms will enable end users to make informed choices about their behavior; and that these informed choices, in turn, will yield more effective, more secure system use. To test this hypothesis, we propose to build a "trustable" infrastructure that makes information and security policy and configuration available to end users in ways that are visible, usable, and integrated with their normal activities.

Developing such an infrastructure poses a number of significant research challenges. These include the following:

  • understanding the strategies that users employ to evaluate the threats and defenses available for their activities;
  • creating informative and compelling graphical representations that inform users without overwhelming them;
  • integrating information from a heterogeneous set of components, each of which contributes to the current security of the system;
  • generating end-to-end understandings of security mechanisms; and
  • providing information to users in real-time, integrated with their application activities.

Our approach relies on two technical pillars: continuous visualization and event monitoring. Visual representations convey large amounts of complex data concisely. They are especially suited to problems involving large amounts of complex, multidimensional information. Visual representations shift work from the human cognitive system to the perceptual system, exploiting people's ability to detect patterns and anomalies, and to process large volumes of visual data quickly. These features make visual representations particularly well suited to the security domain. The complexity of the problem, the many dimensions and factors involved, and our concentration on assessment rather than automation all support our use of visualization. Moreover, we want to provide people with tools for understanding security in the context of their ongoing work, rather than tools for diagnosing unusual situations. The intent of these tools is to support a continuum of degrees of engagement, from a passive awareness of ongoing action to a detailed exploration of the current security state.

Continuous visualization requires that we continually gather information about current events from a variety of applications, services, and components. To achieve this, we draw on current research into event monitoring and distribution. Event-based architectures support loosely-coupled distributed services that operate at an Internet scale. Building on previous research into the use of event-based systems for user interface monitoring and evaluation, we plan to exploit a similar approach to support real-time visualization of distributed security services.

We are exploring the design principle of "integration of configuration and action" as part of our theoretical approach. Conventional interfaces separate configuration and action in both space and time, usually providing a separate control panel in which configuration is performed. Our design approach seeks to make configuration and action part of the same interactional space.

Research to date

Since our concern is with security as a matter of everyday practice, we conducted a brief empirical investigation of everyday user practices around security, interviewing a total of 20 users drawn from a number of distinct groups across two sites. We present a very brief outline here of some key results that have informed subsequent research investigation; Dourish et al. (2004) provides a fuller report on our methods.

Our goal in undertaking both a broad review of the literature and these empirical investigations has been to understand how best to approach the design of technologies supporting usable security. One design approach involves giving specific attention to the security features of a system, such as those components through which information encryption might be controlled, or through which privacy preferences might be expressed, and tackling the usability problems that typically beset those components. However, our empirical studies have suggested an alternative approach. Our investigations into user security practices suggest that security concerns cannot be localized within those components of a system specifically designed to address security. In the everyday world, security is not a delineable set of actions, but rather is a pervasive aspect of the ways in which work gets done. Accordingly, our design approach has been to understand and support security as an intrinsic aspect of interactive systems.

In particular, our approach in Swirl is based on supporting informed decision-making. The central problem of security, for end users, is two-fold: it involves understanding the system’s configuration and state, and understanding their consequences for user action. People act through information technology, and so our goal is to help them understand how an information system might mediate their actions. This turns our attention away from traditional considerations of expression and enforcement and towards explication and engagement – how can we provide people with insight into the operation of a distributed system, and how can we couple those understandings to the actions that people take? We have been exploring these questions through a series of prototypes designed to uncover, demonstrate, and evaluate a range of principles and specific designs (de Paula et al., 2005). In this account, we focus in particular on two design principles – visualizing system activity and integrating configuration and action.

Our first prototype, a Network Activity Viewer, was used only for demonstrations and internal activities; its function was not to be the basis of user trials, but rather to demonstrate the fundamental principle and provide a test-bed for experimenting with implementation ideas. Although this was a very preliminary demonstration, the application was able to show its potential to uncover aspects of network activity otherwise hidden, such as the use of off-site images and “web bugs” to maintain records of web site visitor activity. By making visible the pattern of network activity that leads to a particular page rendering, this system could begin to help people understand the consequences of their actions. This, more than the specific application or the particular design of the visual tools, was the initial goal. Although this application implemented a very elementary awareness mechanism, it served the purpose of helping us “visualize” aspects and patterns of network activity that are usually hidden and unexplored.
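As an added illustration of what such a viewer makes visible (this is not code from the Swirl project), the following Python script takes a constructed sample page, collects the resources its rendering would fetch, flags third-party 1x1 images as likely web bugs, and groups fetches by host, which is the raw material a network-activity visualization would draw. The sample page, the host names, and the 1x1-image heuristic are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: an on-site image, an off-site image, a third-party
# 1x1 tracking pixel ("web bug"), and an off-site script.
SAMPLE_HTML = """
<html><body>
<img src="/logo.png" width="120" height="40">
<img src="https://cdn.example.net/banner.jpg">
<img src="https://track.example.org/pixel.gif?id=123" width="1" height="1">
<script src="https://cdn.example.net/app.js"></script>
</body></html>
"""

class ResourceCollector(HTMLParser):
    """Records every external resource a page rendering would fetch."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.base_host = urlparse(base_url).hostname
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") if tag in ("img", "script", "iframe") else None
        if not src:
            return
        url = urljoin(self.base_url, src)
        host = urlparse(url).hostname
        # Heuristic (assumption): a 1x1 image served from another site is the classic web bug.
        tiny = tag == "img" and a.get("width") == "1" and a.get("height") == "1"
        self.resources.append({"tag": tag, "url": url, "host": host,
                               "offsite": host != self.base_host,
                               "web_bug": tiny and host != self.base_host})

def analyze_page(base_url, html):
    """Return the list of fetches, in document order, that rendering `html` triggers."""
    p = ResourceCollector(base_url)
    p.feed(html)
    return p.resources

def activity_by_host(resources):
    """Group fetches per host: the view a network-activity visualization would draw."""
    summary = {}
    for r in resources:
        entry = summary.setdefault(r["host"], {"fetches": 0, "web_bugs": 0})
        entry["fetches"] += 1
        entry["web_bugs"] += int(r["web_bug"])
    return summary
```

Calling `activity_by_host(analyze_page("https://www.example.com/", SAMPLE_HTML))` shows that the sample page contacts two third-party hosts, one of which is only ever asked for a tracking pixel.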

Our second prototype is Impromptu, an ad-hoc peer-to-peer file sharing application for small group synchronous and collocated interaction. This prototype was designed and implemented to help us evaluate the concept of integrating action and configuration within the same GUI. We conducted a series of cognitive walkthrough (CW) activities within our research group in order to flag some initial interface problems. CW offered important information concerning the “usability” of Impromptu, but provided limited insight with respect to our primary concern: how users’ privacy and security could be demonstrated through and supported by the application. We then conducted a series of informal pilot studies in which we observed pairs of individuals (drawn from our department) collaborating. Each pair was working on a self-selected task. Thus, they were highly motivated to complete their tasks given their realism, and tasks varied in structure and in the type of collaboration required. Sessions lasted one hour each. Our observations underline the necessity of integrating action and configuration, as well as the usefulness of providing a real-time visualization of activity. Results from the initial pilot studies can be found in (de Paula et al., 2005). For more information on the research described above, please see (de Paula et al., 2005b).

A formal user study of the Impromptu application has been performed, and its results are being published in (Rode et al., 2006). The results of that study have prompted us to design a number of new visual extensions to the Impromptu framework, most of which focus on history and temporal consistency. These extensions are also described in the above paper.

Future work

We are now exploring new forms of awareness visualization that will allow users to perceive additional activities on the network. A well-discussed problem with awareness mechanisms is the tension between notification of important events and disruption. We do not intend to create yet another notification system, but to take advantage of the convergence of new wireless hand-held devices. For example, we are exploring the use of a PDA or a cell phone running Impromptu in support of activities taking place on one’s notebook – while users carry out their collaborative tasks on their computer, they will be able to change the sharing levels of their files through the PDA as well as monitor who else might be “around.” By the same token, we are exploring the use of the environment as a situated and continuous awareness mechanism. The goal is to create mechanisms that increasingly match our everyday physical interactions with privacy and security.