Usability and Security
Conventional approaches to security regard it as a technical problem, to be solved by using mathematical techniques to provide provable cryptographic guarantees. However, we think of security differently. We think of it as a practical problem that people routinely encounter and solve every day.
From our perspective, the fundamental security problem is an everyday problem for people. It is the problem, "Is this system secure enough for what I want to do?" Every time someone types in their password (or decides not to), enters their credit card number (or decides not to), stores an important document (or decides not to), or carries out an electronic transaction (or decides not to), they have encountered this problem and have come to some decision. The interesting research question is, first, how do they make this decision, and second, how can we help them to make it better?
We are especially interested in the resources that allow people to make these decisions. What cues or clues allow them to determine when an action is safe or not? Interestingly, many conventional, technical approaches to security actually make things worse. By making security a "transparent" feature of network access, we actually make it harder for people to assess the current level of security and its consequences for their actions.
We believe that, to understand this, we need to turn to analyses of real-world practice. Empirically, we have been conducting interviews to help understand people's mental models of application security. Mental models are, roughly, the internal pictures that people have of how the system works. These models are the basis on which they draw interpretations and conclusions. Analytically, we have been drawing on a second strand of research, investigating the foundations of privacy in electronically mediated environments.
Many of the interactive and collaborative systems that we develop, especially in the domain of ubiquitous computing, depend on gathering, collating, and sharing information about individual and collective activities. They raise important privacy questions, but we currently lack an effective conceptual or design vocabulary for dealing with these. Along with Leysia Palen, I have been trying to address this problem, especially by turning to models of privacy management from social psychology. We have been using a model developed by Irwin Altman, who emphasizes that privacy is not simply a state of social withdrawal, but rather is a dynamic, dialectic process of boundary regulation, characterized as much by information sharing as by information hoarding. (More details on this were published in a paper at CHI 2003; see publications.)
We believe that this dynamic, dialectic approach has some important consequences for how we design security solutions; rather than applying security insights to privacy problems, we are attempting to apply privacy insights to security problems. We are developing technologies that let people see what's going on inside their computer system, to see security and privacy issues arise in context, and to provide dynamic control over them. This work is based in part on the visual virtual machine, but extends it to higher-level forms of activity.
This work has been carried out with Leysia Palen (Colorado), David Redmiles, Jessica Delgado, and Melissa Joseph.