the cups blog


Technology transfer of successful usable security research into product

About 15 SOUPS attendees attended this discussion session (thanks to all of you!). While we spent plenty of time on the challenges of technology transfer, I’m recording the useful practices and forward-looking ideas on the topic, to help inspire others. I apologize for not citing names and organizations; feel free to self-declare parts that were “yours”! Also, feel free to include anything I missed.

  • Proof of usability enables tech transfer. Some people who transfer research ideas into deployment use personas, use-case-based modeling, and lots of usability testing. Researchers who do some of this themselves and publish the results may have an easier time making the transition.
  • Make the “real problems” known so academics can use them in their own work and in evaluating the work of others for funding and publication. Examples: usability, scalability (e.g. 3 million enrollments), performance, deployment (e.g. client-side install). A list, taxonomy, or other framework might be helpful.
  • Product timelines are short. Techniques are needed to evaluate usable security ideas in a product context within the constraints of a product cycle timeline.
  • Intellectual property status is a big concern. Researchers interested in getting uptake on their ideas are encouraged to be very clear about the ideas’ IP status, particularly if they are giving an idea away with no encumbrances.
  • Best practices can be easy to tech transfer. For example, guidance on how to make security or privacy mechanisms or artifacts usable.
  • Heterogeneous user populations should be designed for. For example, user age range (13 – 97), low income (public terminal access).
  • Analysts can help make recommendations for technology transfer. Perhaps there should be more opportunities for outreach or discussions between the research community and analysts.
  • Results from experience of use can be harder to publish (since the conditions are not controlled) but are very useful for justifying or motivating technology transfer, and can catch small problems with a big impact. One example is Google’s approach of trying out different designs and measuring their use.
  • Real-world data is hard for researchers to get. More work on finding ways to share data sets safely would help, as would canonical data sets based on real-world attributes.
  • A forum for new ideas can be incredibly useful to people looking for ideas to pull into their products or deployments, even half-baked ones. One example is the New Security Paradigms Workshop.