SOUPS 2006

July 12-14, 2006
Pittsburgh, PA

Symposium On Usable Privacy and Security

WORKSHOP: Psychological Acceptability and How to Design For It: Lessons Learned in Designing for Usable Security and Privacy

Title: Psychological Acceptability and How to Design For It

Workshop Length: Full Day

Target Audience: Anyone responsible for the "look and feel" of security and privacy

Ryan West - SAS Institute Inc. (ryan.west AT
Matt Bishop - University of California, Davis (bishop AT

Deadline for Position Papers: May 5, 2006

Workshop date: July 12, 2006


The Principle of Psychological Acceptability states that security mechanisms should not make systems and programs more difficult to use. The principle highlights the need to consider users and system administrators in the design, development, installation, and maintenance of security- and privacy-related software and systems. This workshop tries to address this need.

The Psychological Acceptability and How to Design For It Workshop will be a full day workshop at SOUPS 2006 on lessons learned and recommendations for the design of features and applications related to security or privacy.

This workshop is intended for interaction designers or non-designers who are responsible for feature or application design decisions regarding security or privacy. However, anyone who is interested in the topic is welcome to attend.

The goal of this workshop is to share experiences and success stories (and failures), and attempt to extrapolate themes and solutions that generalize to other user-security and privacy design problems.

Scope of Topic

By design, we refer to the visual appearance, user interaction, and workflow of the user's experience. Generally speaking, we are interested in concrete solutions that have been implemented or prototyped and surfaced in some fashion to a user. This includes, but is not limited to the following:

  • Tradeoffs made between usability, security, and privacy considerations
  • Solutions that address the complexity of security (ex. appropriate metaphors, visualizations, models, etc.)
  • General interaction models (ex. task-based vs. object-based interfaces, etc.)
  • Presentation of security or privacy related messages, instructions, or warnings
  • Icons and images
  • Design solutions that inherently foster security or privacy
  • Hardware design issues (ex. security tokens, smartcards, etc.)

This generally excludes discussion of solutions predominantly at the architectural level.

Requirements for Participation

The workshop is open to all conference attendees who are interested in hearing the experiences of others and sharing their own.

In addition, we invite position papers (5 pages maximum) that describe experiences or case studies in designing usable security or privacy features/applications and the best practices you recommend based on those experiences.

Position papers will be selected for presentation and discussion during the workshop. All papers will be made available prior to the workshop. Additionally, papers accepted for presentation will be included on the conference website and proceedings CD/DVD.

Position papers must address the following issues:

  1. What was the design problem you encountered? Were there tradeoffs you had to make regarding security, ease of use, or privacy and what were they?
  2. What design solution(s) did you attempt and/or finally arrive at?
  3. What best practice recommendations do you make based on your experience and why?

If you have questions about the appropriateness of a topic, please contact &


Position papers must be submitted to Ryan West ( no later than May 5, 2006.

Organizer Background

Matt Bishop is in the Department of Computer Science at the University of California at Davis, where he teaches and does research in computer security, and dabbles in other areas. His textbook Computer Security: Art and Science is widely used in advanced undergraduate and graduate classes. He received a PhD in computer science from Purdue University in 1984.

Ryan West is a user experience researcher who has studied enterprise-class systems administration at Microsoft and now the SAS Institute. He has conducted academic research in risk and decision-making and applied research in areas ranging from medical mistakes to computer security. Ryan has a PhD in cognitive psychology from the University of Florida.


SOUPS is sponsored by Carnegie Mellon CyLab.