INVITED TALK
Shortcuts, Habits and Sand Castles
Austin Hill, co-founder of Radialpoint, will share his insights on
usable security from a corporate perspective. He'll touch on where
security and usability intersected (often badly) in the past and why
the future of computer security relies on rethinking user interaction
points. In contrast, the usable security issues encountered in actual
live deployments drive and justify commercial investment in
understanding and fixing them. He'll focus on the large impact and
common problems that have driven work at Radialpoint in that area.
Austin Hill is co-founder of Radialpoint and acted as its President
from 1997 to 2001. He was previously the co-founder of TotalNet, one
of Canada's most successful Internet Service Providers, where he built
and maintained a national IP network and billing and support
system. Prior to TotalNet, he created Cyberspace Data Security, an
early network security consulting firm. An avid technologist and
passionate speaker, Austin is a leading lecturer and presenter on
security and privacy issues. He has spoken at COMDEX, the
International Conference on Privacy and Personal Data Protection, and
the Davos World Economic Forum, where he was named a Technology
Pioneer (2001). Austin also represented Canadian technology firms with
Industry Canada at the G8 summit on International Cybercrime, and has
presented to the Federal Trade Commission, the FCC, the US Department
of Homeland Security's Data Integrity and Privacy Advisory Committee,
and the Federal Bureau of Investigation and Communication Security
Association (Canada).
POSTERS
ANALYTICAL TOOLS FOR PRIVACY RISKS: ASSESSING EFFICACY ON VOTE
VERIFICATION TECHNOLOGIES
Rosa R. Heckle and Stephen H. Holden (UMBC)
CATEGORIZING RFID PRIVACY THREATS WITH STRIDE
Dale R. Thompson, Jia Di, Harshitha Sunkara, and Craig Thompson (University of Arkansas)
CONTEXT SENSITIVE PASSWORD
Anthony Y. Fu, Robert C. Miller, Greg Little, and Min Wu (Massachusetts Institute of Technology)
ENGENDERING TRUST: PRIVACY POLICIES AND SIGNATURES
Joshua B. Gross, Jessica Sheffield, Alice Anderson, and Nan Yu (Pennsylvania State University)
EXTENDING DESKTOP APPLICATIONS WITH POCKET-SIZE DEVICES
Roberto Silveira Silva Filho and David F. Redmiles (University of California, Irvine)
FOXTOR: ANONYMOUS WEB BROWSING
Sasha Romanosky and Cynthia Kuo (Carnegie Mellon University)
FUTURE DECRYPTION: SECURE THE TIME SENSITIVE INFORMATION
Bessie C. Hu, Anthony Y. Fu and Xiaotie Deng (City University of Hong Kong)
HITCHHIKING: A PRIVACY-PRESERVING FRAMEWORK FOR COLLECTING LOCATION-BASED DATA ON COMMODITY DEVICES
Karen P. Tang, James Fogarty, Pedram Keyani, Jason I. Hong (Carnegie Mellon University) and Anket Mathur (University of Texas - San Antonio)
HOW TO LOGIN FROM AN INTERNET CAFE WITHOUT WORRYING ABOUT KEYLOGGERS
Cormac Herley and Dinei Florencio (Microsoft Research)
HUMAN FRIENDLY CAPTCHAS - SIMPLE GAMES
Deapesh Misra and Kris Gaj (George Mason University)
IMPROVING THE PASSWORD SELECTION MECHANISM
Richard Conlan and Peter Tarasewich (Northeastern University CC&IS)
IMPROVING USER DECISIONS ABOUT OPENING POTENTIALLY DANGEROUS
ATTACHMENTS IN E-MAIL CLIENTS
Ricardo Villamarin-Salomon, Jose Carlos Brustoloni (University of Pittsburgh), Matthew DeSantis and
Ashley Brooks (Carnegie Mellon University)
INFORMATION REQUESTED BY WEB SITES AND USERS' COMPREHENSION OF PRIVACY
POLICIES
Robert W. Proctor, M. Athar Ali (Purdue University), and Kim-Phuong
L. Vu (California State University, Long Beach)
INFORMATION VISUALIZATION FOR RULE-BASED RESOURCE ACCESS CONTROL
Jaime Montemayor, Andrew Freeman, John Gersh, Thomas Llanso and Dennis
Patrone (Johns Hopkins University)
INITIAL ADOPTION OF A DISTRIBUTED ACCESS CONTROL SYSTEM
Kami Vaniea, Lujo Bauer, Lorrie Cranor and Mike Reiter (Carnegie Mellon University)
INVESTIGATING SECURITY-RELATED BEHAVIORS AMONG COMPUTER USERS WITH
MOTOR IMPAIRMENTS
John D'Arcy and Jinjuan Feng (Towson University)
MANAGING VISUAL PRIVACY WITHIN THE WEB BROWSER
Kirstie Hawkey and Kori M. Inkpen (Dalhousie University)
MEDIA CHARACTERIZATION FOR THE VISUALIZATION OF SECURE PATHS
Paul DiGioia and Paul Dourish (University of California, Irvine)
PROTECTING THE PRIVACY OF DISPLAYED INFORMATION
Peter Tarasewich, Jun Gong and Richard Conlan (Northeastern University)
ROLE-BASED ACCESS CONTROL FOR E-SERVICE INTEGRATION
Peter Lamb, Robert Power, Gavin Walker and Michael Compton (CSIRO ICT Centre)
SESAME: EXTENDING THE DESKTOP METAPHOR TO SUPPORT SECURITY DECISION
MAKING
Jennifer Stoll, Craig Tashman and W. Keith Edwards (Georgia Institute
of Technology)
SYMBOLS OF PRIVACY
Janice Tsai, Serge Egelman, Rachel Shipman, Kok-Chie Daniel Pu, Lorrie
Cranor and Alessandro Acquisti (Carnegie Mellon University)
WHY JOHNNY STILL CAN'T ENCRYPT: EVALUATING THE USABILITY OF EMAIL
ENCRYPTION SOFTWARE
Steve Sheng, Colleen Koranda, Jeremy Hyland and Levi Broderick (Carnegie Mellon University)
DISCUSSION SESSIONS
Johnny Can Obfuscate: Beyond Mother's Maiden Name
Moderator: Bill Cheswick, Lumeta
Challenge/response authentication is stronger than password
authentication, but has traditionally required a device for computing
the challenge. Though human computation is limited, people can compute
simple responses to challenges. If the challenge and the corresponding
response are obfuscated with decoy information, an authentication
scheme might be strong enough for a number of applications. The signs
used in major league baseball provide some interesting techniques for
obfuscation. We will brainstorm about obfuscation techniques that
might work for an authentication scheme and discuss the feasibility
of such a scheme.
Teaching Usable Privacy and Security
Moderators: Lorrie Cranor and Jason Hong, CMU
As interest in usable privacy and security grows, new courses are
being developed in this area. This discussion session will bring
together faculty members who have taught or are interested in teaching
courses related to usable privacy and security. Faculty members
interested in teaching modules on security/privacy as part of an HCI
course or modules on HCI/usability as part of a security course are
also encouraged to participate. We will discuss curricula, course
formats, readings, ideas for assignments and projects, etc. Faculty
members are encouraged to bring copies of their syllabus or other
course materials and/or pointers to their course web sites to share
with participants.
Lorrie Cranor and Jason Hong (along with their colleague Michael
Reiter) developed and taught a graduate Usable Privacy and Security
Course at Carnegie Mellon University in Spring 2006 (see
http://cups.cs.cmu.edu/courses/ups.html).
Policy Management: A Central Theme for Usable Privacy and Security Systems
Moderator: John Karat, IBM T.J. Watson Research Center
In this session we will discuss the many ways in which policies may
have an impact on security and privacy. This will include discussion
of both individual concerns (e.g., what rules individuals might want
to express concerning the use of information about them),
organizational concerns (e.g., how to communicate and enforce the
policies they have for protecting personal data), and how technology
might evolve to allow dialogue or negotiation between parties
regarding security and privacy policies. While privacy and security
are not entirely about "setting rules and enforcing them," we do
believe that information system privacy and security do involve many
aspects of policy management, and that policy management is an
important aspect of making such systems usable. Some topics for
discussion include:
- What are the similarities and differences in security and privacy policies?
- How do standards contribute to development of privacy and security policies?
- How should security and privacy policies be authored?
- How do people know the policies in effect when interacting with a system?
- What is the connection between high level policies and enforcement in IT systems?
- How can IT policies be made easier for people to understand?
SOUPS is sponsored by Carnegie Mellon CyLab.