SOUPS 2007 will include a Workshop on Usable IT Security Management
(USM'07) on July 18.
Scope and Focus
Usable security, which has recently received increasing attention, is
implicitly all about the end user who employs a computer system to
accomplish security-unrelated business or personal goals. However,
there is another aspect to usable security. IT professionals have to
deal with the problem, an order of magnitude more difficult, of
managing the security of large, complex enterprise systems, where an
error could cost a fortune. IT security is distributed amongst various
individuals and tools within the organization, which makes supporting
IT security management tasks hard. The diversity of the tasks also
contributes to the complexity of the issues:
- analysis of security and privacy regulations, requirements, and
liabilities
- management of security and privacy policies
- design of security controls and procedures
- deployment, integration, modification, and maintenance of security
solutions
- security configuration and monitoring of devices, systems, and
applications
- collection, visualization, and analysis of security information
- detection, reporting, response to, investigation of, and recovery
from security incidents
- management of user accounts and rights
- compliance with regulations
- patch management
Are the notions of usable security for end users and IT
professionals the same? What is unique about IT security management,
and why should the HCISec community care? What are the differences in
background, training, goals, tasks, constraints, and tools
between end users, IT security professionals, and other IT staff
(e.g., network admins)? How do these differences affect the
(perception of) usability of security mechanisms and tools? Can
the approaches to improving security usability for end users be
directly applied to the domain of IT security management, and vice
versa? In some modern-day systems, where users are largely
responsible for their own security self-administration, where is the
boundary between end users, power users, and IT security
professionals? Can it be defined precisely, or is it blurred?
USM'07 solicits short position papers from academia and
industry about all aspects of IT security management usability. The
workshop will provide an opportunity for interdisciplinary
researchers and practitioners to discuss this fascinating and
important topic. Those interested in presenting at the workshop
should submit a position paper of up to four pages along with a
cover letter describing their research interests, experience, and
background in the area of usable IT security management. Workshop
papers will be posted on the SOUPS website and distributed to
attendees on the SOUPS 2007 CD. However, workshop papers will not be formally
published, and therefore may include work the authors plan to
publish elsewhere.
Submissions
The workshop solicits position papers from academia and industry
about all aspects of IT security management usability. Papers may be
up to 4 pages in length including bibliography, appendices, and
figures, using the ACM SIG proceedings template at
http://www.acm.org/sigs/pubs/proceed/template.html (LaTeX users
should use template Option 2). All submissions must be in PDF format
and should not be blinded.
Submit your paper using the electronic submissions page for the
SOUPS 2007 conference. A successful submission will display a web
page confirming it, and a confirmation email will be sent to the
corresponding author. Please make sure you receive that confirmation
email when you submit, and follow the directions in that email if
you require any follow-up.
Paper submissions will close at 11 PM on April 13. Authors will be
notified of acceptance by May 11, and camera-ready final versions of
the papers will be due June 5.
Program
9:00 - 9:05 Introductions and logistics
(Konstantin Beznosov and John Karat, workshop organizers)
9:10 - 9:55 Opening session
9:55 - 10:15 Presentations
- Observations on the topic of usability within security management
(John Karat)
- Myths and reality of IT security management
(Konstantin Beznosov)
10:15 - 10:45 Break
10:45 - 12:00 IT Security Viewpoints
12:00 - 1:00 Lunch
1:00 - 2:15 IT Security Management: In Small and At Large
2:15 - 2:30 Break
2:30 - 3:15 Implications for Designing Usable IT Security
Management Tools
INVITED TALK
Sioux Fleming - The New Challenges Malware Attacks Present to IT
Security Staff
How is IT security with respect to malware different from other IT tasks,
and what challenges does this pose? Malware outbreaks are nothing new
to IT security staff, but recent changes in the ways malware is
propagated, as well as in the motivation for this propagation, have changed
the situation. For IT security, this means determining when automated
outbreak response systems are sufficient and when additional measures
are required to prevent major disruptions to business continuity or
security breaches. Network perimeter security, email, Internet use,
user rights, password policies, software updates, and physical security
all play a role in determining whether or not malware can enter and
spread, and each is often handled by a different IT group or department.
The amount of information coming in from all these systems can be
overwhelming, even if centralized security information management tools
are in place. When developing security information systems and
strategies to handle such threats, which groups in IT need to be
involved? This talk will give real-world examples of outbreaks at large
corporations and discuss what security information is needed to develop
an efficient IT security strategy to prevent them.
Sioux Fleming is a director of product management for eTrust security
management at CA, responsible for enterprise threat management
evangelism. She joined CA as part of its acquisition of PestPatrol,
where she served as group product manager. Sioux has a wide range of
experience in the security tools industry, including antivirus and
encryption security in addition to anti-spyware. She also has prior
experience in the software industry in media asset management tools,
enterprise PC migration tools and other system utilities at companies
such as Central Point Software and Symantec. Sioux holds a bachelor of
science degree in physics from Lewis and Clark College in Portland,
Oregon.
SOUPS is sponsored by Carnegie Mellon CyLab.