Symposium On Usable Privacy and Security

INVITED TALK

Ross Anderson - Towards a science of security and human behaviour

PANEL

Testing for Usable Security - What Relationship, If Any, Does It Have To Product Design?

The CHI community has had long debates about the place of usability testing during product design. Recently, Greenberg and Buxton published an article titled "Usability Evaluation Considered Harmful (Some of the Time)", where they concluded that usability evaluation is appropriate some of the time, and non-empirical methods ("design critiques, design alternatives, case studies, cultural probes, reflection, design rationale") are appropriate other times. In addition, they state that a combination of methods will "triangulate and enrich the discussion of a system's validity". More specifically, they state that evaluation done too early can kill promising design ideas, and that it ignores cultural adoption and use.

This panel moves beyond these conclusions to specifically discuss usable security. The kinds of questions panelists will address questions such as:

• What are the appropriate ways to validate one's work when the work is usable security? When the goal is something other than published research, such as product or standards, how do the validation methods change?
• What is the roll, and limitation, for laboratory based usability research and other design techniques when making real-life design and standards decisions?

Each panelist will take a specific position on the topic and include at least one specific recommendation for future changes in this area.

POSTERS

DISCUSSION SESSIONS

Understanding PCI Regulations and Applying Strategies to Ensure Cardholder Privacy

Moderator: Eric Offenberg, IBM

The PCI DSS (Payment Card Industry Data Security Standard) is hailed as one of the most specific privacy guidelines for protecting the sensitive information held by corporations that store, process or transmit cardholder data. However, to fully comply with PCI 12 multi-faceted requirements, companies need to implement strategies and technologies to ensure that effective privacy safeguards are in place. Join this interactive panel discussion on how companies are addressing PCI requirements, and learn about solutions that support compliance initiatives. Discussion topics will include:

• Understanding how safeguarding customer data protects a company’s bottom line
• Assessing the impact of PCI requirements on retailers, merchants, banks, and other affected corporations.
• Overcoming the fears associated with implementing technologies to become/remain compliant with PCI
• Discovering how PCI compliance can be leveraged to reduce costs and improve operational efficiency

Eric Offenberg, CIPP and Product Marketing Manager at IBM, has established himself as a thought leader on data governance, database archiving, enterprise data management and data privacy. With nearly 10 years of technology marketing experience across industries, Eric is a regular speaker in live Webinars, industry events and with media and analysts on behalf of IBM. He holds an MBA with a concentration in marketing from Rider University and a BA degree in communications with a concentration in public relations from Rutgers University.

Metrics for Characterizing Research Participants' Technical Knowledge

Moderators: Serge Egelman and Ponnurangam Kumaraguru, Carnegie Mellon University

User studies can only contribute to human knowledge if they are generalizable across a known population. Thus, the sample for a given user study needs to be describable so that it can be generalized to a larger population. In many user studies, a user's technical prowess can have a profound impact on the results of the study. The ability to quantify (or at least classify) a user's technical knowledge is becoming increasingly necessary in order to generalize studies across populations as well as compare the results of one study to another. Some examples that researchers have used in the past are: (1) Educational background, (2) Internet usage, (3) Computer usage, and (4) Security knowledge. But, these metrics are not consistently used in all the studies. In this discussion session we plan to examine various metrics that can be used to quantify or classify technical knowledge. We plan to present the metrics that have been used in previous studies and plan to get some consensus on the metrics during the session.

Serge Egelman is a PhD candidate in the School of Computer Science at Carnegie Mellon University. His research is on usable privacy and security, and his dissertation focuses on creating more effective web browser security indicators. His recent paper, "You've Been Warned: An Empirical Study of The Effectiveness of Web Browser Phishing Warnings," received an honorable mention at CHI this year. Serge has interned at Xerox PARC and Microsoft Research. His hobbies include building things, taking things apart, and trying to graduate.

Ponnurangam Kumaraguru (PK) is a Ph.D. candidate in the COS (Computation Organization and Society) program within the School of Computer Science at Carnegie Mellon University. His research interests include building system to educate users to make better trust decisions, trust modeling and international cyber security and privacy issues (specifically in India). PK is currently working on a NSF funded project - Supporting Trust Decisions. PK's current research aims at modeling trust behavior of users while using the Internet and making use of the model to build training systems such as "PhishGuru" and "Anti-Phishing Phil."

HCI-SEC Research, Private Data, and complying with the Common Rule

Moderator: Simson Garfinkel, Naval Postgraduate School

Even if you aren't working with living breathing human subjects, your work into security and usability could easily require that you involve your organization's Institutional Review Board (IRB). That's because 45 CFR 46, the Common Rule, covers not just the use of humans in experimental research but the use of data generated by humans under many circumstances. In this discussion we will explore some of the ways that federal regulations may read on research, alternative interpretations, and formulate an agenda for change.

Simson L. Garfinkel is an Associate Professor at the Naval Postgraduate School in Monterey, California, and a fellow at the Center for Research on Computation and Society at Harvard University. His research interests include computer forensics, the emerging field of usability and security, personal information management, privacy, information policy and terrorism. He is also a member of the NPS IRB.

Balancing Security, Usability and Cost

Moderator: Ehab Al-Shaer, DePaul University

The main objective of deploying security in IT networks is to minimize risks of compromising or interrupting network services. However, deploying effective security requires dealing with number of critical trade offs including risk, flexibility, performance and cost. For instance, unbalanced security may cause unnecessary restriction in service deployment or user accessibility, high increase of networks delay and/or unjustified budget cost. Thus, due to lack of theoretical foundations, experimentations in this area, achieving cost-effective security configuration is very challenging. As a result, most of the existing practice by even expert IT administrator is ad hoc, causing errors and instability. This panel will address many of important related issues and others in this area:

• What are the main factors of security risk? How to define and measure them objectively?
• How to consider exiting counter measures in estimating residual risk? - Although performance is well-defined, defining metrics for flexibility and cost are not far from being realized.
• How to optimize security configuration to achieve balanced cost-effective security? Is there a scalability issues here? - How security configuration can be automatically optimized to track dynamic changing in risk?
• How a solution will be envision in a multi-domain networks where they often have conflicting objectives and independent administration?
• How this framework will be interfaced to end-user to enable easy to use and manage?

Ehab Al-Shaer is an Associate Professor and the Director of the Security & Multimedia Networking Research Lab (SMNLAB) in the School of Computer Science, Telecommunications and Information System at DePaul University. His primary research areas are Firewalls, configuration management, and fault diagnosis. Prof. Al-Shaer is Co-Editor of 6 books in the area of automated configuration management, multimedia networking, and end-to-end monitoring. He has published more than 80 refereed chapters, journal articles, and conference papers. Prof. Al-Shaer has served as a Program Co-chair for number of well-established conferences in his research area including Automated Network Management (ANM-INFOCOM 2008), POLICY 2008, Integrated Management (IM 2007), MMNS 2001, and E2EMON 2004-2005. He is also the General Chair for 16th ACM Conference on Computer and Communication Security (CCS) held in Chicago 2009 and 2010. Prof. Al-Shaer has been actively involved in many conferences in his area including CCS, INFOCOM, ICNP, IM/NOMS, POLICY, and others. His research is supported by NSF, Intel, Cisco and Sun Microsystems.