July 20-22, 2011
Pittsburgh, PA


Symposium On Usable Privacy and Security

Workshop on Usable Security Indicator Conventions

July 20, 2011

Organizers: Ellen Cram Kowalczyk, Mary Ellen Zurko, Diana Smetters

People use software from a wide variety of sources. A great many of the affordances they see are defined by the UI framework, be it OS, browser or other platform. They know to look to the upper corner for close/minimize, and drop downs are usually indicated by a little triangle of some sort. These conventions, often built on the desktop metaphor, help shape expectations, and enable learning, exploration and discovery. In security, they get little such help. Dialogs can seem stuck in the nineties with jargon and expectations of understandings of the technical underpinnings of PKI, viruses and buffer overflows. The complexity and variation are at odds with learning. This workshop would start a discussion on the potential creation and unification of industry-wide usable security models to provide consistency across the online experience. It will then delve into specific conventions for security indicators, such as graphics, icons, and text in warning dialogs, browser and email client chrome, and secure desktops. Invited talks, panel discussions and working groups will take on the question of whether it is possible to come up with effective UX conventions around security, and if so, what those conventions should be and how to get them deployed. This workshop will bring together academics studying the effectiveness of security UIs with the industry players who create and deploy them.

Workshop participants are invited to bring a statement on your position on Usable Security Conventions. Statements may be about any aspect of this topic, such as what areas would benefit from security conventions, security indicator conventions that should be adopted, how conventions should be adopted, or how such conventions might be counter-productive. Statements should be 3-5 minutes in length, and may but are not required to cite papers or other work. Please reserve a spot to speak and submit slides if you wish to use them by July 11 to


9:00-9:30: Opening Remarks and Logistics

9:30-10:30: Intros, Position Statements and Short Talks from the Group

10:30-10:45: Break

10:45-11:15: Survey and Classification of Potential Security UX Conventions
Rob Reeder

Abstract: What types of user interface (UI) elements do we have to work with as we discuss potential security user experience (UX) conventions? Icons, colors, text, fonts, layout, and timing are types of UX elements we can leverage as we develop conventions. Indeed, past examples of usable security indicators have used these types as conventions within products; for example, the lock icon has become an informal convention for indicating secure Web connections. These different types of UX elements each have advantages and disadvantages as usable security conventions; for example, using red to indicate danger is consistent with conventions already in place, but is not accessible to colorblind people. To enable understanding of these advantages and disadvantages, I will discuss desirable properties in security UX conventions and give examples of existing or past conventions that are effective or not-as-effective at achieving each of these properties.

Bio: Rob Reeder works on the Usable Security (and Privacy) team at Microsoft. He works closely with Microsoft product groups to ensure that security-related user experiences in Microsoft products inspire confidence while helping customers stay safe. As part of these efforts, Rob drove the creation of guidance to help busy software engineers design good security warnings. This guidance is now in use by major Microsoft product groups. Rob earned a PhD in 2008 in Computer Science from Carnegie Mellon University's CyLab Usable Privacy and Security (CUPS) lab, and has published numerous papers on usable security topics including access control and authentication.

11:15-12:00: Panel: Limitations of UX Indicators
Panelists: Andrew Patrick (moderator), Patrick Kelley, Serge Egelman, Stuart Schechter, Kosta Beznosov

Studies suggest that current security indicators have at best limited effectiveness. Proposing conventions or even standards for security indicators presupposes that we have indicators that are worth standardizing on. This is only made more difficult by the rapid rise of mobile devices with limited screen real estate and even less patience for security indicators -- does finally coming up with an effective "lock icon" for a desktop web browser help much when everyone is accessing their data via mobile phones? This panel brings together researchers in the field of security indicators, to discuss the good, the bad, and the ugly -- what works, and whether or not we should have hope. It will also touch on research results that lend insight into the question of whether having consistency and conventions makes any difference at all to the effectiveness of security indicators.

12-1: Lunch (Newell-Simon Atrium)

1:00-1:45: Panel: Obstacles to Adopting UX Indicators as Conventions/Standards
Panelists: Adam Shostack (Moderator, Microsoft), Carrie Gates (CA Technologies), Diana Smetters (Google), Mary Ellen Zurko (IBM), Tim McKay (Kaiser Permanente)

How does industry arrive at their security UX? What influence does research have on what end users actually see? This panel brings together a selection of industry opinions on the potential for and usefulness of conventions around security UX, and how best to engage research in ways that improve the security experience for users. Topics covered may include how UX conventions get into products, product teams' relationship to research output and researchers, blockers that keep existing research from making it into products, what would make research relevant to products in this area, and the competing priorities that help or hinder the adoption of conventions around Security UX.

1:45-2:30: Focus Groups: How Academia and Industry Partner on Furthering UX Indicator Conventions/Standards

2:30-2:45: Break

2:45-3:30: Report out and group discussion on results from How Academia and Industry Partner on Furthering UX Indicator Conventions/Standards

3:30-3:45: Closing


SOUPS 2011 is sponsored by Carnegie Mellon CyLab