ABSTRACT
We introduce the Expandable Grid, a novel interaction technique for creating, editing, and viewing many types of security policies. Security policies, such as file permissions policies, have traditionally been displayed and edited in user interfaces based on a list of rules, each of which can only be viewed or edited in isolation. These list-of-rules interfaces cause problems for users when multiple rules interact, because the interfaces have no means of conveying the interactions amongst rules to users. Instead, users are left to figure out these rule interactions themselves. An Expandable Grid is an interactive matrix visualization designed to address the problems that list-of-rules interfaces have in conveying policies to users. This paper describes the Expandable Grid concept, shows a system using an Expandable Grid for setting file permissions in the Microsoft Windows XP operating system, and gives results of a user study involving 36 participants in which the Expandable Grid approach vastly outperformed the native Windows XP file-permissions interface on a broad range of policy-authoring tasks.
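To make the rule-interaction problem concrete, here is an added example (not code from the paper or from its Expandable Grid system) that derives an effective-permission matrix from a small list of interacting rules: read in isolation, the "staff may read /projects" rule says nothing about what bob can actually see. The group memberships, paths and the simplified deny-overrides-allow precedence are assumptions chosen for illustration, not a model of Windows XP ACL evaluation.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    principal: str  # user or group name
    resource: str   # path; applies to the path itself and everything under it
    action: str     # e.g. "read"
    effect: str     # "allow" or "deny"


# Constructed sample group memberships (hypothetical).
GROUPS: Dict[str, Set[str]] = {"staff": {"alice", "bob"}, "interns": {"bob"}}

# Constructed sample rule list: two rules that interact for any intern who is also staff.
RULES: List[Rule] = [
    Rule("staff", "/projects", "read", "allow"),
    Rule("interns", "/projects/secret", "read", "deny"),
]


def principals_for(user: str) -> Set[str]:
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def applies(rule: Rule, resource: str) -> bool:
    """A rule on a path covers that path and all paths beneath it (inheritance)."""
    return resource == rule.resource or resource.startswith(rule.resource.rstrip("/") + "/")


def effective(rules: List[Rule], user: str, resource: str, action: str) -> bool:
    """Effective decision under an assumed deny-overrides-allow precedence."""
    matched = [r for r in rules
               if r.principal in principals_for(user) and r.action == action and applies(r, resource)]
    if any(r.effect == "deny" for r in matched):
        return False
    return any(r.effect == "allow" for r in matched)


def grid(rules: List[Rule], users: List[str], resources: List[str], action: str) -> Dict[str, Dict[str, bool]]:
    """The matrix a grid view would show: one cell per (user, resource) pair."""
    return {u: {res: effective(rules, u, res, action) for res in resources} for u in users}


if __name__ == "__main__":
    resources = ["/projects", "/projects/plan.txt", "/projects/secret"]
    for user, row in grid(RULES, ["alice", "bob", "carol"], resources, "read").items():
        print(f"{user:6}", " ".join("allow" if ok else " deny" for ok in row.values()))
```

Bob's row shows the interaction that neither rule reveals on its own: he reads /projects and /projects/plan.txt but not /projects/secret, while alice, who is in staff only, reads all three.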