ABSTRACT
User-centered security has been identified as a grand challenge in
information security and assurance. It is on the brink of becoming an
established subdomain of both security and human/computer interface (HCI)
research, and an influence on the product development lifecycle. Both security
and HCI rely on the reality of interactions with users to prove the utility and
validity of their work. However, the relationship each of these disciplines has
to the user emphasizes almost oppositional aspects.
As practitioners and researchers in those areas, we still face major issues
when applying even the most foundational tools used in either of these fields
across both of them. As a synthesis of existing subjects, user-centered
security provides new insights and new solutions, and the meeting place for
some of our thorniest problems. I will discuss the systemic roadblocks at the
social, technical, and practical levels that user-centered security must
overcome to make substantial breakthroughs. Existing and ongoing research can
be brought to bear on some of them; new thinking, new disciplines, and new
paradigms will be needed for others.
This talk was originally given as an invited essay at ACSAC 2005.
BIOGRAPHY
Mary Ellen Zurko leads security architecture and strategy for Lotus
Workplace, Portal, and Collaboration Software at IBM. She defined the field of
User-Centered Security in 1996. She is on the steering committee for New
Security Paradigms Workshop and the International World Wide Web Conference
series. She has worked in security since 1986, at The Open Group Research
Institute and Digital Equipment Corporation, as well as IBM. She is a
contributor to the O'Reilly book, "Security and Usability: Designing Secure
Systems that People Can Use".