User Interaction Design for Secure Systems
(Professor Marti A. Hearst --SIMS)
The security of any system that is configured or operated by
human beings depends on the information conveyed by the user
interface, the decisions of the users, and the interpretation
of their actions. This work establishes some starting points
for reasoning about security from a user-centered perspective:
it proposes to model systems in terms of actors and actions,
and introduces the concept of the subjective actor-ability state.
Ten principles for secure interaction design are identified;
examples of real-world problems illustrate and justify the
The results of this work come from discussing design
challenges and user experiences at length with designers
and users of software intended to be secure. After much
debate and several iterations of refinement, we have formed
the following set of design principles:
Path of least resistance:
the most natural way to do any task should also
be the most secure way.
the interface should expose, and the system should
enforce, distinctions between objects and between actions along boundaries that matter to the user.
a user's authorities must only be provided to other
actors as a result of an explicit user action that is understood to imply granting.
Visibility: the interface should allow the user to easily review
any active actors and authority relationships that would
affect security-relevant decisions.
Revocability: the interface should allow the user to easily
revoke authorities that the user has granted,
wherever revocation is possible.
Expected ability: the interface must not give the user the
impression that it is possible to do something that cannot
actually be done.
Trusted path: the interface must provide an unspoofable
and faithful communication channel between the user and any entity
trusted to manipulate authorities on the user's behalf.
Identifiability: the interface should enforce that distinct
objects and distinct actions have unspoofably identifiable and
Expressiveness: the interface should provide enough expressive
power to (a) describe a safe security policy without undue
diffiulty and (b) allow users to express security policies
in terms that fit their goals.
the effect of any security-relevant action must be clearly
apparent to the user before the action is taken.
More information (http://zesty.ca/) or
Send mail to the author : (email@example.com)
Edit this abstract