Abstract
Security policy management is a difficult and security-critical task. We have evaluated Java’s policytool with a usability study to see how well it can support users in setting up an appropriate security policy. The Java policytool is a graphical user interface tool integrated into Sun Microsystem Inc.’s Java 5.0 distribution for setting up security policies that can enable e.g. applets with more permissions than the default sandbox.
Results show that policytool is in line with other security tools, namely usability is poor. Policytool provides a certain degree of syntax help to novice users but it does not help with semantics, does not cater to expert users and actually does promote the accidental set-up of too lenient a policy. We show specific usability problems in policytool, comment on the differences in the policy files created by our study users, explore ways of solving the error-prone task of setting up a Java policy and relate this to the general subject of usability of security tools.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Furnell, S.M.: Using security: easier said than done. Computer Fraud & Security 2004(4) (2004) 6–10
Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In: Proceedings of the 8th USENIX Security Symposium (Security’99), Usenix (1999)
Sun Microsystems Inc.: Policy tool—policy file creation and management tool. http://java.sun.com/j2se/l.5.0/docs/tooldocs/solaris/policytool.html (2002)
Nielsen, J.: Usability Engineering. Morgan Kaufmann Publishers, Inc (1993)
Oaks, S.: Java Security. 2nd edn. O’Reilly & Associates, Inc. (2001)
Faulkner, X.: Usability Engineering. Macmillan Press Ltd (2000)
Shneiderman, B., Plaisant, C: Designing the User Interface. 4th edn. Addison Wesley (2004)
Gerd tom Markotten, D.: Benutzbare Sicherheit in informationstechnischen Systemen. Rhombos Verlag, Berlin (2004) ISBN 3-937231-06-4.
Hauswirth, M., Kerer, C., Kurmanowytsch, R.: A secure execution framework for Java. In: Proceedings of the 7th ACM Conference on Computer and Communications Security (CCS’00), ACM Press (2000) 43–52
Koved, L., Pistoia, M., Kershenbaum, A.: Access rights analysis for Java. In: Proceedings of the 17th ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’02), ACM Press (2002) 359–372
Mehta, N.V., Sollins, K.R.: Expanding and extending the security features of Java. In: Proceedings of the 7th USENIX Security Symposium (Security’98), Usenix (1998)
Corradi, A., Montanari, R., Lupu, E., Sloman, M., Stefanelli, C.: A flexible access control service for Java mobile code. In: Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC’00), IEE (2000) 356–365
Venkatakrishnan, V., Peri, R., Sekar, R.: Empowering mobile code using expressive security policies. In: Proceedings of the New Security Paradigms Workshop (NSPW’02), ACM Press (2002) 61–68
Hertzum, M., Jørgensen, N., Nørgaard, M.: Usable security and e-banking: Ease of use visà-vis security. In: Proceedings of the Annual Conference of CHISIG (OZCHI’04). (2004)
Nilsson, M., Adams, A., Herd, S.: Building security and trust in online banking. In: Proceedings of the Conference on Human Factors in Computing Systems (CHI’05), ACM Press (2005) 1701–1704
Furnell, S.M.: Why users cannot use security. Computers & Security 24(4) (2005) 274–279
Johnston, J., Eloff, J.H.P., Labuschagne, L.: Security and human computer interfaces. Computers & Security 22(8) (2003) 675–684
Wool, A.: The use and usability of direction-based filtering in firewalls. Computers & Security 23(6) (2004) 459–468
Sandhu, R.S.: Good-enough security. IEEE Internet Computing 7(1) (2003) 66–68
Smetters, D., Grinter, R.E.: Moving from the design of usable security technologies to the design of useful secure applications. In: Proceedings of the New Security Paradigms Workshop (NSPW’02), ACM Press (2002) 82–89
Whitten, A., Tygar, J.: Safe staging for computer security. In: Proceedings of the CHI2003 Workshop on Human-Computer Interaction and Security Systems. (2003)
DiGioia, P., Dourish, P.: Social navigation as a model for usable security. In: Proceedings of the Symposium on usable privacy and security (SOUPS’05), ACM Press (2005) 101–108
Yee, K.P.: Guidelines and strategies for secure interaction design. [26]
Leveson, N.: Safeware: System Safety and Computers. Addison Wesley (1995)
Garfinkel, S.L.: Design Principles and Patterns for Computer Systems That Are Simultaneously Secure and Usable. PhD thesis, Massachusetts Institute of Technology (2005)
Cranor, L.F., Garfinkel, S.L.: Security and Usability. O’Reilly & Associates, Inc (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 International Federation for Information Processing
About this paper
Cite this paper
Herzog, A., Shahmehri, N. (2006). A Usability Study of Security Policy Management. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds) Security and Privacy in Dynamic Environments. SEC 2006. IFIP International Federation for Information Processing, vol 201. Springer, Boston, MA. https://doi.org/10.1007/0-387-33406-8_25
Download citation
DOI: https://doi.org/10.1007/0-387-33406-8_25
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-33405-9
Online ISBN: 978-0-387-33406-6
eBook Packages: Computer ScienceComputer Science (R0)