Abstract
Policies, sets of rules that govern permission to access resources, have long been used in computer security and online privacy management; however, the usability of authoring methods has received limited treatment from usability experts. With the rise in networked applications, distributed data storage, and pervasive computing, authoring comprehensive and accurate policies is increasingly important, and is increasingly performed by relatively novice and occasional users. Thus, the need for highly usable policy-authoring interfaces across a variety of policy domains is growing. This paper presents a definition of the security and privacy policy-authoring task in general and presents the results of a user study intended to discover some usability challenges that policy authoring presents. The user study employed SPARCLE, an enterprise privacy policy-authoring application. The usability challenges found include supporting object grouping, enforcing consistent terminology, making default policy rules clear, communicating and enforcing rule structure, and preventing rule conflicts. Implications for the design of SPARCLE and of user interfaces in other policy-authoring domains are discussed.
Chapter PDF
Similar content being viewed by others
References
Karat, J., Karat, C.-M., Brodie, C., Feng, J.: Privacy in information technology: Designing to enable privacy policy management in organizations. International Journal of Human-Computer Studies 63(1-2), 153–174 (2005)
Cao, X., Iverson, L.: Intentional access management: Making access control usable for end-users. In: Proceedings of the Second Symposium on Usable Privacy and Security (SOUPS 2006), pp. 20–31. ACM Press, New York (2006)
Good, N.S., Krekelberg, A.: Usability and privacy: a study of Kazaa P2P file-sharing. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems(CHI 2003), April 2003, pp. 137–144. ACM Press, New York (2003)
Maxion, R.A., Reeder, R.W.: Improving user-interface dependability through mitigation of human error. International Journal of Human-Computer Studies 63(1-2), 25–50 (2005)
Cranor, L.F., Guduru, P., Arjula, M.: User interfaces for privacy agents. ACM Transactions on Computer-Human Interaction 13(2), 135–178 (2006)
U.S. Senate Sergeant at Arms: Report on the investigation into improper access to the Senate Judiciary Committee’s computer system (2004), available at http://judiciary.senate.gov/testimony.cfm?id=1085&wit_id=2514
Karat, C.-M., Karat, J., Brodie, C., Feng, J.: Evaluating interfaces for privacy policy rule authoring. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems(CHI 2006), pp. 83–92. ACM Press, New York (2006)
Lederer, S., Mankoff, J., Dey, A.K., Beckmann, C.P.: Managing personal information disclosure in ubiquitous computing environments. Technical Report UCB-CSD-03-1257, University of California, Berkeley, Berkeley, CA (2003), available at http://www.eecs.berkeley.edu/Pubs/TechRpts/2003/CSD-03-1257.pdf
Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise Privacy Architecture Language (EPAL 1.2). W3C Member Submission 10-Nov-2003 (2003), available at http://www.w3.org/Submission/EPAL
Al-Shaer, E.S., Hamed, H.H.: Firewall Policy Advisor for anomaly discovery and rule editing. In: Marshall, A., Agoulmine, N. (eds.) MMNS 2003. LNCS, vol. 2839, pp. 17–30. Springer, Heidelberg (2003)
Ericsson, K.A., Simon, H.A.: Protocol Analysis: Verbal Reports as Data. MIT Press, Cambridge, MA (1993)
Brodie, C., Karat, C.M., Karat, J.: An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench. In: Proceedings of the 2006 Symposium on Usable Privacy and Security (SOUPS 2006), July 2006, pp. 8–19. ACM Press, New York (2006)
Agrawal, D., Giles, J., Lee, K.-W., Lobo, J.: Policy ratification. In: Proceedings of the Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 2005), June 2005, pp. 223–232. IEEE Computer Society Press, Los Alamitos (2005)
Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: Inverardi, P., Jazayeri, M. (eds.) ICSE 2005. LNCS, vol. 4309, pp. 196–205. Springer, Heidelberg (2006)
Lederer, S., Hong, J.I., Jiang, X., Dey, A.K., Landay, J.A., Mankoff, J.: Towards everyday privacy for ubiquitous computing. Technical Report UCB-CSD-03-1283, University of California, Berkeley, Berkeley, CA (2003), available at http://www.eecs.berkeley.edu/Pubs/TechRpts/2003/CSD-03-1283.pdf
Cranor, L.F.: Web Privacy with P3P. O’Reilly, Sebastopol, CA (2002)
Zurko, M.E., Simon, R., Sanfilippo, T.: A user-centered, modular authorization service built on an RBAC foundation. In: Proceedings 1999 IEEE Symposium on Security and Privacy, May 1999, pp. 57–71. IEEE Computer Society Press, Los Alamitos (1999)
Molich, R., Nielsen, J.: Improving a human-computer dialogue. Communications of the ACM 33(3), 338–348 (1990)
Lederer, S., Hong, J., Dey, A.K., Landay, J.: Personal privacy through understanding and action: Five pitfalls for designers. Personal and Ubiquitous Computing 8(6), 440–454 (2004)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 IFIP International Federation for Information Processing
About this paper
Cite this paper
Reeder, R.W., Karat, CM., Karat, J., Brodie, C. (2007). Usability Challenges in Security and Privacy Policy-Authoring Interfaces. In: Baranauskas, C., Palanque, P., Abascal, J., Barbosa, S.D.J. (eds) Human-Computer Interaction – INTERACT 2007. INTERACT 2007. Lecture Notes in Computer Science, vol 4663. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74800-7_11
Download citation
DOI: https://doi.org/10.1007/978-3-540-74800-7_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74799-4
Online ISBN: 978-3-540-74800-7
eBook Packages: Computer ScienceComputer Science (R0)