A User-Centered Model for Usable Security and Privacy

Feth, Denis; Maier, A. A.; Polst, Svenja

doi:10.1007/978-3-319-58460-7_6

Cited by 15 publications

(36 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It concerns granular and usable information, as well as informed privacy protection decision support [20]. The active involvement of the user targets the user capability of building an individual mental model of the control mechanism and the preservation of privacy [21,22]. This model decides whether a user trusts or mistrusts a system.…”

Section: User Engagement and Self-determinationmentioning

confidence: 99%

Motivating Users to Manage Privacy Concerns in Cyber-Physical Settings—A Design Science Approach Considering Self-Determination Theory

Oppl

Stary

2022

Sustainability

View full text Add to dashboard Cite

Connectivity is key to the latest technologies propagating into everyday life. Cyber-Physical Systems (CPS) and Internet-of-Things (IoT) applications enable users, machines, and technologically enriched objects (‘Things’) to sense, communicate, and interact with their environment. Albeit making human beings’ lives more comfortable, these systems collect huge quantities of data that may affect human privacy and their digital sovereignty. Engaging in control over individuals by digital means, the data and the artefacts that process privacy-relevant data can be addressed by Self-Determination Theory (SDT) and its established instruments. In this paper, we discuss how the theory and its methodological knowledge can be considered for user-centric privacy management. We set the stage for studying motivational factors to improve user engagement in identifying privacy needs and preserving privacy when utilizing or aiming to adapt CPS or IoT applications according to their privacy needs. SDT considers user autonomy, self-perceived competence, and social relatedness relevant for human engagement. Embodying these factors into a Design Science-based CPS development framework could help to motivate users to articulate privacy needs and adopt cyber-physical technologies for personal task accomplishment.

show abstract

Section: User Engagement and Self-determinationmentioning

confidence: 99%

Motivating Users to Manage Privacy Concerns in Cyber-Physical Settings—A Design Science Approach Considering Self-Determination Theory

Oppl

Stary

2022

Sustainability

View full text Add to dashboard Cite

show abstract

“…In this way, evaluators are supported by concrete, complementary information that support the evaluation of the heuristics. For a detailed description of the integration of our approach into HCD, please refer to [10]. In the following sections, we present the heuristics, the model, their combination and the tool support for our approach.…”

Section: Overall Approachmentioning

confidence: 99%

“…To simplify the handling and explanation, we divided the model into three (overlapping) perspectives: "System Security", "System and User Context", and "System Design", which are described in this chapter. A description of the integration in the human centered design process is described in [10].…”

Section: Usability and Security Modelmentioning

confidence: 99%

See 1 more Smart Citation

Heuristics and Models for Evaluating the Usability of Security Measures

Feth

Polst

2019

Proceedings of Mensch Und Computer 2019

Self Cite

View full text Add to dashboard Cite

Security mechanisms are nowadays part of almost every software. At the same time, they are typically sociotechnical and require involvement of end users to be effective. The usability of security measures is thus an essential factor. Despite this importance, this aspect often does not receive the necessary attention, for example due to short resources like time, budget, or usability experts. In the worst-case, users reject or circumvent even strong security measures and technically secure systems become insecure. To tackle the problem of unusable security measures, we developed a heuristics-based usability evaluation and optimization approach for security measures. In order to make heuristics applicable also for non-usability experts, we enrich them with information from a joint model for usability and security. In particular, this approach allows developers and administrators to perform usability evaluations and thus enables an early tailoring to the user, complementary to expert or user reviews. In this paper, we present our approach, including an initial set of heuristics, a joint model for usability and security and a set of mapping rules that combine heuristics and model. We evaluated the applicability of our approach, which we present in this paper. CCS CONCEPTS • Security and Privacy → Usability in security and privacy; • Human-centered computing → HCI theory, concepts and models; Heuristic evaluations.

show abstract

“…However, manual rules do not scale and can be a burden to users in larger and more complex smart spaces. In this case, it is necessary to support fine-grained access control and user activity automation requirements in a transparent manner, [50] without explicit user input. Therefore, devices will be automat- ically selected based on their ability to fulfil a user activity, which is represented as a workflow of user activity function requirements.…”

Section: Introductionmentioning

confidence: 99%

Fine-grained Access Control for Internet of Things Smart Spaces Driven by User Inputs

Al-Shaboti¹

2021

Preprint

View full text Add to dashboard Cite

The increasing use of Internet of Things (IoT) devices raises security and privacy concerns. In smart spaces, multiple IoT devices are simultaneously used to fulfil user activity functions. However, these devices exhibit several security vulnerabilities that can compromise smart space security and privacy. The ability of fine-grained control network access in IoT devices and application messages can significantly reduce the risk resulting from the exploitation of IoT vulnerabilities due to unauthorised access, thereby improving smart space security. A well-recognised approach in the literature for IoT access control is to use pre-defined access policies to allow the necessary connections for a device to function correctly. However, these policies allow access to all device functions (i.e. coarse-grained access) including those functions that are not used by any user activity. The overall goal of this thesis is to develop an access control framework and techniques to achieve fine-grained access policies by using user inputs. The user inputs will be utilised to select devices to fulfil user activities aiming to build an access policy from the minimum access required for each device function. In this thesis, the use of user inputs to meet user security and privacy requirements in single- and multi-user smart spaces is studied. The main contributions are as follows: first, an access control framework that enables users to tailor IoT device policies to meet their security and privacy requirements is proposed. Validation results of the framework show the effectiveness of integrating user access rules into the existing security countermeasures (i.e. pre-defined policies and intrusion detection systems – IDS) to enforce user security and privacy. Second, the problem of selecting preferable devices to fulfil user activity functions is formulated as an optimisation problem. The optimisation problem is then solved by local and global optimisation searching algorithms that are guided by a developed user preference quantified model. The results show that global optimisation search algorithms such as Genetic Algorithm (GA) find the solution more effectively and efficiently than local search algorithms such as simulated annealing and hill-climbing. Third, sharing access control for multi-user smart spaces is proposed. Traditional access control that considers a single user is not suitable for multi-user smart spaces, where users share their IoT devices. The sharing between multiple users poses challenges different than in single-user access control. For example, users may abuse using shared devices and use vulnerable ones. This thesis addresses these two challenges through two contributions. First, it proposes a novel sharing policy language that enables users to precisely define their sharing policy. Second, this thesis formulates the sharing policies as constraints in the context of an optimisation problem with the objective function that maximises the use of secure devices. Results show that the IoT sharing issue can naturally be translated into an integer linear programming (ILP) problem and effectively solved using off-the-shelf ILP solvers. Fourth, this thesis explores the feasibility and practicality of the fine-grained access policy enforcement through a smart home case study. A case study is built using a hub-based architecture that uses Web of Things (WoT) technology. WoT provides a device semantic description that includes device functions with the corresponding Uniform Resource Identifier (URI) which is used to build access control policies. The case study results show that policy enforcement can be effectively achieved by directing network traffic through a device proxy for each IoT device to enforce application access control without introducing statistically significant overhead on the user activity running time. In summary, this thesis studies the use of user inputs to derive fine-grained access control in smart spaces. For a single-user access control system, this thesis considers using manual rules and user preferences in small and dense smart spaces, respectively. For a multi-user access control system, this thesis proposes a secure sharing system supported by a sharing policy language to share and use IoT devices securely. For each scenario analysed, user input is utilised to derive fine-grained access policies. Enforcement of these policies has been explored by implementing a smart space case study using WoT technology. The overall results show that user preferences and sharing policies can be used to derive fine-grained access policies that are transparent to users and meet their security and privacy requirements.

show abstract

A User-Centered Model for Usable Security and Privacy

Cited by 15 publications

References 22 publications

Motivating Users to Manage Privacy Concerns in Cyber-Physical Settings—A Design Science Approach Considering Self-Determination Theory

Motivating Users to Manage Privacy Concerns in Cyber-Physical Settings—A Design Science Approach Considering Self-Determination Theory

Heuristics and Models for Evaluating the Usability of Security Measures

Fine-grained Access Control for Internet of Things Smart Spaces Driven by User Inputs

Contact Info

Product

Resources

About