In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
» Openaccess proceedings » International Conference on Human Aspects of Information Security & Assurance (HAISA 2007)
International Conference on Human Aspects of Information Security & Assurance (HAISA 2007)
Title: Usable Set-up of Runtime Security Policies
Author(s): Almut Herzog, Nahid Shahmehri
Keywords: Security policy management, access control, usability, Java, application surveillance
Abstract: Setting up runtime security policies as required for firewalls or as envisioned by policy languages for the Semantic Web is a difficult task, especially for lay users who have little knowledge in the security domain. While technical solutions for runtime protection and advanced security policy languages abound, little effort has so far been spent on enabling users to actually use these systems to set up a security policy, and certainly not at runtime.
To start filling this gap, we give concrete and verified guidelines for designers that are faced with the task of delegating security decisions to lay users. We advocate, for example, that security policies be set up at runtime, not off-line, that the principle of least privilege be enforced and that alert windows be compact but still contain information about the consequences of a chosen action.
These guidelines have emerged from our own and others’ research on usability and security. They are further strengthened through the implementation of the prototype JPerM, which follows our guidelines. JPerM is used for the runtime set-up of security policies for Java applications. Its specific design and evaluation are described in this work and serve as an illustration of the presented guidelines.
Download count: 776
How to get this paper:
PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.