17.5. Conclusion

Users need awareness of their computer security environment, but just the right level of awareness. An interface that gives the user too much information about security, or gives the information at the wrong time, or in the wrong way, will be confusing or annoying, or both, and the user will turn it off. On the other hand, if awareness information is too subtle, the user will be oblivious when the situation is dangerous. Like Goldilocks' porridge, the level of awareness has to be "just right."

As discussed in other chapters,[16] too many controls can overwhelm users and prevent them from effectively setting their preferences. However, controls that are too simple may also fail if they do not allow users enough flexibility to express their security needs; for example, the High, Medium, and Low security settings in Internet Explorer are too simplistic for some users. As with awareness, the complexity of controls has to be just right.

[16] In particular, see Lorrie Cranor, Chapter 22, this volume.

Most application developers are not experts in security and usability. Tools such as widget libraries and graphical user interface builders are available for helping them with usability, and libraries exist for fundamental security primitives such as encryption. However, the field of usable security is too new for us to know yet what abstractions application developers need. Development of applications that incorporate usable security will help us understand what they need.

Chameleon provides a simple means to partition data and applications from each other to reduce the harm suffered by typical desktop computer users from malware. User studies with prototypes of Chameleon indicate that many users desire more protection and like the Chameleon model. We believe that it will continue to be a fruitful framework for exploring issues in usable security.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
EAN: 2147483647
Year: 2004
Pages: 295
