34.7. Related Work

We have found very little published research to date on the problem of usability for security. Of what does exist, the most prominent example is the Adage project,[21], [22] which is described as a system designed to handle authorization policies for distributed applications and groups. Usability was a major design goal in Adage, but it is intended for use by professional system administrators who already possess a high level of expertise, and as such it does not address the problems posed in making security effectively usable by a more general population. Work has also been done on the related issue of usability for safety-critical systems,[23] like those that control aircraft or manufacturing plants, but we may hope that, unlike the users of personal computer security, users of those systems will be carefully selected and trained.
Ross Anderson discusses the effects of user noncompliance on security,[24] and Don Davis analyzes the unrealistic expectations that public key-based security systems often place on users.[25] Beyond that, we know of only one paper on usability testing of a database authentication routine,[26] and some brief discussion of the security and privacy issues inherent in computer-supported collaborative work.[27] John Howard's thesis[28] provides interesting analyses of the security incidents reported to CERT[29] between 1989 and 1995, but focuses more on the types of attacks than on the causes of the vulnerabilities that those attacks exploited, and represents only incidents experienced by entities sophisticated enough to report them to CERT.