Designing for Users Security in Multi-User Systems
Susan O. Omodafe
Federal Polytechnic Auchi, Edo State, Nigeria
[email protected]
Stephen U. Egarievwe
NASA Centre – ICS Lab, Fisk University
1000 17th Ave N, Nashville, TN 37208, USA
[email protected]
ABSTRACT
A basic concern for human-computer interaction (HCI) designs is to enable the user to make well-informed decisions. With the increase in the number of Internet users and applications in e-commerce, education, and communications, users' security has become an important HCI issue. Our preliminary studies show that providing sufficient information for users is not adequate in handling user-related security issues (such as privacy). More than a quarter of 27 cyber-café users surveyed sometimes do not log off their email account before timeout. On such occasions, their email accounts are accessible to the next user that logs in immediately. In this paper, we explore security issues that are of concern to users, and approaches to user-security oriented designs for multi-user systems. Some useful approaches include event-based actions and security status report features.
Author Keywords
Users security, privacy, multi-user systems, event-based actions, time-out windows, HCI designs.
INTRODUCTION
Many security issues considered in human-computer interaction (HCI) are those that tend to protect server-side systems and service providers. On the user/client side, the major security issues considered are privacy and spam, which are related to e-commerce and email services. Very little consideration is given to other security issues that concern the everyday user (DTI-UK, 2002), many of whom access the Internet through multi-user systems in cyber-cafés, public libraries, and community Internet centres. This group of users is the focus of our studies. In the following sections, we present our preliminary work that summarizes 1) user-related security issues for HCI designs, 2) planned investigations to identify areas of shortcomings in systems/software encountered by the everyday user, and 3) some approaches to user-security oriented designs for multi-user systems.
USER-RELATED SECURITY ISSUES FOR HCI DESIGNS
The major concerns of information security encountered by the everyday user are confidentiality (access by rightful persons only), integrity (modifications by authorized persons only), and availability (accessible to persons that need it and when needed) (Omodafe et al., 2004). These security issues can easily be compromised by a cyber-café time-out session, which does not give the user the chance to close windows and log out of email/e-commerce accounts afterwards. Such opened windows and email accounts are accessible to the next user that signs into the machine, thus compromising confidentiality. That next user could change the email account settings and even reply to some of the emails, or send emails from that account; this compromises integrity. Replies to emails sent by this intruder could use up the memory size allocated, and thus prevent the reception of expected emails (compromising availability). Confidentiality ensures that access is by rightful persons only, and this relates to user privacy. Interesting questions here are 1) is the user aware of all information being collected on him/her, 2) who and what software system has access to his/her information, 3) how much control does the user have over the previous two questions, and 4) does the user understand the privacy issues? Other very costly security issues for users are spam and popup windows/advertisements. Spam (unsolicited email) could use up memory space and lead to financial losses. Popup windows/advertisements lead to distractions and waste of time.
IDENTIFYING SHORTCOMINGS OF EVERYDAY-USED INTERACTIVE SYSTEMS
We have planned systematic investigations aimed at identifying the shortcomings of interactive systems encountered by the everyday Internet user. These include three major types of multi-user systems: 1) Operating system and server-side systems (e.g. cyber-café time-out windows and Microsoft Windows operating systems), 2) Internet/web browser software (e.g. Explorer and Netscape), 3) email account provider systems (e.g. Yahoo and Hotmail), and 4) e-commerce systems (such as shopping and banking). The first stage of the investigations involves a survey of users, to understand how usable they find these interactive systems and how effective such systems are in addressing the security concerns of the users. Figure 1 shows some results of a preliminary survey. The second stage will map HCI elements for addressing user security issues in these systems to the results from stage 1. Stage three of our work will develop approaches to addressing user security issues in HCI designs for multi-user systems.
[Figure 1: two bar charts; y-axis: Percentage; categories: Always, Sometimes, Never. Panel questions: "How often do you log onto a computer or your email while other people are looking at you or looking over your shoulder?" and "How often do you log-off from your email account before leaving the computer or before time-out in a cyber-cafe?" Data labels in the figure: 74.1%, 25.9%, 0.0% and 63.0%, 18.5%, 18.5%.]
Figure 1. Some preliminary survey results showing the vulnerability of users to security breaches. These could be addressed by effective user-security oriented HCI designs.
APPROACH TO USERS-SECURITY ORIENTED DESIGN FOR MULTI-USER SYSTEMS
Since our work is in its preliminary stage, we present general factors to be considered in developing approaches to user-security oriented design, rather than details and specific approaches. These factors can be grouped into two categories, namely goals to be accomplished and effecting features.
Goals for Users-Security Oriented HCI Designs
The security issues that concern and affect users must be included in all phases of an interactive interface (design, cost-benefit analysis, implementation, and usability tests). In the cost-benefit analysis phase, the benefits to users must be considered in terms of making them more secure. The security issues should be made visible and understandable to the users. As examples, 1) users should know whenever information on them is being collected, and what the information will be used for, and 2) users should know the security status of their computer/Internet session when they are timed-out or when a screen saver comes on. Users should be given control over all security-related actions that affect them. As an example, a user should have the means of disabling popup windows/advertisements.
Effecting Features in Users-Security Oriented HCI Designs
Some of the general methods of providing solutions to HCI problems in complex/dynamic systems, where nonprofessionals may need to update and modify a webpage/interface, include 1) centralized approval processes, 2) standardized templates, 3) style guides, and 4) design patterns (Spool, 2003). In any of these methods, effecting features need to be capable of providing adequate and sufficient security information to users, and should also employ some kind of artificial-intelligence approach to effect event-based actions that protect users.
CONCLUSION
This paper has presented a summary of security issues that affect interactive interface users, and the need to design for users' security. Our preliminary investigation showed that time-out interfaces and screen savers expose multi-user systems to intruders that could compromise security issues such as confidentiality (including privacy), integrity, availability, and spam. We have identified some of the essential goals for user-security oriented HCI designs to include security visibility, awareness, and control by users. To accomplish these goals, event-based and artificial intelligence based features need to be used. Our future work will map HCI elements for addressing user security issues in commonly used systems such as web browsers, email services, and e-commerce. This will provide valuable information for developing approaches that effectively address user security issues in HCI designs for multi-user systems.
ACKNOWLEDGEMENT
This work is partially supported by the United States Department of Energy through DOE-AMP Grant # DE-FG0202ER25544; by NASA through the Fisk University NASA Centre for Photonic Materials and Devices; and by the UNCF/Prudential Faculty Development Curriculum Research Grant.
REFERENCES
DTI-UK. (2002) “Information Security Breaches Survey 2002.” United Kingdom’s Department of Trade and Industry Technical Report. Avail. from: http://www.dti.gov.uk/industry_files/pdf/sbsreport_2002.pdf
Omodafe, S. O., Chiemeke, S. C., and Egarievwe, S. U. (2004) “Becoming a Secured Internet User.” AITEC WEST AFRICA, June 1-3, 2004. Avail. from: http://www.egarievwe.org/institute/publications/SecuredInternetUser.ppt
Spool, J. M. (2003) “Design Patterns: An Evolutionary Step to Managing Complex Sites.” User Interface Engineering. Avail. from: http://www.uie.com/articles/design_patterns/