Mary Ellen Zurko ; Steve Chan ; Greg Conti ; Konstantin Beznosov

16 October 2005

Abstract: Having recently received increasing attention, usable security is implicitly all about the end user who employs a computer system to accomplish security-unrelated business or personal goals. However, there is another aspect to usable security. Security administrators have to deal with the order of magnitude more difficult problem of administering large-scale complex enterprise systems, where an error could cost a fortune. Is the notion of usable security for end-users and security administrators the same? What are the differences in the background, training, goals, constraints, and tools between the administrators and end-users? How do these differences affect the (perception of) usability of the protection mechanisms and other security tools? Can the approaches to improving the security usability for end-users be directly applied to the domain of security administration, and vice versa? With some of the modern-day systems, where users are largely responsible for their own security self-administration, where is the boundary between the end-users and administrators? Can it be defined precisely or is it blurred? Panelists: Konstantin Beznosov, University of British Columbia (moderator) Mary Ellen Zurko, IBM Steve Chan, Lawrence Berkeley National Laboratory and School of Information Management and Systems at UC Berkeley Greg Conti, United States Military Academy

Keyword(s): security usability ; usability of security administration ; Usability of End-user Security ; Usable Security

Published in: Mary Ellen Zurko, Steve Chan, Greg Conti, Konstantin Beznosov, "Usability of Security Administration vs. Usability of End-user Security," slides of the corresponding panel at the Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, PA, USA, 8 July, 2005, pp.35.: