Flexible data-driven security for android

Android allows users to cancel the installation of apps whenever requested permissions to resources seem inappropriate from their point of view. Since permissions can neither be granted individually nor changed after installation, this results in rather coarse, and often too liberal, access rules. We propose a more fine-grained security system beyond the standard permission system. With our system, it is possible to enforce complex policies that are built on temporal, cardinality, and spatial conditions ("notify if data is used after thirty days","blur data outside company's premises", etc.). Enforcement can be done by means of modification or inhibition of certain events and the execution of additional actions. Leveraging recent advances in information flow tracking technology, our policies can also pertain to data rather than single representations of that data. For instance, we can prohibit a movie from being played more than twice even if several copies have beencreated. We present design and implementation of the system and provide a security and performance analysis

Usable security policy specification

Security policies determine which security requirements have to be met in a domain and how they are implemented organizationally and/or technically. However, their specification at run-time poses a challenge for policy authors (e.g., IT administrators or end users), especially if they are inexperienced in this task. Thus, specification interfaces have to guide the policy author during the specification process. However, matching appropriate specification processes to the policy authors' individual needs is challenging due to a high variability in the authors' skill levels and security perceptions. In this paper, we identify existing specification approaches, derive generic specification paradigms and show the feasibility of one of them in an industrial case study

A framework for generating user- and domain-tailored security policy editors

In modern enterprises, incorrect or inconsistent security policies can lead to massive damage, e.g., through unintended data leakage. As policy authors have different skills and background knowledge, usable policy editors have to be tailored to the author's individual needs and to the corresponding application domain. However, the development of individual policy editors and the customization of existing ones is an effort consuming task. In this paper, we present a framework for generating tailored policy editors. In order to empower user friendly and less error-prone specification of security policies, the framework supports multiple platforms, policy languages, and specification paradigms

A User-Centered Model for Usable Security and Privacy

Security, privacy and usability are vital quality attributes of IT systems and services. Users and legal authorities demand that systems are secure and preserve privacy. At the same time, security and privacy mechanisms should not complicate workflows and must be transparent for the user. In order to master this challenge, a close involvement of the users is necessary - both at development and at run-time. In this paper, we present a user-centered model for usable security and privacy that is aligned with user-centered design guidelines [34] and the Human-Centered Design process [28]. Based on this model, we present an initial method for the design of usable security systems. Through active involvement of the user, the model and the method are meant to help developers to identify and solve shortcomings of their security and privacy echanisms. We motivate our work and present our results based on an Internet of Things / smart home scenario. Due to the amount of private data and strong data protection laws, both usability and privacy are of major importance in this domain. However, our model and method are not limited to the smart home domain, but can be applied whenever usable security and privacy are of particular interest for a system under development

Usable Specification of Security and Privacy Demands: Matching User Types to Specification Paradigms

However, formulating their own abstract data protection requirements is already a challenge for them. The mapping of these requirements to concrete setting options in an application is even more challenging—partially because the user interfaces for data protection settings are not tailored to the needs of different user types. This is one of the reasons why only few users make data protection settings regularly and purposefully. In this paper, we describe different specification paradigms for privacy settings and evaluate which paradigm best suits different user types. We investigate with which paradigm a certain user type achieves the best results in terms of objective and perceived correctness, efficiency and satisfaction

9. Usable Security und Privacy Workshop

Ziel der neunten Ausgabe des wissenschaftlichen Workshops "Usable Security und Privacy" auf der Mensch und Computer 2023 ist es, aktuelle Forschungs- und Praxisbeiträge auf diesem Gebiet zu präsentieren und mit den Teilnehmer:innen zu diskutieren. Getreu dem Konferenzmotto "Building Bridges" soll mit dem Workshop ein etabliertes Forum fortgeführt und weiterentwickelt werden, in dem sich Expert:innen, Forscher:innen und Praktiker:innen aus unterschiedlichen Domänen transdisziplinär zum Thema Usable Security und Privacy austauschen können. Das Thema betrifft neben dem Usability- und Security-Engineering unterschiedliche Forschungsgebiete und Berufsfelder, z. B. Informatik, Ingenieurwissenschaften, Mediengestaltung und Psychologie. Der Workshop richtet sich an interessierte Wissenschaftler:innen aus all diesen Bereichen, aber auch ausdrücklich an Vertreter:innen der Wirtschaft, Industrie und öffentlichen Verwaltung