User centered security has been identified as a grand challenge in information security and assurance. It is on the brink of becoming an established subdomain of both security and human/computer interface (HCI) research, and an influence on the product development lifecycle. Both security and HCI rely on the reality of interactions with users to prove the utility and validity of their work. However, the relationship each of these disciplines has to the user emphasizes almost oppositional aspects.

As practitioners and researchers in those areas, we still face major issues when applying even the most foundational tools used in either of these fields across both of them. As a synthesis of existing subjects, user centered security provides new insights and new solutions, and the meeting place for some of our thorniest problems. I will discuss the systemic roadblocks at the social, technical, and practical levels that user centered security must overcome to make substantial breakthroughs. Existing and ongoing research can be brought to bear on some of them; new thinking, new disciplines, and new paradigms will be needed for others.

Mary Ellen Zurko leads security architecture and strategy for Lotus Workplace, Portal, and Collaboration Software at IBM. She defined the field of User-Centered Security in 1996. She is on the steering committee for New Security Paradigms Workshop and the International World Wide Web Conference series. She has worked in security since 1986, at The Open Group Research Institute and Digital Equipment Corporation, as well as IBM. She is a contributor to the upcoming O.Reilly book, .Security and Usability: Designing Secure Systems that People Can Use..

View Paper (in PDF)

View Slides (in PDF)