Tara Whalen

User experiences with sharing and access control

The sharing of network-based information is a key component of recreational and professional interaction, from email attachments to P2P networks. However, people need to accommodate technical challenges in successful and secure content sharing. In particular, people have to manage access control policies that are both social and technical: deciding what to share and who to share it with, and how to technically effect their decisions. In this paper, we focus on the usability of access control: how people manage file sharing among various groups, organizations, and tasks. We present survey and interview data regarding content sharing and content protection, and discuss the implications for the design of networked collaboration tools.

The proximity factor: impact of distance on co-located collaboration

Groups collaborating around a large wall display can do so in a variety of arrangements, positioning themselves at different distances from the display and from each other. We examined the impact of proximity on the effectiveness and enjoyment of co-located collaboration. Our results revealed collaborative benefits when participants were positioned close together, and interaction with the display was felt to be more effective when participants were close to the display. However, clear tradeoffs were evident for these configurations. When at a distance to the display, the choice of direct versus indirect interaction revealed that interactions were easier when using direct input but the effectiveness of the collaboration was compromised.

It's a jungle out there: practical considerations for evaluation in the city

An essential aspect of mobile and ubiquitous computing research is evaluation within the expected usage context, including environment. When that environment is an urban center, it can be dynamic, expansive, and unpredictable. Methodologies that focus on genuine use in the environment can uncover valuable insights, although they may also limit measurement and control. In this paper, we present our experiences applying traditional experimental techniques for field research in two separate projects set in urban environments. We argue that although traditional methods may be difficult to apply in cities, the challenges are surmountable, and this kind of field research can be a crucial component of evaluation.

Information displays for managing shared files

Within the workplace setting, people need to provide sufficient access to files to allow collaboration, without inadvertently exposing sensitive files. Evidence suggests that file sharing problems exist, and decrease security and interfere with collaboration. A potential solution for managing these problems is to present the user with clear information about file sharing settings and activities. Current file managers either hide the information or simply do not provide it. Using an awareness framework, we identified the core information that users need to be aware of for file sharing situations, performed two studies to determine how to best represent those concepts as labels and icons, and developed a prototype for a file manager that reveals file sharing activity. The results of these design activities can be adopted for other file sharing applications, improving their security and collaborative usability.

A Psychological Profile of Defender Personality Traits

The security community has used psychological research on attacker personalities, but little work has been done to investigate the personalities of the defenders. One instrument currently dominating personality research is the Five Factor Model, a taxonomy that identifies five major domains of personal traits, composed of sets of facets. This model can be used within an organizational or vocational capacity to reveal dominant tendencies, such as openness to new experiences. Within a security context, this tool could show what patterns professionals exhibit, which may reveal areas of insufficient diversity and “blind spots” in defenses. We surveyed 43 security professionals using a Five Factor Model-based test (the IPIP-NEO) to reveal common dominant traits. We found that our sampled security population demonstrated that they were highly dutiful, achievement-striving, and cautious; in addition, they were high in morality and cooperation, but low in imagination. We note that many of these characteristics seem to be appropriate for security professionals, although the low scores in the “openness to experience” domain may indicate difficulties in devising new security defense methods and in anticipating new forms of attack. This finding implies that security professionals might be more reactive to security threats, rather than proactive in discovering them before they are used by adversaries. This lack of anticipation could potentially leave large organizations vulnerable to attacks that might have otherwise been prevented.

Profiling the defenders

Psychological research in the security arena has focused on understanding the attacker, with little work done on understanding the defender. This paper presents a pilot study undertaken to determine if there are trends within the defender community, or if we represent a more diverse group with varying approaches to the problem. We surveyed 76 security professionals, using the Myers-Briggs Type Indicator as a tool to indicate similarities and differences in problem approaches. We find that the security community consists disproportionately of INTJs, and is especially disproportionate in the intuitive end of the intuitive-sensing dichotomy. This is not only in contrast to the general population of the United States, but also to engineers, software engineers and computer scientists (who are predominately ISTJ). We conclude that homogeneity amongst the defenders may not be a good strategy, and that further study be undertaken to determine the extent and effect of this homogeneity.

Watching the watchers: “voluntary monitoring” of infosec employees

Purpose – While many papers discuss the privacy implications of workplace monitoring, the purpose of this paper is to describe the positive aspects to voluntary monitoring in the workplace.Design/methodology/approach – These aspects were identified through in‐depth qualitative interviews with employees of various organizations chosen for the invasiveness of their monitoring procedures. Specifically, the authors worked with individuals who had high‐level government clearances, working in information security (infosec), who were subjected to comprehensive monitoring both before being employed and during the term of their employment.Findings – Through these interviews, the paper identifies four positive results of employee monitoring, four procedural issues that affected employee perception of the monitoring, and two secondary aspects that are specific benefits of holding a clearance, as opposed to benefits from the monitoring itself.Research limitations/implications – The research reported here is gathered ...

Defender personality traits

The security community has used psychological research on attacker personalities, but little work has been done to investigate the personalities of the defenders. We surveyed 43 security professionals using a Five Factor Model-based test to reveal common dominant traits. We found that our sampled population demonstrated that they were highly dutiful, achievement-striving, and cautious; in addition, they were high in morality and cooperation, but low in imagination. We conclude that many of these characteristics are appropriate for security professionals, although the low scores in the “openness to experience” domain may indicate difficulties in devising new security defense methods and in anticipating new forms of attack. This potentially leaves large organizations and nation-states vulnerable to attacks.