Editor: Carl E. Landwehr, email@example.com
conference, which was organized by the CMU Usable Privacy and Security (CUPS) Lab with sponsorship from Carnegie Mellon CyLab. Clare-Marie Karat from IBM T.J. Watson Research and Diana Smetters of the Palo Alto Research Center (PARC) served as chairs for the technical paper sessions.
The conference's first day opened with a security-related user studies workshop and poster session. The user-study construction kits discussed in the workshop provided useful examples for researchers developing security-related user studies.
Cranor and Richard Pethia, codirector of CyLab, welcomed the conference participants. Cranor started her remarks with an anecdote about Nigerian scammers who had tried to register for the conference with stolen credit-card information, illustrating the prevalence of phishing scams, which are now even trying to target security and privacy researchers.
Austin Hill, one of the co-founders of RadialPoint (formerly Zero-Knowledge), delivered a keynote address that shared his experiences in trying to make security and privacy usable for everyday users. Unfortunately, Hill discovered that users hadn't yet reached a "crisis point" to push them to protect their security and privacy. He explained that it's increasingly difficult to secure a computer and recommended building security and privacy services into the main access channel, as ISPs are starting to do.
Technical paper sessions
Attendees presented 14 papers in four sessions covering access control, password management, phishing, and risk transparency.
Alex DeWitt from Brunel University, London, started the first paper session with his talk on a usability study of Polaris, software for limiting the privileges available to computer viruses. The study's results showed that Polaris wasn't easily usable and didn't provide system protection. The study's authors concluded that to encourage users to adopt and use security software such as Polaris, it should provide high integration, low time investment, few decision points, obvious perceived benefits, strong visual indicators, and no error messages.
John Karat of IBM T.J. Watson Research Center spoke about a policy management workbench called
nablement (Sparcle), which is designed to let nontechnical policymakers write rules in a familiar natural language format. Specifically, the IBM team examined the accuracy rates Sparcle's natural language parser achieved in detecting structural elements from rules written in natural language. Sparcle yielded accuracy rates between 82–100 percent, with an average parsing precision of 94 percent.
Lee Iverson from the University of British Columbia spoke about his work on intentional access management. He argued that most access-control interfaces are written at too low a level for most users involved in collaborative information-sharing tasks. Thus, Iverson and his team built and tested a framework and system for specifying users' resource-sharing intentions for any underlying access-control mechanism that implements users' high-level intentions in the lower-level access-control mechanism.
Ka-Ping Yee from the University of California, Berkeley, kicked off the password session by introducing Passpet, his password-management tool that provides users with an animal image in the Firefox toolbar and a mechanism for creating personal labels for each Web site that they visit. Clicking on the animal prompts the user for a master password, which generates a site-specific password based on the user's label for that page. To log in to a Web site, users must always click on their animal image. Thus users rely on something they've made (the label) for
The second annual Symposium on Usable Privacy and Security (SOUPS 2006) was held at Carnegie Mellon University (CMU) 12–14 July 2006. Lorrie Cranor, an associate research professor with CMU's Institute for Software Research International, chaired the
PUBLISHED BY THE IEEE COMPUTER SOCIETY
1540-7993/06/$20.00 © 2006 IEEE
IEEE SECURITY & PRIVACY