Saturday, February 6, 2010

CyLab Seminar Series Notes: Lujo Bauer Shares Glimpse into CyLab Research on Usable Privacy & Security in the Digital Home


[NOTE: CyLab's weekly seminar series provides a powerful platform for highlighting vital research. The physical audience in the auditorium is composed of Carnegie Mellon University faculty and graduate students, but CyLab's corporate partners also have access to both the live stream and the archived content via the World Wide Web. From time to time, CyBlog whets your appetite by offering brief glimpses into these talks. Here are some of my notes on a talk delivered by CyLab researcher Lujo Bauer on 2-1-10. At the end of this post you will find links to other issues of CyLab Seminar Series Notes as well as two editions of CyLab Chronicles that highlight Bauer's work. -- Richard Power]

CyLab Seminar Series Notes: Lujo Bauer Shares Glimpse into CyLab Research on Usable Privacy & Security in Home Computing

According to Lujo Bauer, “Usability” is often seen as the last phase in system design.
“One of the problems in the way we build systems is that first we build the system, and then perhaps we start thinking about how to best design the interfaces that we dress the system up in ...”
The thesis for Bauer’s seminar: “Creating usable systems often requires not just the help of usability experts, but that the system architects are usability experts.”
“Usability is something that we should pay attention to, and start building into our systems from the design phase onward; and not something that can just be always tacked on at the end.”
Bauer supported his thesis with three examples from his personal experience in research. Two of the examples were based on user studies, from which something important was learned about the very initial phases of system design. The third example came from an instance where the research team tried to make a system more usable after it was deployed, and learned something about the features that were needed.
One of these examples involved the Expandable Grid, a robust interface that shows effective policy instead of policy rules, displays both user and file hierarchies (groups), and puts the entire policy on the screen; another involved Grey, a smartphone-based, end-user-driven access control system for physical and virtual resources deployed in Carnegie Mellon’s Collaborative Innovation Center (CIC); and the third example, the one we will focus on here, involved the “Future Digital Home,” and highlights not only the CyLab research thrust into “Usable Privacy and Security” but also the CyLab research thrust into “Securing the Digital Home.”
“Most of us already have a bunch of gadgets at home: digital cameras, maybe a network drive, a TV that can stream Netflix, things like that. In the near future, this will become much more extreme. We will have dozens of devices in our home, which will either gather information or store information that we put on them, or will be used for viewing information. Think of this information as being media, whether it’s music, or video, or home surveillance; you can also think of it as being files, e.g., tax records, or homework, or papers; you can think of it as your current shopping list, or the content of your refrigerator. Your refrigerator is going to have a little computer built into it and it is going to keep track of how much milk is left, and you are going to want to use your phone every once in a while to ask your refrigerator how much milk there is because you are going to be walking by a grocery store, and wondering if you should pick up milk.”

“So there are exciting new capabilities from the user perspective, but on the other hand, there are also big questions, and one of the big questions is who handles security and reliability? In this environment, with many devices in my home that all somehow talk to each other and share data, I want to make it the case that I can always access all the information, confidential or otherwise, and I can also let any of my friends, or specific friends, gain access to some of this information, but at the same time I might have really confidential data in the system, and it could be terrible if the wrong person got access.”
“We’re also dealing with people who are not professional system administrators. The only people in the home are the people that live there. They don’t take classes in system administration; so the interfaces that they use to configure the system correctly, or tell the system what they want it to do, have to be somehow specifically tailored to them. These interfaces can’t require much expertise.”
The goal of the research the CyLab team is doing in this area is to provide usable security for digital home storage, e.g., to enable users to effectively specify and understand policies, and to use and trust the mechanisms.
“Having learned something from previous projects that we had done, we decided to start out with some user studies. Technical researchers are notoriously bad judges of what end users do ...”
The first study was based on in-situ, semi-structured interviews of subjects recruited via Craigslist and the distribution of fliers. The study subjects were limited to non-programmer households. There were thirty-three users (from eight to fifty-nine years of age) in fifteen households; these households ranged from families to couples to roommates.
“We also covered a wide range of expertise: even though there were no programmer households, we had people whose households had as many as twenty-something digital devices for two people, or as few as four or five digital devices for a family of three or four.”
House maps were used as reference points in the interviews.
“We had the participants draw maps of their households, and on these maps indicate where various digital devices might live. And we used these maps later to make sure that when we talked about the various digital devices and types of data, we could actually cover all the devices that they had.”

The study yielded some insightful findings:
Current methods are not working: Although almost all of the people worry about sensitive data, access control mechanisms varied and were often ad-hoc.
Policy needs are complex: Fine-grained divisions of people and files are needed (e.g., distinguishing between “public” and “private” isn’t enough); dimensions beyond “person” are needed (e.g., “presence” proved important to most and “location” proved important to many); and, of course, there was wide variation across participants (e.g., in definitions of what is most private and who is most trusted).
A-priori policy isn’t enough: People want to be asked permission (even if they have already assigned it), they want to know not only who is accessing files but why, and they want the capability to review access and revise policy.
Mental models do not equal system realities: Mismatches between current systems and users’ mental models may lead those users astray.
From these findings, Bauer and his fellow researchers distilled a set of useful guidelines for anybody building such a system:
Allow fine-grained control
Plan for lending devices
Include reactive policy creation and usable logs
Reduce or eliminate up-front complexity
Acknowledge social conventions
Support iterative policy specification
Account for users’ mental models
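To make the findings and guidelines above concrete, here is a small policy model for home storage that I have added as an illustration; it is not code from Bauer's group or from any CyLab system. It assumes a simple rule list with a user hierarchy (groups), folder-prefix matching for files, the two extra dimensions the study found important (owner presence and requester location), an "ask" outcome for anything no rule covers instead of a silent deny, and a log that records who accessed what and why. The household, people and file names in it are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    """One access attempt. presence and location are the extra policy
    dimensions the study found users care about beyond "who"."""
    requester: str
    resource: str            # path-like name, e.g. "photos/vacation.jpg"
    owner_present: bool      # is the data owner at home right now?
    location: str            # where the requester is, e.g. "home" or "away"


@dataclass(frozen=True)
class Rule:
    who: str                                   # a person, a group name, or "*"
    what: str                                  # a file, a folder prefix ("photos/"), or "*"
    decision: str                              # "allow", "deny" or "ask"
    require_presence: bool = False             # rule only applies while the owner is home
    locations: Optional[FrozenSet[str]] = None # rule only applies from these locations


@dataclass(frozen=True)
class LogEntry:
    requester: str
    resource: str
    decision: str
    reason: str   # usable log: not just who and what, but why


class HomePolicy:
    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups            # user hierarchy: group name -> members
        self.rules: List[Rule] = []     # first matching rule wins
        self.log: List[LogEntry] = []

    def _who_matches(self, rule: Rule, requester: str) -> bool:
        return rule.who in ("*", requester) or requester in self.groups.get(rule.who, set())

    @staticmethod
    def _what_matches(rule: Rule, resource: str) -> bool:
        return rule.what in ("*", resource) or (
            rule.what.endswith("/") and resource.startswith(rule.what))

    def _applies(self, rule: Rule, req: Request) -> bool:
        if not (self._who_matches(rule, req.requester) and self._what_matches(rule, req.resource)):
            return False
        if rule.require_presence and not req.owner_present:
            return False
        if rule.locations is not None and req.location not in rule.locations:
            return False
        return True

    def evaluate(self, req: Request) -> Tuple[str, str]:
        """Return (decision, reason). A request no rule covers becomes "ask",
        so the owner is consulted instead of having to anticipate every case up front."""
        for rule in self.rules:
            if self._applies(rule, req):
                reason = f"rule {rule.who} -> {rule.what}"
                self.log.append(LogEntry(req.requester, req.resource, rule.decision, reason))
                return rule.decision, reason
        reason = "no rule covers this request"
        self.log.append(LogEntry(req.requester, req.resource, "ask", reason))
        return "ask", reason

    def resolve(self, req: Request, owner_decision: str, remember: bool = False) -> str:
        """The owner answers an "ask". With remember=True the answer becomes a rule
        for that person and file, which is how the policy grows iteratively."""
        self.log.append(LogEntry(req.requester, req.resource, owner_decision, "owner decided on request"))
        if remember:
            self.rules.append(Rule(req.requester, req.resource, owner_decision))
        return owner_decision

    def entries_for(self, resource_prefix: str) -> List[LogEntry]:
        """Review access to a folder: who touched it and why the outcome was what it was."""
        return [e for e in self.log if e.resource.startswith(resource_prefix)]


def demo() -> HomePolicy:
    # Constructed sample household; alice owns the storage.
    policy = HomePolicy(groups={"family": {"alice", "bob"}, "friends": {"carol"}})
    policy.rules += [
        Rule("alice", "*", "allow"),                                  # the owner sees everything
        Rule("*", "tax/", "deny"),                                    # nobody else sees tax records
        Rule("family", "*", "allow"),                                 # family sees the rest
        Rule("friends", "photos/", "allow", require_presence=True),   # friends browse photos only while alice is home
        Rule("friends", "music/", "allow", locations=frozenset({"home"})),  # and music only from inside the house
    ]
    return policy
```

With this household, bob (family) is allowed into photos but denied tax records, carol's photo access flips from "allow" to "ask" the moment the owner leaves the house, and a request from someone with no rule at all (say, a houseguest) is answered by the owner once and can then be remembered as a new rule.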

Related CyLab Chronicles

CyLab Chronicles: Q&A with Lujo Bauer (2009)

CyLab Chronicles: Q&A with Lujo Bauer (2008)

Other CyLab Seminar Notes

CyLab Seminar Series Notes: The Evolution of A Hacking Tool, Moxie Marlinspike on SSLstrip

CyLab Seminar Series Notes: User-Controllable Security and Privacy -- Norman Sadeh asks, "Are Expectations Realistic?"

CyLab Seminar Series: Of Frogs, Herds, Behavioral Economics, Malleable Privacy Valuations, and Context-Dependent Willingness to Divulge Personal Info

CyLab Seminar Series Notes: Why do people and corporations not invest more in security?

CyLab Research Update: Basic Instincts in the Virtual World?

For information on the benefits of partnering with CyLab, contact Gene Hambrick, CyLab Director of Corporate Relations: hambrick at andrew.cmu.edu

Saturday, January 23, 2010

Video Record of CyLab's Alessandro Acquisti on "The Dish: It's All in the Numbers - Privacy, Math, and Social Security" at Koshland Museum



"Our cashless, information-sharing society has made identity theft easier and ... In the long run, we should think about using better tools, which by the way, we already have ..." -- Alessandro Acquisti

Video Record of CyLab's Alessandro Acquisti on "The Dish: It's All in the Numbers - Privacy, Math, and Social Security" at Koshland Museum

In Washington, D.C. on January 20, 2010, CyLab's Alessandro Acquisti spoke on The Dish: It's All in the Numbers - Privacy, Math, and Social Security at the National Academy of Science's Koshland Science Museum's Science Cafe. This program was held in collaboration with Proceedings of the National Academy of Sciences.

Part 1



Part 2



Related Posts

Read Alessandro Acquisti on Nudging Privacy (IEEE Security & Privacy), Hear Him Speak, 1/20/10, at National Academy of Science's Koshland Museum

Not Just Yesterday's Headlines, But the Day After Tomorrow's As Well

There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide

CyLab Seminar Series: Of Frogs, Herds, Behavioral Economics, Malleable Privacy Valuations, and Context-Dependent Willingness to Divulge Personal Info

-- Richard Power

Thursday, January 21, 2010

Vital to Cyber Security in 2010 & Beyond: Mission Understanding & Mission Assurance



2009 had all the makings to be a banner year for cybersecurity: The need had been identified, guidance was promised, appointments were planned and mandates were discussed. Unfortunately, 2009 will be remembered as the year that wasn't, and the challenge facing us now is to make sure 2010 doesn't follow suit. Keith Rhodes, Cybersecurity: Make It Work This Year, Defense News, 1-11-10

Cybersecurity begins with disciplined, methodical risk analysis. Each business or agency needs a clear mission profile. Its decision-makers need a comprehensive analysis of their assets that includes an understanding of vulnerabilities and dependencies. First-hand, experiential mission knowledge helps ensure analytical accuracy. Keith Rhodes, Cybersecurity must start with mission assurance, Washington Technology, 1-15-10

Vital to Cyber Security in 2010 & Beyond: Mission Understanding & Mission Assurance

By Richard Power


In his years with the U.S. General Accounting Office (GAO), which was eventually renamed the U.S. Government Accountability Office, Keith Rhodes was responsible for some very important assessments whose profound implications have yet to be adequately addressed. During his career in government, he served as the first director of the GAO's Center for Technology and Engineering. Currently, Rhodes is Senior Vice President and Chief Technology Officer (CTO) for QinetiQ North America's Mission Solutions Group. (QinetiQ is one of CyLab's corporate partners.)

Rhodes has written two compelling Op-Ed pieces on cyber security in 2010 and beyond.

His insights are invaluable.

Here are some excerpts, with links to the full texts.

In his Defense News Op-Ed, Rhodes outlines "four ways in which cyber defense can move forward," including three that many of us think we understand better than we actually do, "Education," "Communication," and "Partnerships," and a fourth that is rarely grokked thoroughly, "Mission Understanding."

"Mission Understanding ... is the most important piece of the puzzle. Without knowing what needs to be done, we cannot know what needs to be protected. Mission understanding needs to be the fabric that cybersecurity is made out of. Information isn't protected just because it exists, it is protected because it is necessary to a mission." Keith Rhodes, Cybersecurity: Make It Work This Year, Defense News, 1-11-10

In his Washington Technology Op-Ed, Rhodes articulates the companion concept of "Mission Assurance" and its relationship to cyber security.

I would argue that cybersecurity cannot be understood, much less addressed, except as part of a larger mission assurance whole. You want cybersecurity because you want to be able to use information to get something done. And you want to protect that information because you want to prevent others from damaging your ability to get things done. So the point is really mission assurance; that’s the holistic context in which cybersecurity makes sense. Keith Rhodes, Cybersecurity must start with mission assurance, Washington Technology, 1-15-10

Wednesday, January 13, 2010

Read Alessandro Acquisti on Nudging Privacy (IEEE Security & Privacy), Hear Him Speak, 1/20/10, at National Academy of Science's Koshland Museum

Alessandro Acquisti on CNN, July, 2009


What is it that pushes us to seek fame by misconduct or publicity by sharing embarrassing information with strangers? How do we reconcile these desires with the apparent need for privacy that surveys keep finding so widespread among the American population? In short, what drives individuals to reveal, and to hide, information about themselves to and from others? decision-making and promising initial results. They might be able to reconcile the human need for publicity with our ostensible desire for privacy. Nudging Privacy, the Behavioral Economics of Personal Information, IEEE Security and Privacy, November-December 2009

Our cashless, information-sharing society has made identity theft easier and far more common than ever before. New research conducted by Alessandro Acquisti (Carnegie Mellon University) shows how thieves can accurately guess your Social Security number with a few easily obtainable facts. At this science café, Acquisti will have a conversation with the audience about his findings and their ideas for protecting privacy in an increasingly public world. The Dish: It's All in the Numbers - Privacy, Math, and Social Security, Koshland Science Museum Science Cafe, 1-20-10

Read Alessandro Acquisti on Nudging Privacy (IEEE Security & Privacy), Hear Him Speak, 1/20/10, at National Academy of Science's Koshland Museum

CyLab researcher Alessandro Acquisti rocked the realms of privacy and security in 2009, with the release of his blockbuster paper on predicting social security numbers (co-authored with Ralph Gross, also of Carnegie Mellon).

If you don't remember the story, or happened to be taking core samples at the North Pole during that news cycle, see There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide and Not Just Yesterday's Headlines, But the Day After Tomorrow's As Well for a refresher.

News of the two researchers' revelations even made it through the overgrown thicket that insulates the halls of government from the outside world; see Significant Contribution of Carnegie Mellon Privacy Research Cited in Congressional Hearing.

Well, just to keep you current --

In the November-December 2009 issue of IEEE's Security and Privacy, Acquisti published a paper entitled "Nudging Privacy, the Behavioral Economics of Personal Information."

Here is a brief excerpt, followed by a link to a .pdf of the full text:

The idea behind soft paternalism is to design systems so that they enhance (and sometimes influence) individual choice to increase individual and societal welfare. To do so, behavioral economists might even design systems to “nudge” individuals, sometimes exploiting the very fallacies and biases they uncover, turning them around in ways that don’t diminish users’ freedom but offer them the option of more informed choices. Hence, nudging privacy—that is, using soft paternalism to address and improve security and privacy decisions—might be an appealing concept for policy makers and technology designers. This concept goes beyond concurrent attempts at making our computer systems more “usable.” Alessandro Acquisti, IEEE Security and Privacy, November-December 2009

If you are in Washington, D.C. on January 20, 2010, you can join Alessandro Acquisti at the National Academy of Science's Koshland Science Museum's Science Cafe, from 6:30 p.m. to 8 p.m., for his talk on The Dish: It's All in the Numbers - Privacy, Math, and Social Security. This program will be held in collaboration with Proceedings of the National Academy of Sciences. Please RSVP to ksm@nas.org or call 202-334-1201, including number of guests.

-- Richard Power

Friday, January 8, 2010

Nicolas Christin: "... see if we can follow the money trail to figure out what are the best intervention practices to defeat online crime"


"More and more attacks are motivated by financial gain, so it makes sense to try to see if we can follow the money trail to figure out what are the best intervention practices to defeat online crime." -- Nicolas Christin, CyLab Chronicles, 2010

Nicolas Christin: "... see if we can follow the money trail to figure out what are the best intervention practices to defeat online crime"

CyLab Chronicles is an ongoing feature of CyLab's online presence; it provides periodic interviews with CyLab researchers, and offers insights into vital issues and trends.

Here is a brief excerpt from the latest CyLab Chronicles, a Q&A with Nicolas Christin; a link to the full text follows:

CyLab Chronicles: Many security professionals are looking for answers to important questions, and know that some of those answers can be found in Economics, but most of them would probably find it difficult to get their minds around how mathematical models can be used to uncover them. Tell us about your research in this area. How can mathematical models be used to analyze security and privacy risks in organizations and prescribe mechanisms for mitigating such risks?

Nicolas Christin: Mathematical models are a useful abstraction that enables us to reason about security in organizations. Having a model of organizational security allows us to test different intervention scenarios on that model and predict which effects they would have on the overall security of the organization. Let me give you an example. Consider you manage a hospital. Obviously, you have to maintain the confidentiality of all of your patients' records. But if you treat a celebrity, for instance, there may be some perverse incentives for some of your staff to sell juicy bits of information to the tabloids. So, you want to put in place some sort of monitoring infrastructure to ensure people do not commit such violations, but at the same time, you cannot monitor everything and everybody, all the time -- it would simply be too expensive, not to mention probably detrimental to employee productivity. How to strike the right balance in practice is a very difficult problem. Now, if I can come up with a reasonable mathematical abstraction for the problem, I can probably show you which strategies are most likely to be effective, so in the end I can provide a formal justification of which policy makes most sense. Having a formal basis on which to reason is really indispensable to make the right decisions. Also, the beauty of mathematical models is that they tend to rid you of political or other considerations that may hamper your judgment. If your model is sound, and if your assumptions are valid, then the model tells you exactly what is going to happen. It can be a powerful predictive tool.
CyLab Chronicles: Q & A with Nicolas Christin (2010)

For an archive of all CyLab Chronicles, click here.

-- Richard Power

Tuesday, January 5, 2010

CSO Magazine: The Digital Trail of the Maltese Falcon - Private Investigations in the Information Age

Dashiell Hammett, author of the Maltese Falcon, The Thin Man and Continental Op


Psycholinguistics uses insights from the field of psychology to help gain a better understanding about the intent and state-of-mind of people through their communications. This is important because much of the law is focused on whether or not there was "intent" associated with the actions of individuals. Intent is a critical element that must be established in most litigation. Ed Stroz of Stroz and Friedberg in CSO Magazine, 1-5-10

The Digital Trail of the Maltese Falcon: Private Investigations in the Information Age

By Richard Power


My latest piece for CSO Magazine is now available on-line. It features an interview with Ed Stroz of Stroz and Friedberg. Stroz is a global leader in the field of corporate cyber security investigations, and his insights on this vital issue are invaluable.

Here is one of the seven questions I posed to him; follow the link below to read the rest of the interview:

Richard Power: The ways in which the shift from the Industrial Age to the Information Age has revolutionized different fields of expertise and endeavors related to risk, security, privacy, etc. is of great interest to us all; and few are as fascinating as what the Information Age has meant to the field of private investigations, both for the corporation and the individual. It is something that I have been tracking for almost two decades, and that you and I have been discussing throughout. So for our CSO readers, give us your overview of where the field of private investigations was, technically and professionally, when you went into it after your years with the FBI, and where it is today, technically and professionally?

Ed Stroz: Private investigations are more important than ever, both for their private party clients, and for the government. Investigative skill is needed to address areas where suspicions or allegations have been made, but they also are being used for additional due diligence and assurance in the wake of financial scandals like that of Bernard Madoff. But today, private investigation requires updated skills.

As recently as the early 1990s, expertise in computerized technology was viewed as a tactical skill set within private investigative services. Today computer expertise is part of the necessary knowledge base in crafting an investigative strategy. For example, if a client thinks they are being "bugged" at home or work you would be remiss if all you did was "sweep" the office for listening devices. Today's investigator should have an understanding of spyware and sniffer technologies to even decide how to approach that type of engagement.

Another major change is brought about by the legal and practical limitations on government investigations. While the government has tremendous technological resources and expertise, those resources cannot be brought to bear in every investigation. And, putting technological prowess aside, the government is often restricted in what it is allowed to possess or view.

For example, a recent court case in the Ninth circuit limited the government's ability to examine a single computer device seized under search warrant because of the intermingled information contained within that device. In other words, the government agents may have had legitimate rights to see some of the contents in a given device, but maybe not all of it. In those situations, a safe way to proceed and honor the valid interests of government and the valid interests of private parties, is to have a carefully structured procedural protocol executed by competent private investigators, complete with an audit trail. Those services will increasingly be provided by the private sector in my opinion.


Richard Power, The Digital Trail of the Maltese Falcon - Private Investigations in the Information Age, CSO Magazine, 1-5-10

Tuesday, December 1, 2009

Report from the Launch of the Northrop Grumman Cybersecurity Research Consortium





"We require leap-ahead technology developments to improve the position of defenders. Our NGCRC is all about creating leap-ahead technologies to implement on a large-scale."

Report from the Launch of the Northrop Grumman Cybersecurity Research Consortium

By Richard Power


At the National Press Club in Washington, D.C., Northrop Grumman announced the formation of its Cybersecurity Research Consortium (NGCRC), which involves three of the leading programs in the field: Carnegie Mellon's CyLab as well as Purdue University's CERIAS and M.I.T.'s CSAIL.

In his remarks, Robert F. Brammer, VP for Advanced Technology and CTO for Northrop Grumman Information Systems cited the motivating factors behind the Consortium:

"First, the values of information systems and networks have never been greater. Second, cybersecurity threats have never been greater."

"We are moving from an internet of people and computers to an internet of things. This technology will transform electric power, automobiles, real estate, home appliances, health care, and other industries."

"We require leap-ahead technology developments to improve the position of defenders. Our NGCRC is all about creating leap-ahead technologies to implement on a large-scale."

Following Brammer's opening statement, representatives from the three academic research programs offered glimpses into what some of that "leap-ahead" technology will look like.

Dr. Howard Shrobe, Principal Research Scientist at M.I.T. CSAIL (Computer Science and Artificial Intelligence Lab) spoke on his "Meta-Computing" project:

"Computers are vulnerable because they have no idea what they're doing; they can't tell right from wrong ... Our fix to this is to design a new style of computer architecture ..."

Dr. Adrian Perrig, CyLab's Technical Director, briefly outlined the seven major CyLab research thrusts and then highlighted work being done in the area of Trustworthy Computing Platforms & Devices.

This research focuses on the Trusted Platform Module (TPM). In 2008, over 100 million laptops & desktops shipped with a TPM; in 2010, it is estimated to be over 200 million. But, as of today, it is an under-utilized opportunity to deepen security. CyLab is working on numerous projects that provide means to establish trustworthy computing in an insecure environment. The challenge is this: in an increasingly virtual world, how can we obtain assurance of who and which device we are communicating with? CyLab is developing easy-to-understand and intuitive mechanisms for secure device pairing and personal trust setup, e.g., Perspectives, TrustVisor, Flicker and SPATE.

Perrig also offered a brief overview of three research projects CyLab will be pursuing as its contribution to the NGCRC:

"Detection Mechanisms for Integrity Attacks on Sensing & Control Software Systems" will be led by Dr. Bruno Sinopoli. The work is aimed at detecting integrity attacks on distributed control software systems. Has software on embedded devices been modified? Are there discrepancies between sensed & expected behavior? What do they indicate?

"Towards Minimizing the Attack Window for Exploitable Bugs" will be led by Dr. David Brumley. It aims at developing techniques, attack models, & theoretical foundations for finding new bugs, for prioritizing bugs by their exploitability, & for safely distributing patches that fix exploitable bugs.

"Real-Time Execution Trace Recording & Analysis" is led by Dr. Perrig himself along with Amit Vasudevan. It aims at enabling real-time forensics, which would otherwise be impossible. Did attackers exploit a vulnerability to compromise systems; if yes, what operations did they perform?

Dr. Eugene Spafford, Executive Director of CERIAS (Center for Education and Research in Information Assurance and Security), spoke of four NGCRC projects:

"Fast Forensics"

"Watermarking and Provenance of Data Streams for the Cyber-Range"

"Partitioning Network Experiments for the Cyber-Range"

"Context-Based, Adaptable Defense Against Collaborative Attacks in Service-Oriented Architectures"

"In the Fast Forensics," Spafford explained, "we will be investigating how to provide investigators in the field with timely support to examine cellphones, PDAs, and other portable devices containing evidence of criminal activity."

Spafford described the NGCRC as a "unique opportunity for the community to work together looking ahead to the future for a change instead of being reactive serve as an example for other organizations to step forward and take the threat more seriously."

As a long-time champion of academic research into cybersecurity, I concur.

Academic research into cybersecurity is vital to national security and global security.

Partnerships with industry and government are vital to the success of academic research into cybersecurity.

Bringing Northrop-Grumman, CyLab, CERIAS & MIT together in this consortium is an opportunity to advance both of these vital agendas.

The aim of all such collaborations is to accelerate the development of security technologies and strategies. Our work can make such technologies and strategies available sooner than they would have been otherwise.

Related Links:

Carnegie Mellon University Press Release

Northrop Grumman Press Release