Privacy and Security in Software and Things: A Human Perspective

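Basic information

  • Grant number:
    RGPIN-2021-03808
  • Principal investigator:
  • Amount:
    $17,500
  • Host institution:
  • Host institution country:
    Canada
  • Program category:
    Discovery Grants Program - Individual
  • Fiscal year:
    2021
  • Funding country:
    Canada
  • Duration:
    2021-01-01 to 2022-12-31
  • Project status:
    Completed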

Project abstract

Technology continues to fail users when it comes to privacy and security. Years of scientific research demonstrate that building systems that seamlessly integrate privacy and security is challenging. From a human-centric perspective, I will conceptualize the two "victims" involved in this challenge as the "software producer": all those involved in the production of software, and the "software consumer": the end-user. Software producers often lack security expertise, follow standard security practices that fail to consider under-represented user groups, and are generally unaware of practices to protect users' privacy. On the consumer side, users' incomplete mental models of privacy and security can lead to serious errors. Importantly, a bridge is missing between both sides; producers need to have a proper understanding of their consumers to build technologies that match users' expectations and in turn help further their mental models of the technology. This research takes a holistic view that, for the first time, captures the interplay between software producers and consumers, with the overarching goal of facilitating the development of secure software, and giving users control over their personal data. We will tackle three research themes:

We will work towards identifying actors that influence the state of security and privacy in software, and assessing the degree of influence of each actor. These actors may include individuals involved in the Software Development Lifecycle (SDLC), standardization bodies, software development processes, and security best practices. Upon identifying the set of actors, we will devise new methodologies to study the degree to which each of the actors influences software security and privacy.

We will work towards identifying critical instances in the SDLC where we can encourage collaboration and knowledge sharing between developers and privacy and security experts. We will devise evaluation parameters to gauge the usefulness of these opportunities to the developer, and how disruptive they are to the experts. We will then iteratively design tools to support these opportunities, employing large multitouch screens to facilitate collaboration, incorporating visualization techniques to enable exploration and knowledge sharing, as well as experimenting with techniques to distribute efforts to avoid experts' burnout.

Users typically have poor mental models of privacy and security, which often leads them to dismiss protective measures, or to inadvertently circumvent them. We will work on identifying design patterns for future technologies to help users cope with evolving technology and improve their privacy and security mental models. We will iteratively design and build tools, employing these design patterns to allow users to manage data accessed by software they use. We will also research simple yet effective methods to communicate data access and privacy leaks to users while avoiding user habituation.

Project outcomes

Journal articles (0)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)

Other grants by Assal, Hala

Privacy and Security in Software and Things: A Human Perspective
  • Grant number:
    RGPIN-2021-03808
  • Fiscal year:
    2022
  • Funding amount:
    $17,500
  • Program category:
    Discovery Grants Program - Individual
Privacy and Security in Software and Things: A Human Perspective
  • Grant number:
    DGECR-2021-00432
  • Fiscal year:
    2021
  • Funding amount:
    $17,500
  • Program category:
    Discovery Launch Supplement
Multitouch Surfaces for Collaborative Security Code Review
  • Grant number:
    475151-2015
  • Fiscal year:
    2016
  • Funding amount:
    $17,500
  • Program category:
    Postgraduate Scholarships - Doctoral
Multitouch Surfaces for Collaborative Security Code Review
  • Grant number:
    475151-2015
  • Fiscal year:
    2015
  • Funding amount:
    $17,500
  • Program category:
    Postgraduate Scholarships - Doctoral

Similar overseas grants

TELEMETRY - Trustworthy mEthodologies, open knowLedgE & autoMated tools for sEcurity Testing of IoT software, haRdware & ecosYstems
  • Grant number:
    10087006
  • Fiscal year:
    2023
  • Funding amount:
    $17,500
  • Program category:
    EU-Funded
TRUSTED: SecuriTy SummaRies for SecUre SofTwarE Development
  • Grant number:
    EP/X03688X/1
  • Fiscal year:
    2023
  • Funding amount:
    $17,500
  • Program category:
    Research Grant
CAREER: Enabling Robust and Adaptive Architectures through a Decoupled Security-Centric Hardware/Software Stack
  • Grant number:
    2238548
  • Fiscal year:
    2023
  • Funding amount:
    $17,500
  • Program category:
    Continuing Grant
Elements: An Infrastructure for Software Quality and Security Issues Detection and Correction
  • Grant number:
    2416756
  • Fiscal year:
    2023
  • Funding amount:
    $17,500
  • Program category:
    Standard Grant
TRUSTED: SecuriTy SummaRies for SecUre SofTwarE Development
  • Grant number:
    EP/X037274/1
  • Fiscal year:
    2023
  • Funding amount:
    $17,500
  • Program category:
    Research Grant
Assessing the importance of open-source software development from a cyber-security perspective
  • Grant number:
    2888123
  • Fiscal year:
    2023
  • Funding amount:
    $17,500
  • Program category:
    Studentship
SBIR Phase I: Security Gateway Processing Software for an Inclusive Public-Facing, Limited-Purpose Destination System
  • Grant number:
    2208351
  • Fiscal year:
    2023
  • Funding amount:
    $17,500
  • Program category:
    Standard Grant
Learning Software Security Analysers with Imperfect Data
  • Grant number:
    FT220100391
  • Fiscal year:
    2023
  • Funding amount:
    $17,500
  • Program category:
    ARC Future Fellowships
Security Mental Model Builders in Software
  • Grant number:
    546531-2020
  • Fiscal year:
    2022
  • Funding amount:
    $17,500
  • Program category:
    Alexander Graham Bell Canada Graduate Scholarships - Doctoral
A Machine Learning Approach to Detecting Security Vulnerabilities in Software.
  • Grant number:
    RGPIN-2018-05931
  • Fiscal year:
    2022
  • Funding amount:
    $17,500
  • Program category:
    Discovery Grants Program - Individual