Almut Herzog, Nahid Shahmehri:
Usable Set-up of Runtime Security Policies.

Complete Text [
.pdf, 161KB]
In: Proceedings of International Symposium on Human Aspects of Information Security & Assurance (HAISA 2007), Plymouth, UK (10th July 2007), 99-113, July 2007
© University of Plymouth

Setting up runtime security policies as required for firewalls or as envisioned by policy languages for the Semantic Web is a difficult task, especially for lay users who have little knowledge in the security domain. While technical solutions for runtime protection and advanced security policy languages abound, little effort has so far been spent on enabling users to actually use these systems to set up a security policy, and certainly not at runtime. To start filling this gap, we give concrete and verified guidelines for designers that are faced with the task of delegating security decisions to lay users. We advocate, for example, that security policies be set up at runtime, not off-line, that the principle of least privilege be enforced and that alert windows be compact but still contain information about the consequences of a chosen action. These guidelines have emerged from our own and others’ research on usability and security. They are further strengthened through the implementation of the prototype JPerm, which follows our guidelines. JPerm is used for the runtime set-up of security policies for Java applications. Its specific design and evaluation are described in this work and serve as an illustration of the presented guidelines.



	author = {Almut Herzog and Nahid Shahmehri},
	title = {Usable Set-up of Runtime Security Policies},
	booktitle = {Proceedings of International Symposium on Human Aspects of Information Security & Assurance, Plymouth, UK (10th July 2007)},
	year = {2007},
	pages = {99--113},
	url = {}