No Authorization Without Representation: Conveying the authority applications require users to grant as a condition of installation

Friday, November 6^th, 2009 from 12-1 pm in GHC 4303.

Jennifer Tam, CSD

Computer operating systems, and now websites that serve as application platforms, are increasingly adopting stricter application security models; they restrict the resources applications can access to those authorized by the user. Users authorize access to these resources either when the application is installed or when the application rst requires access to an unauthorized resource. While the security of users systems and data increasingly rests on their ability to make these authorization decisions, there is little research to guide those designing these authorization experiences.

We performed a laboratory study to evaluate different designs for representing the actions and resources to be authorized as a condition of installing an application. We used a within-participants design to observe thirty-three Facebook users ability to absorb and search information in seventeen different representations, all of which were presented in the context of a fictional Facebook application. Four of these representations conveyed only a set of resources to be authorized, such as contacts or friends. The other thirteen representations paired resources with different actions that could be performed on them, such as seeing information, changing information, or adding new information.

We find that participants overwhelmingly prefer representations in which resources are presented visually, using icons or pictures. We also find strong evidence that users are able to search presentations containing icons more quickly than those that do not. Finally, we found that participants performed better when authorization information was organized by actions, and followed by the various resources on which the actions would be authorized, than when information was grouped by the resources.

Joint work with Stuart Schechter (MSR) and Robert Reeder (Microsoft)

(Presented in Partial Fulfillment of the CSD Speaking Skills Requirement.)

Fall 2009 Schedule

Sep 8	GHC 4303		Expired
Sep 11	GHC 4303	Terrill L. Frantz	CEMAP: An Architecture and Specifications to Facilitate the Harvesting of Real-World Network Data
Sep 15	GHC 4303		Expired
Sep 18	GHC 4303		Expired
Sep 22	GHC 4303		Expired
Sep 25	GHC 4303		Expired
Sep 29	GHC 4303		Expired
Oct 2	GHC 4303		Expired
Oct 6	GHC 4303		Expired
Oct 9	GHC 4303		Expired
Oct 13	GHC 4303	Fan Guo	BBM: Bayesian browsing model from petabyte-scale data
Oct 16	GHC 4303		Expired
Oct 20	GHC 4303	Terrill L. Frantz	Identifying Social Network Subgroups using ORA
Oct 23	GHC 4303	Indrayana Rustandi	Integrating Multiple-Subject Multiple-Study fMRI Datasets Using Canonical Correlation Analysis
Oct 27	GHC 4303		Expired
Oct 30	GHC 4303	Terrill L. Frantz	Simulating Organizational Networks using Construct
Nov 3	GHC 4303		Expired
Nov 6	GHC 4303	Jennifer Tam	No Authorization Without Representation: Conveying the authority applications require users to grant as a condition of installation
Nov 10	GHC 4303		Expired
Nov 13	GHC 4303		Expired
Nov 17	GHC 4303	Stephanie Rosenthal	Usability and Utility of Robots that Ask for Help
Nov 20	GHC 4303		Expired
Nov 24	GHC 4303	Thanksgiving Week	By request only
Dec 1	GHC 4303		AVAILABLE
Dec 4	GHC 4303	Amar Phanishayee	TBD
Dec 8	GHC 4303		AVAILABLE
Dec 11	GHC 4303	Indrayana Rustandi	TBD

General Info

The Student Seminar Series is an informal research seminar by and for SCS graduate students from noon to 1 pm on Fridays. Lunch is provided by the Computer Science Department (personal thanks to Sharon Burks and Debbie Cavlovich!). At each meeting, a different student speaker will give an informal, 40 minute talk about his/her research, followed by questions/suggestions/brainstorming. We try to attract people with a diverse set of interests, and encourage speakers to present at a very general, accessible level.

So why are we doing this and why take part? In the best case scenario, this will lead to some interesting cross-disciplinary work among people in different fields and people may get some new ideas about their research. In the worst case scenario, a few people will practice their public speaking and the rest get together for a free lunch.

This page is updated roughly once a week, usually on Fridays.

Guideline & Speaking Requirement Need-to-Know

Note: Step #1 and #3 below are applicable to ALL SSS speakers.

SSS is an ideal forum for SCS students to give presentations that count toward fulfilling their speaking requirements. The specifics, though, vary with each department. For instance, students in CSD will need to be familiar with the notes in Section 8 of the Ph.D. document and follow the instructions outlined on the Speakers Club homepage. Roughly speaking, these are the steps:

1. Schedule a talk with SSS, first checking this page for available slots, then emailing sss@cs at least SIXTEEN DAYS before your scheduled talk. You can schedule AT MOST THREE talks per semester.
2. After you are confirmed with your SSS slot, go to the Speakers Club Calendar and schedule your talk at least three weeks in advance of the talk date.
   
3. Send your talk title, abstract, additional info (like "Joint work with..." or "In Partial Fulfillment of the Speaking Requirement"), and a picture of yourself (preferably jpeg) to sss@cs, at the latest, TEN DAYS before your scheduled talk.
4. On the day of your talk, make sure you print Speakers Club evaluation forms for your evaluators to use.

Students outside of CSD will need to check with their respective departments regarding the procedure. As another example, ISRI students fulfill their speaking requirements by attending a semesterly Software Research Seminar and giving X number of presentations per school year. If you have experience with your department that might help others in your department, please feel free to contribute your knowledge by emailing us. Thank you!

SSS Co-ordinators

Fan Guo, WebMaster
Dafna Shahaf, PosterMaster