Security as Experience & Practice
Supporting Everyday Security

Paul Dourish
Donald Bren School of Information and Computer Sciences &
California Institute for Telecommunications and Information Technology
UC Irvine
jpd@ics.uci.edu

privacy and security
• alternative formulation of security “problem”
  – one that people routinely encounter and solve
• the question is, how?
• usual approach:
  – use security ideas to tackle privacy problems
    • P3P, ACLs,
• alternative approach:
  – use privacy ideas to tackle security problems
    • focus on ongoing management and situated practice

Altman’s model
• borrowed a model from Irwin Altman
  – Altman’s primary concern is f2f interaction
    • management of interpersonal space, etc
• three key ideas
  – a dialectic…
  – … and dynamic process of …
  – … boundary regulation

privacy as a process
• privacy is not rule-governed
• an optimization
  – continuum of degrees of openness and closedness
  – managing against conflicting goals
  – personal, interpersonal, organizational, institutional
• systemic
  – many regulatory behavioral mechanisms
  – operate as a system
• a collective response to circumstances and needs

managing boundaries
• the destabilizing effect of technology
  – disrupting the regulation of boundaries
    • by setting up new boundaries or replacing existing ones
    • by transforming the ways in which actions are mediated
    • etc…
• a look at three of these boundaries
  – disclosure
  – identity
  – temporality

empirical investigation
• studies of everyday security practices
  – security as a barrier
    • homogeneous treatment of “threats”
      – spammers, hackers, stalkers and marketers
  – delegating security
    • to technology
    • to individuals
    • to organizations
    • to institutions
  – security as a problem

our approach
• moving away from normative models
  – inherently contingent
• moving away from abstract descriptions
  – resolved in-the-moment
• practical action and decision-making
  – always part and parcel of the same setting
  – social, organizational, cultural, temporal context

technical approach
• supporting informed decision-making
  – providing a context for security actions
  – seeing the consequences of your actions
• a twin approach
  – visualization
    • continual visual monitoring
    • exploit ability to perceive structure and regularities
  – event-based architectures
    • integrate information from many sources
    • balance individual and holistic accounts
    • event inference and analysis

scenario

architecture
[Architecture diagram. Labels: View (three instances); Application being monitored; Application; Vavoom loader; YANCEES; elvin router; siena; “publishes JVM events”; “JVM events routed”; Sequence detection]

summary
• security as an everyday phenomenon
• grounding
  – empirical
    • investigations of real-world security practices
  – analytic
    • development of Altman’s model
• technological implications
  – non-normative stance
  – integrating decision-making and action