[cap-talk] getting authorization from the user and the great insight
Stiegler, Marc D
marc.d.stiegler at hp.com
Thu Oct 4 19:01:56 EDT 2007
> > > There is strong evidence from IDS/IPS research that this
> > > approach has definite flaws and dangers. The most obvious and
> > > significant one is that a poorly informed or trained user - or more
> > > insidiously, a malicious insider - will continually perform
> > > inappropriate actions that are soon interpreted as normal and
> > > appropriate and quietly embodied as policy by the UI.
>
> <and result in inappropriate authorizations> ... and that
> thread continued.
>
> I believe this suggests an answer to John's question.
> To me it seems that the answer is that user actions that
> result in authorizations should be carefully clarified in the
> UI and made known to the user.

This general rule, carefully clarifying all the time, would lure one
into thinking you need big dialog boxes full of detailed explanations
everywhere. I think David's more important answer, elided from your
excerpt, is that we make the user actions result in authorizations that
fit the user's intuitions about what authority will be needed to fulfill
those actions. Then the user is not surprised, either by the
authorizations or by any dialogs full of stuff (which will be quite
rare, and will usually signal that the app is malicious, which is very
different from today, when the dialog boxes are quite common, and
usually signal that the app is honorably trying to do something
sensible).

Sometimes some explanation is needed, but the better we can fit the
user's intuitions, the less explanation is required, the more seamless
and smooth the system is. The goal should be dialog-and-explanation-free
computing. That goal is unattainable, but striving for that goal means
your software will be better than it would be if the goal were weaker.

All solutions -- with big explanations, with intuitive model-matching,
with anything else we invent -- can only begin to work if we can teach
users that the time of submissive despair is over, and that warnings and
dialog boxes explaining about dangers should be assessed carefully
because they will be rare and important, and the default answer should
be No rather than Yes. Unless we can teach them this, then they will
robotically continue to do what traditional security has trained them to
do -- just click ok for everything.

This may mean starting over with children in kindergarten; anyone older
than that has already been hammered into submissive despair. The other
alternative is to introduce success on a different platform, like the
cell phone, of which people have not yet been taught to submissively
despair.

--marcs