DOCSLIB.ORG

Security Usability Fundamentals an Important Consideration When You’Re Building an Application Is the Usability of the Security Features That You’Ll Be Employing

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security Usability Fundamentals an Important Consideration When You’Re Building an Application Is the Usability of the Security Features That You’Ll Be Employing Security (Un-)Usability 17 Security Usability Fundamentals An important consideration when you’re building an application is the usability of the security features that you’ll be employing. Security experts frequently lament that security has been bolted onto applications as an afterthought, however the security community has committed the exact same sin in reverse, placing usability considerations in second place behind security, if they were considered at all. As a result, we spent the 1990s building and deploying security that wasn’t really needed, and now that we’re experiencing widespread phishing attacks with viruses and worms running rampant and the security is actually needed, we’re finding that no-one can use it. To understand the problem, it’s necessary to go back to the basic definition of functionality and security. An application exhibits functionality if things that are supposed to happen, do happen. Similarly, an application exhibits security if things that aren’t supposed to happen, don’t happen. Security developers are interested in the latter, marketers and management tend to be more interested in the former. Ensuring that things that aren’t supposed to happen don’t happen can be approached from both the application side and from the user side. From the application side, the application should behave in a safe manner, defaulting to behaviour that protects the user from harm. From the user side, the application should act in a manner in which the user’s expectations of a safe user experience are met. The following sections look at some of the issues that face developers trying to create a user interface for a security application. Security (Un-)Usability Before you start thinking about potential features of your security user interface, you first need to consider the environment into which it’ll be deployed. Now that we have 10-15 years of experience in (trying to) deploy Internet security, we can see, both from hindsight and because in the last few years people have actually started testing the usability of security applications, that a number of mechanisms that were expected to Solve The Problem don’t really work in practice [1]. The idea behind security technology is to translate a hard problem (secure/safe communication and storage) into a simpler problem, not just to shift the complexity from one layer to another. This is an example of Fundamental Truth No.6 of the Twelve Networking Truths, “It is easier to move a problem around than it is to solve it” [2]. Security user interfaces are usually driven by the underlying technology, which means that they often just shift the problem from the technical level to the human level. Some of the most awkward technologies not only shift the complexity but add an extra level of complexity of their own (IPsec and PKI spring to mind). Figure 1: Blaming the user for security unusability The major lesson that we’ve learned from the history of security (un-)usability is that technical solutions like PKI and access control don’t align too well with usability conceptual models. As a result, calling in the usability people after the framework of the application’s user interface measures have been set in concrete by purely 18 Security Usability Fundamentals technology-driven considerations is doomed to failure, since the user interface will be forced to conform to the straightjacket constraints imposed by the security technology rather than being able to exploit the full benefits of years of usability research and experience. Blaming security problems on the user when they’re actually caused by the user interface design (Figure 1) is equally ineffective. This chapter covers some of the issues that affect security user interfaces, and looks at various problems that you’ll have to deal with if you want to create an effective user interface for your security application. Theoretical vs. Effective Security There can be a significant difference between theoretical and effective security. In theory, we should all be using smart cards and PKI for authentication. However, these measures are so painful to deploy and use that they’re almost never employed, making them far less effectively secure than basic usernames and passwords. Security experts tend to focus exclusively on the measures that provide the best (theoretical) security, but often these measures provide very little effective security because they end up being misused, or turned off, or bypassed. Worse yet, when they focus only on the theoretically perfect measures, they don’t even try to get lesser security measures right. For example passwords are widely decried as being insecure, but this is mostly because security protocol designers have chosen to make them insecure. Both SSL and SSH, the two largest users of passwords for authentication, will connect to anything claiming to be a server and then hand over the password in plaintext after the handshake has completed. No attempt is made to provide even the most trivial protection through some form of challenge/response protocol, because everyone knows that passwords are insecure and so it isn’t worth bothering to try and protect them. This problem is exemplified by the IPsec protocol, which after years of discussion still doesn’t have any standardised way to authenticate users based on simple mechanisms like one-time passwords or password-token cards. The IETF even chartered a special working group, IPSRA (IPsec Remote Access), for this purpose. The group’s milestone list calls for an IPsec “user access control mechanism submitted for standards track” by March 2001, but six years later its sole output remains a requirements document [3] and an expired draft. As the author of one paper on effective engineering of authentication mechanisms points out, the design assumption behind IPsec was “all password-based authentication is insecure; IPsec is designed to be secure; therefore, you have to deploy a PKI for it” [4]. The result has been a system so unworkable that both developers and users have resorted to doing almost anything to bypass it, from using homebrew (and often insecure) “management tunnels” to communicate keys to hand-carrying static keying material to IPsec endpoints to avoiding IPsec altogether and using mechanisms like SSL-based VPNs, which were never designed to be used for tunnelling IP traffic but are being pressed into service because users have found that almost anything is preferable to having to use IPsec (this has become so pressing that there’s now a standard for transporting TLS over UDP to allow it to fill the gap that IPsec couldn’t, datagram TLS or DTLS [5]). More than ten years after SSL was introduced, support for a basic password-based mutual authentication protocol was finally (reluctantly) added, although even there it was only under the guise of enabling use with low-powered devices that can’t handle the preferred PKI-based authentication and lead to prolonged arguments on the SSL developers list whenever the topic of allowing something other than certificates for user authentication came up [6]. SSH, a protocol specifically created to protect passwords sent over the network, still operates in a manner in which the recipient ends up in possession of the plaintext password instead of having to perform a challenge-response authentication in its standard mode of authentication. This practice, under the technical label of a tunnelled authentication protocol, is known to be insecure [7][8][9] and is explicitly warned against in developer documentation like Apple’s security user interface guidelines, which instruct developers to avoid “handing [passwords] off to another program unless you can verify that the other Theoretical vs. Effective Security 19 program will protect the data” [10], and yet both SSL and SSH persist in using it. What’s required for proper password-based security for these types of protocols is a cryptographic binding between the outer tunnel and the inner authentication protocol, which TLS’ recently-added mutual authentication finally performs, but to date very few TLS implementations support it. A nice example of the difference between theory and practice from the opposite point of view is what its author describes as “the most ineffective CAPTCHA of all time” [11]. Designed to protect his blog from comment spam, it requires submitters to type the word “orange” into a text box when they provide a blog comment. This trivial speed-bump, which would horrify any (non-pragmatist) security expert, has been effective in stopping virtually all comment spam by changing the economic equation for spammers, who can no longer auto-post blog spam as they can for unprotected or monoculture-CAPTCHA protected blogs [12][13]. On paper it’s totally insecure, but it works because spammers would have to expend manual effort to bypass it, and keep expending effort when the author counters their move, which is exactly what spam’s economic model doesn’t allow. A lot of this problem arises from security’s origin in the government crypto community. For cryptographers, the security must be perfect — anything less than perfect security would be inconceivable. In the past this has lead to all-or-nothing attempts at implementing security such as the US DoD’s “C2 in ‘92” initiative (a more modern form of this might be “PKI or Bust”), which resulted in nothing in ’92 or at any other date — the whole multilevel-secure (MLS) operating system push could almost be regarded as a denial-of-service attack on security, since it largely drained security funding in the 1980s and was a significant R&D distraction. As security god Butler Lampson observed when he quoted Voltaire, “The best is the enemy of the good” (“Le mieux est l’ennemi du bien”) — a product that offers generally effective (but less than perfect) security will be panned by security experts, who would prefer to see a theoretically perfect but practically unattainable or unusable product instead [14].
Load more

Recommended publications
  • Childnodes 1
    Index Home | Projects | Docs | Jargon Bugzilla | LXR | Tree Status | Checkins Feedback | FAQ | Search A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z Index Symbols _content 1 A addEventListener 1 alert() 1 align 1 alinkColor 1 anchors 1 appCodeName 1 appendChild 1 applets 1 appName 1 appVersion 1 attributes 1, 2 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (1 de 20) [09/06/2003 9:55:09] Index availLeft 1 availTop 1 availWidth 1 B back() 1 bgColor 1 blur 1 blur() 1 body 1 C captureEvents() 1 characterSet 1 childNodes 1 clear 1 clearInterval() 1 clearTimeout() 1 click 1 cloneContents 1 cloneNode 1 cloneRange 1 close 1 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (2 de 20) [09/06/2003 9:55:09] Index close() 1 closed 1 collapse 1 collapsed 1 colorDepth 1 commonAncestorContainer 1 compareBoundaryPoints 1 Components 1 confirm() 1 contentDocument 1, 2 contentWindow 1, 2 controllers 1 cookie 1 cookieEnabled 1 createAttribute 1 createDocumentFragment 1 createElement 1 createRange 1 createTextNode 1 crypto 1 cssRule 1 cssRule Object 1 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (3 de 20) [09/06/2003 9:55:09] Index cssRules 1 cssText 1 D defaultStatus 1 deleteContents 1 deleteRule 1 detach 1 directories 1 disabled 1 dispatchEvent 1 doctype 1 document 1 documentElement 1 DOM 1, 2 DOM 2 Range Interface 1 DOM window Interface 1 domain 1 dump() 1 E Elements Interface 1 embeds 1 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (4 de 20) [09/06/2003 9:55:09]
    [Show full text]
  • A Task-Based Taxonomy of Cognitive Biases for Information Visualization
    A Task-based Taxonomy of Cognitive Biases for Information Visualization Evanthia Dimara, Steven Franconeri, Catherine Plaisant, Anastasia Bezerianos, and Pierre Dragicevic Three kinds of limitations The Computer The Display 2 Three kinds of limitations The Computer The Display The Human 3 Three kinds of limitations: humans • Human vision ️ has limitations • Human reasoning 易 has limitations The Human 4 ️Perceptual bias Magnitude estimation 5 ️Perceptual bias Magnitude estimation Color perception 6 易 Cognitive bias Behaviors when humans consistently behave irrationally Pohl’s criteria distilled: • Are predictable and consistent • People are unaware they’re doing them • Are not misunderstandings 7 Ambiguity effect, Anchoring or focalism, Anthropocentric thinking, Anthropomorphism or personification, Attentional bias, Attribute substitution, Automation bias, Availability heuristic, Availability cascade, Backfire effect, Bandwagon effect, Base rate fallacy or Base rate neglect, Belief bias, Ben Franklin effect, Berkson's paradox, Bias blind spot, Choice-supportive bias, Clustering illusion, Compassion fade, Confirmation bias, Congruence bias, Conjunction fallacy, Conservatism (belief revision), Continued influence effect, Contrast effect, Courtesy bias, Curse of knowledge, Declinism, Decoy effect, Default effect, Denomination effect, Disposition effect, Distinction bias, Dread aversion, Dunning–Kruger effect, Duration neglect, Empathy gap, End-of-history illusion, Endowment effect, Exaggerated expectation, Experimenter's or expectation bias,
    [Show full text]
  • The Art of Thinking Clearly
    For Sabine The Art of Thinking Clearly Rolf Dobelli www.sceptrebooks.co.uk First published in Great Britain in 2013 by Sceptre An imprint of Hodder & Stoughton An Hachette UK company 1 Copyright © Rolf Dobelli 2013 The right of Rolf Dobelli to be identified as the Author of the Work has been asserted by him in accordance with the Copyright, Designs and Patents Act 1988. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means without the prior written permission of the publisher, nor be otherwise circulated in any form of binding or cover other than that in which it is published and without a similar condition being imposed on the subsequent purchaser. A CIP catalogue record for this title is available from the British Library. eBook ISBN 978 1 444 75955 6 Hardback ISBN 978 1 444 75954 9 Hodder & Stoughton Ltd 338 Euston Road London NW1 3BH www.sceptrebooks.co.uk CONTENTS Introduction 1 WHY YOU SHOULD VISIT CEMETERIES: Survivorship Bias 2 DOES HARVARD MAKE YOU SMARTER?: Swimmer’s Body Illusion 3 WHY YOU SEE SHAPES IN THE CLOUDS: Clustering Illusion 4 IF 50 MILLION PEOPLE SAY SOMETHING FOOLISH, IT IS STILL FOOLISH: Social Proof 5 WHY YOU SHOULD FORGET THE PAST: Sunk Cost Fallacy 6 DON’T ACCEPT FREE DRINKS: Reciprocity 7 BEWARE THE ‘SPECIAL CASE’: Confirmation Bias (Part 1) 8 MURDER YOUR DARLINGS: Confirmation Bias (Part 2) 9 DON’T BOW TO AUTHORITY: Authority Bias 10 LEAVE YOUR SUPERMODEL FRIENDS AT HOME: Contrast Effect 11 WHY WE PREFER A WRONG MAP TO NO
    [Show full text]
  • Two Case Studies of Open Source Software Development: Apache and Mozilla
    Two Case Studies of Open Source Software Development: Apache and Mozilla AUDRIS MOCKUS Avaya Labs Research ROY T FIELDING Day Software and JAMES D HERBSLEB Carnegie Mellon University According to its proponents, open source style software development has the capacity to compete successfully, and perhaps in many cases displace, traditional commercial development methods. In order to begin investigating such claims, we examine data from two major open source projects, the Apache web server and the Mozilla browser. By using email archives of source code change history and problem reports we quantify aspects of developer participation, core team size, code ownership, productivity, defect density, and problem resolution intervals for these OSS projects. We develop several hypotheses by comparing the Apache project with several commercial projects. We then test and refine several of these hypotheses, based on an analysis of Mozilla data. We conclude with thoughts about the prospects for high-performance commercial/open source process hybrids. Categories and Subject Descriptors: D.2.9 [Software Engineering]— Life cycle, Productivity, Pro- gramming teams, Software process models, Software Quality assurance, Time estimation; D.2.8 [Software Engineering]— Process metrics, Product metrics; K.6.3 [Software Management]— Software development, Software maintenance, Software process General Terms: Management, Experimentation, Measurement, Human Factors Additional Key Words and Phrases: Open source software, defect density, repair interval, code ownership, Apache, Mozilla This work was done while A. Mockus and J. D. Herbsleb were members of software Production Research Department at Lucent Technologies’ Bell Laboratories. This article is a significant extension to the authors’ paper, “A case study of open source software development: the Apache server,” that appeared in the Proceedings of the 22nd International Con- ference on Software Engineering, Limerick, Ireland, June 2000 (ICSE 2000), 263-272.
    [Show full text]
  • A Review of XML-Compliant User Interface Description Languages
    ÊÚÛ Ó ÅĹ ÓÑÔÐÒØ Í×Ö ÁÒØÖ ×ÖÔØÓÒ ÄÒÙ× ÆØÐ ËÓÙÓÒ Ò ÂÒ ÎÒÖÓÒØ ÍÒÚÖ×Ø Ø ÓÐÕÙ ÄÓÙÚ Ò¸ ÁÒ×ØØÙØ ³ÑÒ×ØÖ ØÓÒ Ø ×ØÓÒ ÈÐ × ÓÝÒ׸ ½ ¹ ¹½¿ ! ÄÓÙÚ Ò¹Ð ¹ÆÙÚ¸ Ð#ÙÑ ×ÓÙÓÒ¸ Ú Ò Ö ÓÒ Ø×Ý׺Ùк º ×ØÖغ ÖÚÛ Ó% &ÅĹ ÓÑÔÐ ÒØ Ù×Ö ÒØÖ% × ÖÔØÓÒ Ð Ò¹ #Ù #× × ÔÖÓ Ù Ø Ø ÓÑÔ Ö× ×#Ò¬ ÒØ×Ð ØÓÒÓ%Ú ÖÓÙ× Ð Ò¹ #Ù #× Ö××Ò# «ÖÒØ #Ó Ð׸ ×Ù ×ÑÙÐعÔÐ Ø%ÓÖÑ Ù×Ö ÒØÖ% ׸ Ú ¹ÒÔ ÒÒ ¸ ÓÒØÒØ ÐÚÖݸ Ò Ù×Ö ÒØÖ% × ÚÖØÙ ÐÐÝ ¹ ¬Òº Ì Ö × - Ò ÐÓÒ# ×ØÓÖÝ Ò ØÖ ØÓÒ ØÓ ØØÑÔØ ØÓ ÔØÙÖ Ø ××Ò Ó% Ù×Ö ÒØÖ% × Ø Ú ÖÓÙ× ÐÚÐ× Ó% -×ØÖ ØÓÒ %ÓÖ «Ö¹ ÒØ ÔÙÖÔ Ó×׺ Ì ÖØÙÖÒ Ó% Ø × ÕÙ×ØÓÒ ØÓ Ý # Ò× ÑÓÖ ØØÖ ØÓÒ¸ ÐÓÒ# ÛØ Ø ××ÑÒ ØÓÒ Ó% &ÅÄ Ñ Ö.ÙÔ Ð Ò#Ù #׸ Ò #Ú× -ÖØ ØÓ Ñ ÒÝ ÔÖÓÔ Ó× Ð× %ÓÖ ÒÛ Ù×Ö ÒØÖ% × ÖÔØÓÒ Ð Ò#Ù #º /ÓÒ×¹ ÕÙÒØÐݸ Ø Ö × Ò ØÓ ÓÒÙ Ø Ò Ò¹ÔØ Ò ÐÝ×× Ó% % ØÙÖ× Ø Ø Ñ . ÐÐ Ø × ÔÖÓÔ Ó× Ð× × ÖÑÒ ÒØ Ò ÔÔÖÓÔÖ Ø %ÓÖ ÒÝ×Ô ¬ ÔÙÖÔ Ó׺ Ì ÖÚÛ × ÜØÒ×ÚÐÝ ÓÒÙ Ø ÓÒ ×#Ò¬ ÒØ ×Ù-×Ø Ó% ×Ù Ð Ò#Ù #× - × ÓÒ Ò Ò ÐÝ×× #Ö Ò Ù×Ö ÒØÖ% × Ø Ø Û ØÖ ØÓ ÑÔÐÑÒØ ÖÓ×× Ø × Ð Ò#Ù #׺ ½ ÁÒØÖÓ Ù Ø ÓÒ ÓÖ ÝÖ׸ ÀÙÑÒ¹ÓÑÔÙØÖ ÁÒØÖØÓÒ ´ÀÁµ ÛØÒ×× Ô ÖÒÒÐ Ö ÓÖ Ø ÙÐØÑØ Í×Ö ÁÒØÖ ´ÍÁµ ×ÖÔØÓÒ ÄÒÙ ØØ ÛÓÙÐ ÐÐÝ Ô¹ ØÙÖ Ø ××Ò Ó ÛØ ÍÁ ÓÙÐ ÓÖ ×ÓÙÐ º ÍÁ ×ÖÔØÓÒ ÄÒÙ ´ÍÁĵ ÓÒ××Ø× Ó ¹ÐÚÐ ÓÑÔÙØÖ ÐÒÙ ÓÖ ×ÖÒ ÖØÖ×¹ Ø× Ó ÒØÖ×Ø Ó ÍÁ ÛØ Ö×Ô Ø ØÓ Ø Ö×Ø Ó Ò ÒØÖØÚ ÔÔÐØÓÒº ËÙ ÐÒÙ ÒÚÓÐÚ× ¬ÒÒ ×ÝÒØÜ ´ºº ÓÛ Ø× ÖØÖ×Ø× Ò ÜÔÖ×× Ò ØÖÑ× Ó Ø ÐÒÙµ Ò ×ÑÒØ× ´ºº¸ ÛØ Ó Ø× ÖØÖ¹ ×Ø× ÑÒ Ò Ø ÖÐ ÛÓÖеº ÁØ Ò ÓÒ×Ö × ÓÑÑÓÒ ÛÝ ØÓ ×Ô Ý ÍÁ ÒÔ ÒÒØÐÝ Ó ÒÝ ØÖØ ÐÒÙ ´ºº¸ ÔÖÓÖÑÑÒ ÓÖ ÑÖÙÔµ ØØ ÛÓÙÐ ×ÖÚ ØÓ ÑÔÐÑÒØ Ø× ÍÁº Ì ××Ù Ó ÍÁÄ Û× ¬Ö×Ø Ö× ÛÒ Ø Û× ÖÕÙÖ ØÓ ÚÐÓÔ ÍÁ Ð ÑÓ ÙÐ Ó Ò ÒØÖØÚ ÔÔÐØÓÒ ÖØÖ ØÒ ÑÖÐÝ ×Ö× Ó ÐÒ× Ó ×º ÌÒ¸ Ø× ××Ù Û× ÖÒÓÖ ÛÒ Ø ×Ö ÔÔ Ö× ØÓ ÑÓ Ð ÍÁ Ý×ØÓ ×Ô ¬ØÓÒ× ×Ó ×
    [Show full text]
  • Visual Validation of SSL Certificates in the Mozilla Browser Using Hash Images
    CS Senior Honors Thesis: Visual Validation of SSL Certificates in the Mozilla Browser using Hash Images Hongxian Evelyn Tay [email protected] School of Computer Science Carnegie Mellon University Advisor: Professor Adrian Perrig Electrical & Computer Engineering Engineering & Public Policy School of Computer Science Carnegie Mellon University Monday, May 03, 2004 Abstract Many internet transactions nowadays require some form of authentication from the server for security purposes. Most browsers are presented with a certificate coming from the other end of the connection, which is then validated against root certificates installed in the browser, thus establishing the server identity in a secure connection. However, an adversary can install his own root certificate in the browser and fool the client into thinking that he is connected to the correct server. Unless the client checks the certificate public key or fingerprint, he would never know if he is connected to a malicious server. These alphanumeric strings are hard to read and verify against, so most people do not take extra precautions to check. My thesis is to implement an additional process in server authentication on a browser, using human recognizable images. The process, Hash Visualization, produces unique images that are easily distinguishable and validated. Using a hash algorithm, a unique image is generated using the fingerprint of the certificate. Images are easily recognizable and the user can identify the unique image normally seen during a secure AND accurate connection. By making a visual comparison, the origin of the root certificate is known. 1. Introduction: The Problem 1.1 SSL Security The SSL (Secure Sockets Layer) Protocol has improved the state of web security in many Internet transactions, but its complexity and neglect of human factors has exposed several loopholes in security systems that use it.
    [Show full text]
  • Communication Science to the Public
    David M. Berube North Carolina State University ▪ HOW WE COMMUNICATE. In The Age of American Unreason, Jacoby posited that it trickled down from the top, fueled by faux-populist politicians striving to make themselves sound approachable rather than smart. (Jacoby, 2008). EX: The average length of a sound bite by a presidential candidate in 1968 was 42.3 seconds. Two decades later, it was 9.8 seconds. Today, it’s just a touch over seven seconds and well on its way to being supplanted by 140/280- character Twitter bursts. ▪ DATA FRAMING. ▪ When asked if they truly believe what scientists tell them, NEW ANTI- only 36 percent of respondents said yes. Just 12 percent expressed strong confidence in the press to accurately INTELLECTUALISM: report scientific findings. ▪ ROLE OF THE PUBLIC. A study by two Princeton University researchers, Martin TRENDS Gilens and Benjamin Page, released Fall 2014, tracked 1,800 U.S. policy changes between 1981 and 2002, and compared the outcome with the expressed preferences of median- income Americans, the affluent, business interests and powerful lobbies. They concluded that average citizens “have little or no independent influence” on policy in the U.S., while the rich and their hired mouthpieces routinely get their way. “The majority does not rule,” they wrote. ▪ Anti-intellectualism and suspicion (trends). ▪ Trump world – outsiders/insiders. ▪ Erasing/re-writing history – damnatio memoriae. ▪ False news. ▪ Infoxication (CC) and infobesity. ▪ Aggregators and managed reality. ▪ Affirmation and confirmation bias. ▪ Negotiating reality. ▪ New tribalism is mostly ideational not political. ▪ Unspoken – guns, birth control, sexual harassment, race… “The amount of technical information is doubling every two years.
    [Show full text]
  • Computer-Supported Cooperative Work: History and Focus
    Computer-Supported Cooperative Work: Historv and Focus d Jonathan Grudin, University of California, Irvine en years ago, hen Greif of MIT and Paul Cashman of Digital Equipment Corporation organized a workshop that had far-reaching effects. Twenty people from different fields -but with a shared interest in how people work -gathered to explore technology’s role in the work environment and coined the term “computer-supported cooperative work” to describe it. Since then, thousands of researchers and developers have responded to this ini- tiative. Although the first CSCW conferences were held in the United States, the topic was picked up immediately in Europe and Asia, where related work and seri- ous interest already existed. This article describes the people and the work found under the CSCW umbrella. Why i984? An earlier approach to group support, called “office automation,” had run out of steam by 1984. OA’s primary problem was not technical, although technical chal- lenges certainly existed; it was in understanding system requirements. In the mid- CSCW and groupware 1960s, tasks such as filling seats on airplane flights or printing payroll checks had emerged in the 1980s been translated into requirements that resulted (with some trial and error) in suc- cessful mainframe systems. In the mid-l970s, minicomputers promised to support from shared interests groups and organizations in more sophisticated, interactive ways, and OA was born. OA tried to extend and integrate single-user applications, such as word processors and among product spreadsheets, to support groups and departments. But what were the precise re- developers and quirements for such systems? Building technology was not enough.
    [Show full text]
  • Social Computing-Driven Activism in Youth Empowerment Organizations: Challenges and Opportunities Farnaz Irannejad Bisafar1, Lina Itzel Martinez2, Andrea G
    Social Computing-Driven Activism in Youth Empowerment Organizations: Challenges and Opportunities Farnaz Irannejad Bisafar1, Lina Itzel Martinez2, Andrea G. Parker1,2 1College of Computer and Information Science 2Bouvé College of Health Sciences Northeastern University 360 Huntington Ave. Boston, MA 02115 Boston, United States [email protected], [email protected], [email protected] ABSTRACT significantly higher rates of health problems (e.g., diabetes) Throughout the world, organizations empower youth to than more affluent communities [17,29,44]. Previous work participate in civic engagement to impact social change, has examined how youth-led activism can be effective in and adult-youth collaborations are instrumental to the addressing these challenges and affecting social change success of such initiatives. However, little is known about [9,47]. In fact, throughout the world, many organizations how technology supports this activism work, despite the have created youth-led programs with the goals of solving fact that tools such as Social Networking Applications community problems and empowering youth to educate (SNAs) are increasingly being leveraged in such contexts. their peers about issues of concern [33]. These We report results from a qualitative study of SNA use organizations provide youth with resources needed to run within a youth empowerment organization. Using the social action initiatives (e.g., support for collective analytical lens of object-oriented publics, our findings organizing). As adult staff work together with youth, they reveal opportunities and challenges that youth and staff face create an environment that nurtures youth’s confidence that when they use SNAs. We describe the illegibility of youth they can take on social problems.
    [Show full text]
  • More Than Writing Text: Multiplicity in Collaborative Academic Writing
    More Than Writing Text: Multiplicity in Collaborative Academic Writing Ida Larsen-Ledet Ph.D. Thesis Department of Computer Science Aarhus University Denmark More Than Writing Text: Multiplicity in Collaborative Academic Writing A Thesis Presented to the Faculty of Natural Sciences of Aarhus University in Partial Fulfillment of the Requirements for the Ph.D. Degree. by Ida Larsen-Ledet November 2, 2020 Abstract This thesis explores collaborative academic writing with a focus on how it is medi- ated by multiple technologies. The thesis presents findings from two empirical stud- ies with university students and researchers: The first combined semi-structured interviews with visualizations of document editing activity to explore transitions through co-writers’ artifact ecologies along with co-writers’ motivations for per- forming these transitions. The second study was a three-stage co-design workshop series that progressed from dialog through ideation to exploration of a prototype for a shared editor that was based on the participants’ proposed features and designs. The contribution from the second study to this thesis is the analysis of participants’ viewpoints and ideas. The analyses of these findings contribute a characterization of co-writers’ practical and social motivations for using multiple tools in their collaborations, and the chal- lenges this poses for sharing and adressing the work. Multiplicity is also addressed in terms of co-writers bringing multiple and diverse needs and preferences into the writing, and how these may be approached in efforts to design and improve support for collaborative writing. Additionally, the notion of text function is introduced to describe the text’s role as a mediator of the writing.
    [Show full text]
  • Infographic I.10
    The Digital Health Revolution: Leaving No One Behind The global AI in healthcare market is growing fast, with an expected increase from $4.9 billion in 2020 to $45.2 billion by 2026. There are new solutions introduced every day that address all areas: from clinical care and diagnosis, to remote patient monitoring to EHR support, and beyond. But, AI is still relatively new to the industry, and it can be difficult to determine which solutions can actually make a difference in care delivery and business operations. 59 Jan 2021 % of Americans believe returning Jan-June 2019 to pre-coronavirus life poses a risk to health and well being. 11 41 % % ...expect it will take at least 6 The pandemic has greatly increased the 65 months before things get number of US adults reporting depression % back to normal (updated April and/or anxiety.5 2021).4 Up to of consumers now interested in telehealth going forward. $250B 76 57% of providers view telehealth more of current US healthcare spend % favorably than they did before COVID-19.7 could potentially be virtualized.6 The dramatic increase in of Medicare primary care visits the conducted through 90% $3.5T telehealth has shown longevity, with rates in annual U.S. health expenditures are for people with chronic and mental health conditions. since April 2020 0.1 43.5 leveling off % % Most of these can be prevented by simple around 30%.8 lifestyle changes and regular health screenings9 Feb. 2020 Apr. 2020 OCCAM’S RAZOR • CONJUNCTION FALLACY • DELMORE EFFECT • LAW OF TRIVIALITY • COGNITIVE FLUENCY • BELIEF BIAS • INFORMATION BIAS Digital health ecosystems are transforming• AMBIGUITY BIAS • STATUS medicineQUO BIAS • SOCIAL COMPARISONfrom BIASa rea• DECOYctive EFFECT • REACTANCEdiscipline, • REVERSE PSYCHOLOGY • SYSTEM JUSTIFICATION • BACKFIRE EFFECT • ENDOWMENT EFFECT • PROCESSING DIFFICULTY EFFECT • PSEUDOCERTAINTY EFFECT • DISPOSITION becoming precise, preventive,EFFECT • ZERO-RISK personalized, BIAS • UNIT BIAS • IKEA EFFECT and • LOSS AVERSION participatory.
    [Show full text]
  • Organizational Search in Email Systems Sruthi Bhushan Pitla Western Kentucky University, [email protected]
    Western Kentucky University TopSCHOLAR® Masters Theses & Specialist Projects Graduate School 5-2012 Organizational Search in Email Systems Sruthi Bhushan Pitla Western Kentucky University, [email protected] Follow this and additional works at: http://digitalcommons.wku.edu/theses Part of the Databases and Information Systems Commons Recommended Citation Pitla, Sruthi Bhushan, "Organizational Search in Email Systems" (2012). Masters Theses & Specialist Projects. Paper 1161. http://digitalcommons.wku.edu/theses/1161 This Thesis is brought to you for free and open access by TopSCHOLAR®. It has been accepted for inclusion in Masters Theses & Specialist Projects by an authorized administrator of TopSCHOLAR®. For more information, please contact [email protected]. ORGANIZATIONAL SEARCH IN EMAIL SYSTEMS A Thesis Presented to The Faculty of the Department of Mathematics and Computer Science Western Kentucky University Bowling Green, Kentucky In Partial Fulfillment Of the Requirements for the Degree Master of Science By Sruthi Bhushan Pitla May 2012 ACKNOWLEDGMENTS It was a great pleasure working under my graduate advisor, Dr. Guangming Xing, who provided me with everything I need to succeed. His inspiration and guidance at each and every step made this Master of Science degree so rewarding and satisfactory. He always encouraged my work in every possible way and also gave me the freedom to express and implement my ideas without any restrictions. I feel very fortunate and proud to have been his student and really think the experience which I gained working under him is invaluable. I would like to whole heartedly thank Dr. Xing for the immense trust and patience he has over me.
    [Show full text]