International Conference on Dependable Systems & Networks: Yokohama, Japan, 28 June - 01 July 2005

User Interface Dependability through Goal-Error Prevention

Robert W. Reeder and Roy A. Maxion
Dependable Systems Laboratory, Computer Science Department, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213 / USA

0-7695-2282-3/05 $20.00 © 2005 IEEE

Abstract

User interfaces form a critical coupling between humans and computers. When the interface fails, the user fails, and the mission is lost. For example, in computer security applications, human-made configuration errors can expose entire systems to various forms of attack.

To avoid interaction failures, a dependable user interface must facilitate the speedy and accurate completion of user tasks. Defects in the interface cause user errors (e.g., goal, plan, action and perception errors), which impinge on speed and accuracy goals, and can lead to mission failure.

One source of user error is poor information representation in the interface. This can cause users to commit a specific class of errors – goal errors. A design principle (anchor-based subgoaling) for mitigating this cause was formulated. The principle was evaluated in the domain of setting Windows file permissions. The native Windows XP file permissions interface, which did not support anchor-based subgoaling, was compared to an alternative, called Salmon, which did. In an experiment with 24 users, Salmon achieved as much as a four-fold increase in accuracy for a representative task and a 94% reduction in the number of goal errors committed, compared to the XP interface.

1 Introduction

One locus of vulnerability in a computer system is the user interface. Undependable interfaces are those that do not meet their specifications in terms of the speed and accuracy with which users should complete tasks. One reason why some user interfaces fail to meet their speed and accuracy specifications is human error. Researchers have long recognized that human error has causes and manifestations similar across all domains of human endeavor, from aviation, to power plant operation, to making a cup of tea [13, 15, 17, 21]. In the domain of software user interfaces, human error leads people off the path of correctly completing a task and on to lengthy delays or partial or total task failure. Thus, it is imperative for interface designers to understand the common types and causes of human error and the ways in which they may be prevented. When interfaces are designed to eliminate the conditions that lead humans to make mistakes, interfaces will be more dependable.

One domain in which user interface accuracy is critically important is computer security. Inaccurate security settings can have a high cost – they can make sensitive data vulnerable, or they can leave an entire system open to attack. Adding to this cost, security problems have what Whitten and Tygar [20] have called the “barn door property” – once a system has had a vulnerability for any length of time, there may be no way to know if the vulnerability has been exploited, so the system will have to be considered compromised, whether it has been or not.

The present work investigates user interface dependability and human error in the security context of setting file permissions under Microsoft’s Windows XP operating system, which uses Microsoft’s NT file system (NTFS). A significant amount of anecdotal evidence suggests that setting NTFS file permissions is a particularly error-prone task. For example, there is the so-called “Memogate” scandal, in which staffers from one party on the United States Senate Judiciary Committee stole confidential memos from the opposing party [19]. The memos were stored on a shared NTFS server. The theft was possible in part because an inexperienced system administrator had failed to set permissions correctly on the shared server. As another example, a Windows network administrator at Carnegie Mellon University reports that many users want to share their files so they can access them both at work and at home; they accidentally make their private files accessible to all (several hundred) users on the network, because it is too confusing to set permissions as actually desired [18]. Finally, Microsoft publishes a list of “best practices” for NTFS security that advises users not to use several of the features of the NTFS permissions model, such as negative (i.e., DENY) permissions [10]. Use of these features “... could cause unexpected access problems or reduce security.” Providing access to features which are apparently problematic is bound to lead to errors.

As these anecdotes indicate, setting and checking permissions cannot always be left to expert system administrators – users in many environments need or want to take responsibility for protecting their own data. Nevertheless, setting file permissions is not an everyday task; it may need to be done only every few weeks or months. Thus, those setting file permissions will often not be expert system administrators – they will be novice or occasional users who, from time to time, want to restrict access to files or grant access to a limited number of associates. They will not readily remember arcane details about how to operate a permission-setting interface. The present work adopts the position that permission-setting interfaces should accommodate novice and occasional users.

This paper reports an investigation into, and a solution for, one type of human error encountered in permission-setting interfaces. An existing interface for setting NTFS permissions, the Windows XP File Permissions interface (hereafter abbreviated XPFP), was shown to have accuracy rates as low as 25% on permission-setting tasks. Errors made by users of the XPFP interface were identified and categorized into types according to an established human-error framework. Goal errors, the failures of users to understand what to do, were identified as the dominant type of error. A primary cause of goal errors was identified, namely a poor external representation of the information needed to complete the user’s root goal – a representation that is sometimes called an anchor (for concepts held in human memory). A design principle, anchor-based subgoaling, was proposed to reduce goal errors, and was implemented in a new interface, called Salmon, for setting NTFS file permissions. The design principle was evaluated in a laboratory user study comparing Salmon to XPFP. Salmon achieved a success rate of 100% on the task on which XPFP had achieved a 25% accuracy rate, and showed a 94% reduction in the number of goal errors users made on the same task.

2 Problem and approach

The objective of the present work is to understand the causes of user error in user interfaces generally, and in XPFP in particular, and to determine what can be done to mitigate or eliminate them. It is a further objective to find a design principle that can be applied to new generations of user interfaces so that the same user errors are not encountered again and again in future user interfaces.

Specifically, information that was necessary to complete tasks accurately was hidden or was entirely missing from the interface. Cognitive theory suggests that without ready access to necessary information, users are likely to commit goal errors (see Section 5.1). A solution was proposed to reduce the occurrence of goal errors. This solution, called anchor-based subgoaling, led to the following hypothesis:

Use of anchor-based subgoaling in user interface design reduces the likelihood that users will commit goal errors, and task accuracy rates should improve when goal errors are reduced.

This hypothesis was tested by implementing an interface, Salmon, designed in accordance with the anchor-based subgoaling procedure, and by conducting a laboratory user study comparing the XPFP interface to Salmon. Task success rates and goal-error occurrences were compared between XPFP and Salmon to determine whether anchor-based subgoaling as implemented in Salmon was an effective means of improving successful task completion and reducing goal errors.

3 Related work

File permissions are an instance of the broader area of access control, in which several authors have published related work. Those who have evaluated interfaces for setting file access include Good and Krekelberg [7], Long et al. [9] and Zurko et al. [24]. Zurko et al. conducted a user study on the Visual Policy Builder, a graphical user interface for specifying access control policies for their Adage system. Good and Krekelberg showed that the Kazaa peer-to-peer file-sharing service’s interface misled many users into unintentionally sharing confidential files. Long et al. evaluated a preliminary, paper-based interface for limiting applications’ access to system resources. While these three interface evaluations were interesting in their specific task domains, none appear to lead to any conclusion about design principles for security interfaces in a larger context.

Other work in usable access control in various domains includes Balfanz [2], Sampemane et al. [16], and Dewan and Shen [5]. With the exception of the Adage project and Long et al., work in this area involves outlining access control models, not evaluating access control interfaces, as the present work sets out to do.

In the broader human-computer interaction and security literature (an emerging field known as HCISEC), those who have proposed principles for better security interface design include Whitten and Tygar [20], Adams and Sasse [1], Besnard and Arief [3], Zurko and Simon [25], and Yee [23]. These authors propose ideas for making security tasks eas-