Abstract
Security policy management is a difficult and security-critical task. We have evaluated Java's policytool with a usability study to see how well it can support users in setting up an appropriate security policy. The Java policytool is a graphical user interface tool integrated into Sun Microsystem Inc.'s Java 5.0 distribution for setting up security policies that can enable e.g. applets with more permissions than the default sandbox. Results show that policytool is in line with other security tools, namely usability is poor. Policytool provides a certain degree of syntax help to novice users but it does not help with semantics, does not cater to expert users and actually does promote the accidental set-up of too lenient a policy. We show specific usability problems in policytool, comment on the differences in the policy files created by our study users, explore ways of solving the error-prone task of setting up a Java policy and relate this to the general subject of usability of security tools.

URL:
http://rewerse.net/publications/rewerse-publications.html#REWERSE-RP-2006-021

BibTeX:

@inproceedings{REWERSE-RP-2006-021,
	author = {Almut Herzog and Nahid Shahmehri},
	title = {A Usability Study of Security Policy Management},
	booktitle = {Proceedings of 21st IFIP TC-11 International Information Security Conference, Karlstad, Sweden (22nd--24th May 2006)},
	year = {2006},
	volume = {201},
	organization = {IFIP TC-11},
	series = {IFIP},
	pages = {296--306},
	url = {http://rewerse.net/publications/rewerse-publications.html#REWERSE-RP-2006-021}
}