Usability of Security Administration vs. Usability of End-user Security

Having recently received increasing attention, usable security is implicitly all about the end user who employs a computer system to accomplish security-unrelated business or personal goals. However, there is another aspect to usable security. Security administrators have to deal with the order of magnitude more difficult problem of administering large-scale complex enterprise systems, where an error could cost a fortune. Is the notion of usable security for end-users and security administrators the same? What are the differences in the background, training, goals, constraints, and tools between the administrators and end-users? How do these differences affect the (perception of) usability of the protection mechanisms and other security tools? Can the approaches to improving the security usability for end-users be directly applied to the domain of security administration, and vice versa? With some of the modern-day systems, where users are largely responsible for their own security self-administration, where is the boundary between the end-users and administrators? Can it be defined precisely or is it blurred? Panelists: Konstantin Beznosov, University of British Columbia (moderator) Mary Ellen Zurko, IBM Steve Chan, Lawrence Berkeley National Laboratory and School of Information Management and Systems at UC Berkeley Greg Conti, United States Military Academy