
QuoteRef: yeeKP12_2002


Group: security
Topic: efficiency
Topic: tools
Topic: ease of use
Topic: consciousness
Topic: models of reality
Topic: mental models, consistency, and interface metaphors
Topic: security by access rights
Topic: unique names
Topic: understanding systems

Reference

Yee, K.P., "User interaction design for secure systems", in Deng, R., Qing, S., Bao, F., Zhou, J. (ed.), Information and Communications Security. 4th International Conference, ICICS 2002, Singapore, December 2002, Springer, LNCS 2513, pp. 278-290, http://zesty.ca/sid.

Quotations
278 ;;Quote: security depends on the user perspective, whatever the user wants; e.g., deleting files is often OK
279 ;;Quote: security and usability should be complementary; both want computers to correctly do what users want
281 ;;Quote: efficiency and safety of real world actions are often difficult to discern; must be learned; tools can help
281 ;;Quote: path of least resistance--default settings are secure, avoid accidents, make security easy
282 ;;Quote: physical, design, and intentional stance; simple objects predicted by physical laws, designed objects modelled by their purpose, other people modelled by beliefs and intentions
283 ;;Quote: a system is secure for a user if it only does what the user believes it can do
283 ;;Quote: users build a model of a system by interacting with the system, not by talking with the designer
284 ;;Quote: define security boundaries that matter to the user, with different security policies
285 ;;Quote: users should explicitly authorize all unexpected behavior; things can't become unsafe by themselves
285 ;;Quote: selecting a file grants a program authority to open the file for reading
286 ;;Quote: a user should know that things are safe by knowing how each actor is limited; visible authorities
286+;;Quote: view the actor-ability state in terms of granting actions
286 ;;Quote: revoke authorities to keep the actor-ability state manageable
287 ;;Quote: users should know their abilities within a security system; e.g., granting an authority that can not be revoked
287 ;;Quote: users require a trusted path to the security manager; e.g., ctrl-alt-del
287 ;;Quote: users must securely identify objects and actions; if not, an untrusted program can spoof a trusted one
287+;;Quote: identification requires continuity of identity and discrimination of distinct items
288 ;;Quote: need expressive language for setting security policy and understanding the consequences of security-related decisions

Related Topics

Group: security   (23 topics, 874 quotes)
Topic: efficiency (96 items)
Topic: tools (20 items)
Topic: ease of use (47 items)
Topic: consciousness (58 items)
Topic: models of reality (33 items)
Topic: mental models, consistency, and interface metaphors (49 items)
Topic: security by access rights (38 items)
Topic: unique names (58 items)
Topic: understanding systems (48 items)

Collected barberCB 10/04
Copyright © 2002-2008 by C. Bradford Barber. All rights reserved.
Thesa is a trademark of C. Bradford Barber.