Integrating a Usable Security Protocol into User Authentication Services Design Process, First Edition (Braz)

The document discusses the integration of usable security protocols into user authentication services, emphasizing the importance of balancing usability and security. It outlines various user authentication techniques, their usability concerns, and methodologies for developing effective security protocols. The book serves as a comprehensive guide for designing user-friendly authentication systems while maintaining robust security measures.

Integrating a Usable
Security Protocol into User
Authentication Services
Design Process

By
Christina Braz
Ahmed Seffah
Bilal Naqvi
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2019 by Taylor & Francis Group, LLC


CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

International Standard Book Number-13: 978-1-138-57768-8 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have
been made to publish reliable data and information, but the author and publisher cannot assume responsibility for
the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the
copyright holders of all material reproduced in this publication and apologize to copyright holders if permission
to publish in this form has not been obtained. If any copyright material has not been acknowledged please write
and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted,
or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including
photocopying, microfilming, and recording, or in any information storage or retrieval system, without written
permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com
(http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive,
Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration
for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system
of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only
for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com
Contents

Why this Book? ..... xi
Acknowledgments ..... xv
1 Usability and Security: Conflicts and Interdependencies ..... 1
1.1 Introduction ..... 1
1.1.1 The Interplay between Usability and Security as Key Quality Factors ..... 5
1.1.2 Background ..... 6
1.1.2.1 How Security Engineers Addressed Usability/HCI Concerns? ..... 6
1.1.2.2 The Lack of Deep Usability/HCI Studies on Security in the HCI Community ..... 7
1.1.3 Objectives and Practical Outcomes of Usable Security Research ..... 8
1.1.4 Assumptions and Hypotheses Concerning Usable Security Research ..... 10
1.1.5 Progress beyond the State-of-the-Art ..... 11
1.1.5.1 Service-Oriented and Model-Driven Engineering ..... 11
1.1.5.2 User-Experience-Driven Design ..... 13
1.1.5.3 Metrics-Based Usability and Security Evaluation ..... 15
1.1.5.4 Usable Secure Design Patterns and Pattern-Oriented Design ..... 18
2 Panoramic Overview of User Authentication Techniques ..... 21
2.1 The Context of Authentication in Computer Security ..... 22
2.2 User Authentication Market ..... 23
2.3 User Authentication Use Cases ..... 26
2.3.1 Endpoint Access ..... 26
2.3.2 Workforce Local Access ..... 26
2.3.3 Workforce Remote Access ..... 26
2.3.4 External Users’ Remote Access ..... 27
2.4 Elements of User Authentication ..... 27
2.5 Architectural Design Patterns in Authentication ..... 28
2.6 Authentication Factors ..... 29
2.7 User Authentication Methods ..... 32
2.7.1 Passwords and Personal Identification Numbers (PINs) ..... 32
2.7.2 Security Questions ..... 34
2.7.3 Authentication (Security) Tokens ..... 35
2.7.3.1 Disconnected Tokens ..... 36
2.7.3.2 Connected Tokens ..... 43
2.7.4 Digest Access Authentication ..... 45
2.7.5 Out-of-Band Authentication (OOBA) ..... 46
2.7.6 Risk-Based Authentication (RBA) ..... 48
2.7.7 Public Key Authentication ..... 48
2.7.7.1 Encryption ..... 51
2.7.7.2 Digital Signatures ..... 51
2.7.8 Single Sign-On (SSO) ..... 51
2.7.9 Biometrics ..... 52
2.7.9.1 How Does the Biometric Authentication Process Work? ..... 53
2.7.9.2 Unimodal and Multimodal Biometrics Systems ..... 55
2.7.9.3 Fingerprint Recognition ..... 57
2.7.9.4 Optical Recognition ..... 59
2.7.9.5 Facial Recognition ..... 59
2.7.9.6 Voice Recognition ..... 59
2.7.9.7 Signature Recognition ..... 60
2.7.9.8 Keystroke Recognition ..... 62
2.7.9.9 Advanced User Authentication Methods ..... 62
2.7.10 Kerberos ..... 67
3 Usable Security Concerns Related to Authentication Methods ..... 69
3.1 Usability Concerns with Knowledge-Based Authentication (KBA) ..... 70
3.1.1 Passwords ..... 70
3.1.2 Security Questions ..... 73
3.2 Usability Concerns with Single Sign-On ..... 74
3.3 Usability Concerns with CAPTCHAs ..... 74
3.4 Usability Concerns with Public Key Authentication ..... 74
3.5 Usability Concerns with Advanced Biometrics ..... 76
3.5.1 GlanceID ..... 76
3.5.2 Usability Concerns with Biometrics ..... 78
3.6 Comparative Analysis of User Authentication Methods ..... 79
4 Fundamentals of the Usable Security Protocol for User Authentication ..... 85
Summary ..... 85
4.1 Introduction ..... 85
4.2 The Goals, Operators, Methods, and Selection Rules (GOMS) Model ..... 86
4.2.1 GOMS: A Method for Cognitive Task Analysis ..... 87
4.2.2 How to Develop a GOMS Model ..... 89
4.2.2.1 Identify User’s Goals ..... 89
4.2.2.2 Define Methods ..... 90
4.2.2.3 Define Operators ..... 90
4.2.2.4 Selection Rules ..... 91
4.2.3 Natural GOMS Language (NGOMSL) ..... 92
4.2.3.1 Cognitive Complexity Theory ..... 93
4.2.3.2 NGOMSL Steps Development Process ..... 95
4.2.4 Learning Time Predictions ..... 95
4.2.5 Execution Time Predictions ..... 97
4.2.6 NGOMSL Methodology ..... 97
4.2.7 GOMS Limitations ..... 98
4.3 Usability Evaluation Methods ..... 98
4.3.1 General Usability Principles (“Heuristics”) for User Interface Design ..... 99
4.3.2 Cognitive Walkthrough ..... 102
4.3.3 GOMS Model ..... 103
4.3.4 Additional User Research and Usability Evaluation Methods ..... 105
4.4 Usable Security Principles and Guidelines ..... 106
4.4.1 Computer Security Design Principles ..... 107
4.4.2 Design Guidelines for Security Management Systems ..... 109
4.4.3 Guidelines and Strategies for Secure Interaction Design ..... 111
4.4.4 Design Principles and Patterns for Aligning Security and Usability ..... 112
4.4.5 Criteria for Security Software to be Usable ..... 113
4.4.6 Additional Criteria for Security Software to Be Usable ..... 114
4.4.7 General Security Usability Principles (Identity Management) ..... 114
5 The Usable Security Protocol Methodology: Define, Identify, and Develop ..... 117
Summary ..... 117
5.1 Methodology and Architecture ..... 117
5.2 Define the Mission and the Conceptual Design Objective ..... 120
5.2.1 Formalize a Usable Security Definition ..... 120
5.2.2 Define Task Scenario, Usability Scenario, and Security Scenario ..... 120
5.2.2.1 Types of Scenarios ..... 120
5.2.3 Identify Users and Working Contexts ..... 122
5.3 Identify the Most Representative User Authentication Methods Categories ..... 123
5.3.1 Understand the User Authentication Method ..... 123
5.3.2 Carry out a Classification Analysis ..... 123
5.3.3 Comparative Analysis of User Authentication Methods ..... 124
5.3.4 Select the Most Representative User Authentication Methods and Their Categories ..... 124
5.4 Develop the Natural GOMS Language (NGOMSL) ..... 124
5.4.1 Classify and Prioritize the Cognitive Processes Generated by the NGOMSL Model ..... 125
5.4.1.1 Standard Primitive External Operators ..... 125
5.4.1.2 Standard Primitive Mental Operators ..... 125
5.4.1.3 Analyst-Defined Mental Operators ..... 126
5.4.2 Understand the Total Execution Time and Total Learning Time ..... 127
5.4.2.1 The Total Execution Time ..... 127
5.4.2.2 The Total Learning Time ..... 128
5.4.2.3 Example of TET and TLT ..... 130
5.4.3 Calculate Total Execution Time and Total Learning Time for Tasks Scenarios ..... 132
5.4.3.1 TASK: Check Business Email ..... 132
5.4.3.2 TASK: Update the SecurID Token User Interface Specification ..... 136
5.4.3.3 TASK: Make an Electronic Funds Transfer ..... 142
5.4.3.4 TASK: Access a File on a Personal Laptop ..... 150
5.4.4 Time-Level Analysis of NGOMSL ..... 153
5.5 A Concluding Remark ..... 155
6 The Usable Security Protocol Methodology: Assess and Generate ..... 157
6.1 Develop the Authentication Risk-Assessment Matrix ..... 157
6.1.1 Common Security Exploits Method ..... 165
6.2 Generate the Usable Security Principles ..... 172
6.2.1 Introduce Cognitive Ergonomics ..... 175
6.2.1.1 Methods ..... 177
6.2.1.2 The Cognitive Approach ..... 177
6.2.2 Identify and Explain the Main Cognitive Areas of Focus Relating to User Authentication ..... 178
6.2.2.1 Perception ..... 178
6.2.2.2 Memory ..... 179
6.2.2.3 Storage ..... 180
6.2.2.4 Information Retrieval ..... 184
6.2.2.5 Password Memorability Issues ..... 186
6.2.2.6 Mental Models ..... 189
6.2.3 Develop the Cognitive Model of User Authentication (CMUA) ..... 191
6.2.3.1 Why Use a Cognitive Architecture? ..... 191
6.2.3.2 GLEAN3 (GOMS Language Evaluation and Analysis) ..... 192
6.2.3.3 SOAR (State Operator and Result) Cognitive Architecture ..... 193
6.2.3.4 Cognitive Model of User Authentication (CMUA) Cognitive Architecture ..... 195
6.2.4 Define the Usable Security Principles and Develop a Cross-Cognitive Analysis ..... 200
7 The Usable Security Protocol Methodology: Formulate ..... 205
7.1 Formulate the Usable Security Symmetry ..... 205
7.1.1 Security as a Usability Characteristic ..... 206
7.1.2 Usability Factors and Usability Criteria Mapping ..... 208
7.1.2.1 User Authentication Use Cases ..... 210
7.1.2.2 Demonstrating the Usable Security Symmetry Inspection Method using a Multifunction Teller Machine ..... 210
7.1.2.3 The Usable Security Symmetry Inspection Method ..... 224
7.2 Conclusion ..... 287
8 The Usable Security Protocol Methodology: Demonstrate ..... 291
8.1 Introduction ..... 291
8.1.1 The Demonstration of One-Time Password Authentication ..... 292
8.1.1.1 Wireless Local Area Network (WLAN) ..... 292
8.1.1.2 Hardware Token With OTP Functionality ..... 293
8.1.1.3 Personal Identification Number (PIN) ..... 294
8.1.1.4 Tokencode ..... 295
8.1.2 How the OTP Demonstration Works ..... 295
8.1.3 One-Time Password Usability Testing ..... 299
8.1.3.1 Terms and Definitions ..... 299
8.1.3.2 Objectives Of The OTP Usability Testing ..... 300
8.1.3.3 Testing Tools ..... 301
8.1.3.4 Testing Session ..... 301
8.1.3.5 Testing Methods: Participant Tasks ..... 301
8.1.4 Data Results ..... 302
8.1.5 Findings Summary ..... 303
8.2 One-Time Password Usability Issues: Discussion ..... 303
8.2.1 Convenient Form Factor ..... 303
8.2.2 Reliable Authentication Solution ..... 304
8.2.2.1 Usability Criterion: Minimal Action ..... 305
8.2.2.2 Usability Criterion: Minimal Memory Load ..... 306
8.2.2.3 Usability Criterion: Resource Safety ..... 306
8.2.2.4 Usability Criterion: Load Time ..... 306
8.2.2.5 Usability Criterion: Operability ..... 306
8.2.2.6 Usability Criterion: Security ..... 307
Appendix 1: Authentication Risk-Assessment Matrix ..... 309
Appendix 2: Usability Severity Ratings and Recommendations for MTM ..... 321
Appendix 3: Security Severity Ratings and Recommendations for MTM ..... 347
Additional Reading ..... 365
References ..... 367
Index ..... 383
Why this Book?

Most often, security technology and service development don’t do user research. We often hear people say things like: “The most important issue is the powerfulness of the technology to secure systems and information.” Or: “Usability research limits or is wasting time.” And: “It’s not even necessary because the developers are themselves part of the community of users and thus instinctively empathetic to what those other users find useful or usable.”

You, clearly, think otherwise. You think it’s important to know who is using the products you’re making. And, you know, you’re right. Finding out who your customers are, what they want, and what they need is the start of figuring out how to give it to them. Your customers are not you. They don’t look like you, they don’t think like you, they don’t do the things that you do, and they don’t share your expectations, assumptions, and aspirations. If they did, they wouldn’t be your customers; they’d be your competitors.

This book is designed to help you bridge the gap between what you think you know about your users and who they really are. It’s not an academic treatise. It’s a toolbox of concepts to understand how people experience products and services. The techniques – taken from the worlds of human–computer interaction, marketing, and many of the social sciences – help you know who your users are, to walk in their shoes for a bit.

In addition, the book is about the business of creating usable products. It acknowledges that product development exists within the complexities of a business venture, where the push and pull of real-world constraints do not always allow for an ideal solution. User research is a dirty business, full of complexities, uncertainties, and politics. This book will, if it serves its purpose, help you take some of that chaos. It will help you gain some clarity and insight into how to make the world a little better by making products and services more thoughtfully.

Who Are You?

This book was written for people who are responsible, in some way, for their products’ user experience. In today’s digital product and service development world, this could be any number of people in the trenches. In fact, the responsibility may shift from person to person as a project progresses. Basically, if you’ve ever found yourself in a position where you are answering for how the end users are going to see the thing you’re making, or how they’re going to interact with it – or even what they’re supposed to do with it – this book is for you.
This means that you could be:

◾ A program manager who wants to know how to prioritize a team’s efforts
◾ A designer who needs to create and refine new ways to interact with and through digital information
◾ A marketing manager who wants to know what people find most valuable in your products
◾ An information architect who needs to pick an organizational scheme
◾ A programmer creating a user interface, trying to interpret an ambiguous spec
◾ A consultant trying to make your clients’ products better
◾ An inventor who wants to make a product people will use

Regardless of your title, you’re someone who wants to know how the people who use the product you’re making perceive it, what they expect from it, what they need from it, and whether they can use what you’ve made for them.

What’s in This Book?

This book is divided into three major sections. The first section (Chapters 1 through 3) describes why end user research is good, how business tensions tug at the user experience, and presents the state-of-the-art of user authentication methods.

The second section (Chapters 4 through 6) presents a philosophy for creating useful, desirable, usable, and successful products. It also contains a short chapter on a technique that will teach you in 15 minutes everything you need to know to start doing usability research tomorrow. Really. It is also a cookbook with a dozen techniques for understanding people’s needs, desires, and abilities. Some of the chapters are completely self-contained, such as the chapters on surveys and usability tests. Others describe supplementary activities, such as collage and map making, to use in conjunction with other techniques. We don’t expect you to read these chapters in one sitting, in order. Far from it! We assume that you will pick up the book when you need it, reading chapters to answer specific questions.

The third section (Chapters 7 and 8) describes how to take your results and use them to change how your company works. It gives you ideas about how to sell your company. Best practices in research change quickly, as do preferred tools. We have moved much of the reference material in the previous edition to the book’s website.
What’s Not in This Book?

This book is, first and foremost, about defining problems. All the techniques are geared toward getting a better understanding of people and their problems. It’s not about how to solve those problems. Sure, sometimes a good problem definition makes the solution obvious, but that’s not the primary goal of this text.

We strongly believe that there are no hard and fast rules about what is right and what is wrong when designing experiences. Every product exists within a different context that defines what is “right” for it. A toy for preschoolers has a different set of constraints than a stock portfolio management application. Attempting to apply the same rules to both of them is absurd. That is why there are no guides for how to solve the problems that these techniques help you to define. There are no “top-10” lists, there are no “laws,” and there are no universally reliable heuristics. Many excellent books have good ideas about how to solve interaction problems and astute compilations of solutions that are right much of the time, but this book isn’t one of them.
Acknowledgments

We’d like to thank the companies who provided material, some previously unpublished, for case studies: Adaptive Path, Food on the Table, Get Satisfaction, Gotomedia, Lextant, MENA, Design Research, PayPal, Portigal Consulting, User Insight, and Users Know. We would especially like to thank our reviewers: Todd Harple, Cyd Harrell, Tikva Morowati, and Wendy Owen. We’d also like to thank the people who have generously given us advice and help, including Elizabeth Churchill and Steve Portigal.

And, of course, our families, who put up with us throughout the very long writing and revision process.
Chapter 1

Usability and Security:


Conflicts and
Interdependencies

1.1 Introduction
In many software products, systems, and services, human users are a critical part of
the security process; for example, they create and use passwords, follow or have to
follow security protocols, and share data that can impact a system’s security, both
positively and negatively. However, most often, many security concerns are designed
with little or no attention paid to the usability concerns or to the human user’s cog-
nitive abilities, user experiences, workflow, and tasks. As a result, people find ways
around the security obstacles that get in the way of their work.
It is increasingly being identified from both academic research as well as indus-
try practices that usability and security are intimately linked quality attributes. The
linkage between the two is mutually antagonistic or, in other words, conflicting.
Despite the increasing awareness and identification of conflicts between the two
attributes, the state-of-the-art is not well aligned due to many factors.
Firstly, the lack of commitment to usability in the early design stage has been
reported by several studies. As a matter of fact, Theofanos (2006) reported two
examples of software project failure due to usability problems. One example is a
$46 million computer system by the US General Services Administration (GSA)
regional offices in Denver and Philadelphia in 2004. The new system that was
designed to improve financial management was unnecessarily complicated to
use. For example, due to security concerns, instead of being able to save a file

1
2 ◾ Integrating a Usable Security Protocol

with a few clicks, employees were required to learn 15 steps. The second example
is a similar experience in a UK passport office. After installing a new system for
issuing passports, a backlog of passports started building up and it led to a delay
of up to three months to obtain a passport. The authors report that reasons for loss
of productivity included the large number of keystrokes and onscreen operations
required. Constantine and Lockwood (1999), in their seminal book Software for
Use, also provided several examples that highlighted a major problem with current
usability methods.
Secondly, software and user interface designs are developed in a haphazard way, based on tens to hundreds of imprecise and conflicting usability guidelines and heuristics, and thousands of design "tips or guesses", few of which are drawn from empirical evidence or formal proofs. Usability evaluation is not only performed late in the design process; it is also expensive and time-consuming, and its results are sometimes rough and qualitative. The refinements made to the original design are therefore highly contestable, and this makes designers reluctant to explore innovative but risky alternative designs. What is needed is a model that predicts how users will perceive the usability of a design in real life, giving designers immediate feedback on their early design concepts and the ability to compare design alternatives.
Thirdly, it has been reported that software technology alone will not solve all security problems. Human factors (usability first and foremost) play an important role in keeping systems secure, and security and privacy experts need to understand how people will interact with, use, and abuse the systems they develop.
The questions that arise are these. Can we, as software security developers and usability and user experience designers, predict the usability of security features from early design artifacts and models such as low-fidelity user interface prototypes, software architecture specifications, use cases, etc.? Can we define objective predictive measures to evaluate usability in the early software development stages? Can such usability predictions be correlated with the results of expert evaluations, whose criteria are often inconsistent and hard to understand for developers who have not been trained in human–computer interaction (HCI)?
The practical context of this book is the future Internet: the Internet of information and services, the Internet of things, the Internet of people and online communities, and the underlying cloud computing infrastructure. The Internet is becoming the integrated infrastructure that supports people in their everyday life and work, and companies in their everyday business. In this book, cloud computing is understood as a paradigm shift from traditional installable applications to web-based software, where applications live on the Web as services. They consist of data, code, and other resources that can be located anywhere in the world, on remote servers "in the cloud". Cloud computing is a step toward the future vision that computing will

be a utility similar to water, electricity or telephony (Buyya et al., 2009). We have adopted the National Institute of Standards and Technology definition of cloud-hosted applications, that is, its Software as a Service model (NIST, 2011):

The capability provided to the consumers, users, and stakeholders to use the
provider’s applications running on a cloud infrastructure. The applications
are accessible from various client devices through a thin client interface
such as a web browser (e.g. web-based email). The consumer does not man-
age or control the underlying cloud infrastructure including network, serv-
ers, operating systems, storage, or even individual application capabilities,
with the possible exception of limited user-specific application configuration
settings.

In the context of the future Internet, companies spend millions of dollars on security technology such as firewalls, encryption, and secure access devices, but most of the time they fail to address the weakest link in security engineering: the human experience and usability concerns. The front end of a service, as presented to the user, should be designed to suit the risk involved and to be as easy to use as possible. Applying too low a level of security may compromise the integrity of the company's process, while applying too high a level to a low-risk process makes it too hard to use and leads to low usability. As stated by Nagel et al. of Forrester (2008), the key criteria when assessing secure system features are ease of use, portability, cost, security, manageability, and cross-channel utility.
Figure 1.1 portrays the intimate cause–effect relationship between usability and security. One typical situation that illustrates this relationship is the user authentication service, one of the basic services incorporated in

Figure 1.1 The required trade-off between usability and security.



today’s Web and cloud platforms (citizen online services, e-commerce websites,
online community tools, etc.). Indeed, security and usability are both essential
in user authentication and the underlying identity management services. One of
the biggest challenges facing heterogeneous organizations is providing usable and
secure access, authentication (“who do you claim to be”), and authorization (“we
will grant you these rights”) of users to systems. Another particular concern in
authentication according to Cranor and Garfinkel (2005) is that authentication
technologies do not fail gracefully. Failing gracefully means that even if authentica-
tion fails (e.g. user forgets his/her username but gets the password right) the system
can give him/her partial access to the service or secure and fast support in getting
login data to a safe place.
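As an added illustration (not code from the book), the following Python sketch shows one way a login service can fail gracefully in the sense described above without letting the failure path leak whether a username exists or an account is locked: every failure returns the same response and the same recovery offer, recovery issues a single-use token over a simulated out-of-band channel, and redeeming the token yields only a limited credential-reset session rather than full access. The in-memory user store, the simulated channel, the session scopes and the scrypt parameters are assumptions made for illustration.

```python
"""Graceful login failure that does not become an oracle.

Added example, not code from the book. The in-memory user store, the
simulated out-of-band channel and the session scopes are assumptions made
for illustration; a real service would use a database, a slow password hash
such as Argon2, and e-mail or SMS delivery of the recovery link.
"""
import hashlib
import os
import secrets
import time
from dataclasses import dataclass

MAX_FAILURES = 5                      # failed attempts before the account is locked
TOKEN_TTL = 15 * 60                   # seconds a recovery token stays valid
_DUMMY_SALT = os.urandom(16)          # lets unknown usernames cost the same as real ones
_GENERIC_FAILURE = {
    "ok": False,
    "message": "Sign-in failed.",     # identical for unknown user, bad password, locked account
    "next": "recovery",               # the graceful path is offered on every failure
}


def _hash(password: str, salt: bytes) -> bytes:
    # Parameters are kept modest so the example runs quickly; raise them in production.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 12, r=8, p=1)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    contact: str          # where recovery links are sent
    failures: int = 0


class AuthService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.tokens: dict[str, tuple[str, float]] = {}   # token -> (username, expiry)
        self.outbox: list[tuple[str, str]] = []          # simulated out-of-band channel

    def register(self, username: str, password: str, contact: str) -> None:
        key = username.lower()
        salt = os.urandom(16)
        self.users[key] = User(key, salt, _hash(password, salt), contact)

    def login(self, username: str, password: str) -> dict:
        """Every failure returns the same body, so the recovery offer never
        tells the caller whether the username exists or the account is locked."""
        user = self.users.get(username.lower())
        if user is None:
            _hash(password, _DUMMY_SALT)        # spend the same work as a real check
            return dict(_GENERIC_FAILURE)
        if user.failures >= MAX_FAILURES:
            _hash(password, user.salt)          # locked accounts look like any other failure
            return dict(_GENERIC_FAILURE)
        if secrets.compare_digest(_hash(password, user.salt), user.pw_hash):
            user.failures = 0
            return {"ok": True, "scope": "full", "user": user.username}
        user.failures += 1
        return dict(_GENERIC_FAILURE)

    def request_recovery(self, contact: str) -> dict:
        """Issue a single-use token to the contact on file. The response is the
        same whether or not the contact is known; the token leaves only through
        the (simulated) out-of-band channel."""
        for user in self.users.values():
            if secrets.compare_digest(user.contact.encode(), contact.encode()):
                token = secrets.token_urlsafe(32)
                self.tokens[token] = (user.username, time.time() + TOKEN_TTL)
                self.outbox.append((contact, token))   # a real service would e-mail or SMS this
                break
        return {"ok": True, "message": "If that contact is on file, a sign-in link has been sent."}

    def redeem_recovery(self, token: str) -> dict:
        """Trade a valid, unexpired token for a limited session: the holder may
        reset credentials and nothing else, so partial access stays bounded."""
        entry = self.tokens.pop(token, None)      # pop makes the token single-use
        if entry is None:
            return dict(_GENERIC_FAILURE)
        username, expiry = entry
        if time.time() > expiry:
            return dict(_GENERIC_FAILURE)
        self.users[username].failures = 0         # recovery also clears a lockout
        return {"ok": True, "scope": "credential-reset", "user": username}
```

The design choice worth noticing is that graceful failure and information hiding are not in conflict: the user always gets a way forward (the recovery offer), while an attacker probing usernames, passwords or lockout state gets one indistinguishable answer and the same computational cost on every attempt.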
This human-centric vision of the future Internet needs much more than reliable and secure back-end applications and communication protocols; it requires designers to develop and adapt front-end services to the experiences, capabilities, behaviors and usability needs of the stakeholders and end-users of those services. The belief that security and usability are two opposed quality factors has to be avoided. Even if security and usability relate to different components of a system or service (the UI and the functionality) (Cranor and Garfinkel, 2005; Jøsang et al., 2007; Nielsen, 2000), and even if they can be engineered by two separate teams, typically software engineering and human–computer interaction teams, there are several cases in which both should be enhanced by modeling their intimate mutual relationships. Typical examples include online payment and e-banking services, supervision systems for critical industrial infrastructures, crisis management, and rescue services. More attention should be paid to the front end of these solutions, which must be very secure, that is, to how they appear to the user directly and indirectly. Usability cannot be treated separately from the security engineering of the whole system.
Our perspective is also grounded in the field of human-centered software engineering, which looks for ways to close the gaps between HCI and software engineering (Seffah, 2006; Seffah et al., 2008, 2009). User interface developers and service engineers should share the same knowledge of HCI and user-centric design, and the same tools for implementing designs correctly. This shared knowledge results in usable front-end designs, fewer security bugs, and lower development cost per service. Both user interface designers and service developers should be assigned responsibility for the accurate implementation of the front-end design as well as the back-end service functionality. Service developers should understand user interface issues well enough to know when to raise design issues during implementation, rather than disregarding them or implementing them inaccurately.
The problem is not just the usability of the user interfaces of security tools; it also concerns security requirements, user experience design and, most importantly, user involvement in security design and engineering. According to Whitten and

Tygar (1999), most research focuses on providing better UIs, but usability problems with secure systems go beyond the UI and call for HCI factors and a design methodology. The authors argue that conventional usability evaluation methods, applied alone, do not adequately assess how usability affects security effectiveness. Both analytical and empirical evaluations were performed to test the usability goals of Pretty Good Privacy (PGP) (Whitten and Tygar, 1998), a public key encryption program. The study uncovered a number of usability problems that caused security failures, supporting the case that specific usability goals are needed when evaluating the usability of security mechanisms (Whitten and Tygar, 1999).

1.1.1 The Interplay between Usability and Security as Key Quality Factors
Security and usability are quality characteristics that affect the quality of software products. The term usability refers to multiple concepts such as execution time, performance, user satisfaction, comprehensibility, security, ease of learning, understandability and so on. Several existing standards relate to usability, and they can be classified into four categories (Abran et al., 2003): product effect (output, efficiency, and satisfaction at the moment of using the product), product attributes (interface and interaction), the process used to develop the product, and organizational capacity.
The benefits of usability have also been explicitly demonstrated for the Internet (Bias and Mayhew, 2002). They include improved productivity, reduced training and documentation costs, and increased user satisfaction. According to Donahue (2001), usability pays off: every dollar invested in usability returns $30.25. Over the years, the HCI community has developed many design techniques to ensure usability. However, these techniques have mostly been developed separately from the software engineering community, which makes them difficult to adopt. Seffah and Metzker (2004) identified five major obstacles, seen from the perspective of both the software engineering and the usability engineering communities:

1. User-centered design (UCD) and usability engineering techniques are not connected with the software development lifecycle.
2. There is an important cultural gap between the practices of software engineering and usability engineering.
3. Software developers do not use usability engineering tools but develop their own, which in many cases amounts to reinventing existing tools.
4. Professionals in usability and software need to be trained to work together.
5. A framework is needed to promote and improve UCD and software engineering techniques across the two communities.

Computer security is a field that has grown tremendously since the 1970s, producing many techniques, models, protocols, etc., accompanied by intense activity from international standardization and certification organizations. As the International Telecommunication Union (ITU) notes, many international standardization organizations have produced a complex structure of standards on computer security, which change and are updated very frequently. This makes the definition of security somewhat confusing.
One traditional definition is that of Castano et al. (1995): "protection of information processed by a computer against unauthorized access, modifications, improper or lack of availability of a service in a given time". Another classical definition is the one in the software quality standard ISO/IEC 9126-1 (2001), which treats security as a sub-characteristic of software quality and defines it as "the ability of software products to protect data and information against unauthorized access or modifications, ensuring the access is not denied to authorized users". More recently, ISO has reserved the ISO 27000 series of standards specifically for information security matters (ISO/IEC 27001, 2013). Security has also been defined as the inability of the environment to have an undesired effect on the system. ISO/IEC 27000 defines information security as the preservation of confidentiality, integrity, and availability of information, noting that other properties such as authenticity, accountability, non-repudiation, and reliability can also be involved.
While security has been treated as a purely technical aspect in software development methodologies, some authors argue that it is much more than that and has a strategic dimension, making it one of the most important criteria in the governance of ICT (Posthumus and von Solms, 2004). In addition, there are many security-related concepts (models, techniques, policies, services, requirements, etc.) that often intermingle, which makes them harder to understand; in many cases the same term is applied in many different ways.
All these advances in terms of perceptions and models of security and usability
are very important, but they are most often completely independent from each
other. That is why it is necessary to make an effort to develop a unifying model that
describes the intimate relationship between usability and security.

1.1.2 Background
1.1.2.1 How Have Security Engineers Addressed Usability/HCI Concerns?
One reason for the failure of security specialists to address usability as perceived and defined by the HCI community is that security and usability have historically evolved independently, or have been considered as two opposite factors. Another historical explanation is that researchers were driven more by

technology than by user problems and perceptions of security. For example, the development of identity management technologies was so demanding in terms of security that it left little time and money for usability and human factors in general.
A second factor is the industry's tendency to be driven by bug fixing rather than by examining the context and the user experience in which the bugs occur. Most industry efforts have therefore gone into automating the reporting and handling of bugs rather than into studying human experience and how it can promote more secure operation overall.
A further reason for the lack of alignment between security and usability is the design and innovation approach that leads to new security technologies. Most often, innovation starts with a company developing an "in-house technology" that addresses a specific problem arising in a specific project. Other groups in the same company, or in other companies, may then develop their own versions of the solution. This makes it difficult to ensure the usability of these in-house solutions, and of their many versions, once they leave the original context in which they applied. Firewalls, junk mail filters, anti-spyware, and antivirus tools are good examples.
Finally, the lack of the HCI skills required to conduct effective user studies is a serious obstacle, because it makes the results of studies done by the academic security research community questionable. In industry, user studies are hard to conduct because they must comply with the regulations and laws governing the use of human subjects in experiments related to the safety and security of systems and services.

1.1.2.2 The Lack of Deep Usability/HCI Studies on Security in the HCI Community
The term usability has been defined in different ways in the literature, which makes it a confusing concept. To illustrate this point, two broad definitions of usability from different standards are listed next:

◾◾ The capability of the software product to be understood, learned, used, and also be attractive to the user, when used under specified conditions (ISO/IEC 9126-1, 2001).
◾◾ The extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use (ISO 9241-11, 1998).

There are also varying definitions across different sets of standards or authors
concerning more specific attributes (facets, aspects, factors) of usability. Recently,

the usability question has been linked with security in numerous sources. The first book combining the two issues (Cranor and Garfinkel, 2005) was published in 2005. The first Symposium on Usable Privacy and Security (SOUPS) was held the same year, and since then security and usability have been a suggested paper topic in many security- and HCI-related conferences. However, most research in this area has been on the usability of particular security-related applications, the first example being Whitten and Tygar (1999).

1.1.3 Objectives and Practical Outcomes of Usable Security Research
The domain that considers the human aspects of security and the integration of usability into security features is referred to as usable security (Garfinkel and Lipford, 2014). The overall objective of usable security research can be stated as follows:

Identify and model the intimate relationships between usability and security characteristics in Web and cloud services, and develop concepts, metrics, patterns, methods, and tools, all embedded into an integrative human-centric design framework, to support a rich user experience and usability without compromising the security of the overall services system.

Our position is that there is a need to consider this intrinsic conflict between
creating Web and cloud services that are usable and designing underlying systems
and cloud computing platforms that are secure. The main focus needs to be on
early design phases to make the security and usability interplay an outcome of the
requirements definition and concept design phase.
This overall goal can be broken down into the following specific objectives, addressed by the different work packages:

◾◾ Setting concrete targets for the user/stakeholder experience with services.
◾◾ Detailing and modeling the related user activities and tasks, the services, and the usability/security symmetry.
◾◾ Discovering and documenting design patterns, each describing an identified usability/security problem, a proven solution, and the different user–service interactions in which the problem occurs.
◾◾ Providing metrics and tools to assess objectively the level of security and usability as quality factors.
◾◾ Integrating the four previously listed objectives into an integrative human-centric framework.
◾◾ Instantiating this framework in different case studies.
◾◾ Ensuring the standardization and long-term sustainability in industry of the integrative framework, as well as the avenues for its integration into industry design methods and tools.

The practical, measurable consequences include:

◾◾ Finding the right trade-off between security and usability as early as possible in the design and engineering lifecycle. Usability problems in secure Web systems can lead to security vulnerabilities, which in turn can affect a company's bottom line. One of the difficulties in developing human interfaces to security systems is anticipating the response of users to the huge space of possible system states and design options. Representing user activities and tasks together with user experience targets will let the designer simulate user responses to a diverse range of situations and design options.
◾◾ Establishing a solid theoretical ground for characterizing the usability/security symmetry. This should start with a robust, well-defined specification of the symmetry, of proven solutions, and of task and service models; it should then move on to using them as the driving artifacts from which the implementation of the service is generated, deployed and tested.
◾◾ Providing proven solutions as practical, standardized patterns and measures for the design and evaluation of usable secure services. Even though the HCI and security engineering research communities have gradually built a good body of work in usable security, most of it consists of general guidelines that are not easy to apply to specific problems. In contrast to general usability design guidelines, which are mostly descriptive and simply specify "nice to have" design features, there is a need for design patterns enriched with measures, user experiences, and task models that together provide proven solutions to a problem.
◾◾ Developing robust design tools and methods. The security and usability requirements and design phase is an important prelude to extracting and gathering user requirements. It is especially important because it defines the problem the stakeholder is trying to solve, whatever software development process model is adopted (e.g. waterfall, iterative, agile, model-driven, service-oriented, etc.). It is widely held that gathering and agreeing on requirements and design is crucial to the whole development and to any successful project. The software quality community should aim at developing robust design tools that influence the whole development process and bring security and usability together earlier in that process.
◾◾ Integrating the measures, patterns, models, tools, and methods into a human-centric design and engineering framework, as well as an open platform supporting standardization, integration and sustainability. The developed tools should be available on an open platform for collaboration and open source dissemination. Standardization and the open source platform are two ingredients for ensuring sustainability and evolution.
Discovering Diverse Content Through
Random Scribd Documents
- 3^5 — E 'gni tanto cercava d'agguantali a in der tramente
stava sola a lletto, pe' ffacce er commidaccio suo. Ve potete
immagginà', lo spavento de quela pòra ciorcinata ! Nun ciaveva ppiù
'na góccia de sangue in de le vene. La madregna (che la madre
bbòna j 'era morta da un pezzo) aveva da vede e ria mmosca; si
uno, amara lei ! Consijorno a la Bella Cenci de fa un raormoriale ar
papa d'allora, su li cattivi trattamenti de su' padre ; lei lo fece ; ma
avete avuto risposta voi che nu' je l'avete fatto? Accusi Ilei. Intanto
le persecuzione de quer puzzone der padre, de quer cannibbole, nun
spicciavano mai. La cosa era ita puro a l'orecchia de' regazzo de la
Bella Cenci ; e vve potete immagginà', ccome ce magnava l'ajo, e
cche odio se sentiva in petto pe' quer puzzone der padre. E li ferri
s'ariscallorno ar punto, che ddecise, la prima vorta che je capitava a
ppóllo, de faje la pellaccia. I' mmodo che quanno la Bella Cenci la
notte se chiudeva in de la su' stanzia per annasséne a ddormi', e'
regazzo je faceva la guardia d' anniscosto, pe' vvede si er Marco
ciappizzava. E nun te dubbità' che una notte, vidde er padre mezzo
ignudo, usci' quatto quatto da la su' stanzia ; lui je se messe a le
tacche a le tacche, e lo vedde entra5 in de la stanzia de la Bbella
Cenci.
Lui allora sguainò lo stòcco, e mmentre quer puzzóne
scopriva la fija che ddormiva, je zzompò addosso, j'infirzò lo stòcco
in de la schina, e lo stese freddo accanto a' lletto de quela povera
innocente. Poi la svejò e je fece: — Finarmente me lo so' llavorato !
E j'insegnò er padre longo stecchito sur pavimento, in uno sguazzo
de sangue. Ve potete immagginà' lo spavento de la fija e dde la
madre ! Ma er còrpo era fatto e nun c'era arimedio. Bisognava
pensa' a ssarvasse da la ggiustizia. Allora, 111 ppe' Ili, ttutti
d'accordo, arzònno de' péso er cadavere der morto e lo bbuttorno da
una loggétta che ddava su la campagna, pe' ffa' vvede come si er
mòrto se fusse bbuttato da la finestra. E' regazzo de la Bbella Cenci,
poi, pensò subbito a ppijà' ll'erba fumaria a ll'èstro. E ttutto sarebbe
ito a ffinì' bbene si la Bbella Cenci fussi stata una poveretta ; ma li
quatrini che cciaveva fumo la cavusa de' la su' rovina. Défatti, er
papa che cc'era allora, pensò de pijà' quer protesto pe' manna ttutti
li Cènci a mmorte, e de impossessasse de tutti li bbeni che
assommàveno a quarche ccentinaro e ccentinaro de mijara de scudi.
Detto fatto, fu arestata la madregna, la Bbella Cenci e tutti li fratelli,
je fu ffatto er processo e fumo tutti condannati a mmorte e a èsse
tena 
— 367 — jatie squartati, infinenta un fratelluccio de la
Bbella Cenci che nun ciaveva nemmanco dodici anni. Dice che quello
che nun fece l'avvocato Farinaccia pe' ssarvà' armanco quela povera
fija, nun ve ne potete immagginà' ! All'urtimo momento er papa se
degnò (vvarda spregone!) a ffa' la grazzia a' regazzino cor patto che
stasse sur parco a ggodésse tutta quela po' po' de carnificina fatta a
la madre, a la sorella e a li fratelli, e ppoi se facessi castra' cconv un
gattino. Dice ch'er giorno de la ggiustizia a Roma ce fu bburiana
forte. Ouanno comparì' sur parco quela povera fija de la Bbella
Cenci, successe un tumurto. Mastro Titta dovette mette mano a la
dirlindana pe' ssarvasse la pelle. Tutto er popolo voleva pe' fforza
sarvà' la Bbella Cenci ; e si nun fussino stati li sordati je sarebbe
ariuscito. Ma fu ttutto inutile, perchè ggiustizia fu ffatta ; a quela
pòra fija, pe' ggrazia speciale je fu sortanto tajata la testa. Dice che
Ilei prima de morì', ffece sape' ar papa che ssi je sarvava la vita,
averebbe fatto rifa' ttutto de novo co' la chiara de ll'òva, Ponte Rotto.
Ma er papa, ora sorda ! ; nun intese gnente ; e ddoppo fatta la
carnificina se scirpò ttutti li bbeni de la famija Cènci, e cciaricchì la
su' famija.
- 368 Dice che ffra la robba che ss'aranciò cc'era puro Villa
Bborghese. Anzi la maggior parte de queli bbeni agnédeno a ffini'
ttutti in mano de li principi Bborghesi che èreno, nun so pe' pparte
de chi, pparenti der papa. E vvonno dì' che l'eredi de la Bbella Cenci
tutti l'anni mànneno una citazione a la famija Bborghese, p'ariavé li
bbeni de loro. E dicheno puro, che 'na vorta, a 'na gran festa da
bballo che ddiede de carnovale una principessa Bborghese, una
parente de la Cènci je s'appresentò in mezzo a la sala, tutta
ammascherata da Bbella Cenci. E ddice che la principessa che quela
sera portava addosso tutte le ggioje de la famija Cenci, ner vede'
quela mmaschera, se ne vieni' mmeno da lo spavento, e nu' je prese
un accidente perché Ddio nun vòrse.
XI. La Fornarina Era chiamata la Fornarina, perchè era hja
d'un fornaro che ttienéva er forno in quel a casetta tanta antica,
vicina a quell'antro che ffa ccantóne tra la via de Santa Dorotea e
pporta Sittimiàna. Dunque era tresteverina, e bbella come un sole.
Un giorno ner mentre stava a la finestra a ppettinasse, passò dde Uà
un bravo dipintore, un certo Raffaelle che Uavorava Ili vvicino a la
Fernesina, e, vvedella, e innammoràssene cotto, fu u' mmoménto. E
ssiccóme puro lui era un ber ggiovine, ;t Ilei j'agnede a gègno, e sse
mésseno a ria' l'amore. Ma celie amore ! Quello se chiamava amore
pe' ddavéro ! Dice che llui 'gni tantino piantava e' llavoro per annalla
a vvede ; e ttutt'e ddua se daveno l'appuntamento e sse n'annaveno,
come du' regazzini, sotto fiume, a ddiscore. Anzi dice ch'er padrone
de la Fernesina, quanno nu' lo vedeva, mannava quarcuno sotto
fiume a ccercallo, e Uà era sicuro che lo trovava assieme a la su'
Fornarina. 24
The text on this page is estimated to be only 23.57%
accurate

Quanno dipigneva min voleva antra modella che Ilei, sicché


echi lo sa s'in quanti mai de li su' quadri Pavera ddipinta. Figuràmese
dunque in quante cchiese starà ssù Tartari a fifa dda Madonna! E
ppensà cche la ggente che la vanno a ppregà', min sanno che hanno
da fa' cor una povera fija d'un fornaro J
The text on this page is estimated to be only 25.95%
accurate

XII. La funtana de piazza Tartaruga Tanto tempo fa, a


Roma c'era un certo Duca Mattei (i) che nun faceva antro che ggioc
l'animaccia sua notte e ggiorno ; ar punto che uria notte per un 4,
un 5 e un 6, perse innnenta er su' palazzo. (;) I Duelli Mattei sono
discendenti degli antichi Papareschi di Trastevere : De Domo
Paparescortim, le cui torri erano nel sec. XV in vicinanza di S. .Maria
in Trastevere, la quale chiesa Innocenzo II, della famiglia dei
Papareschi, aveva con molta magnificenza re> tali rato.
Saputa 'sta cosa, er padre de la su' innammorata, je marinò
a ddì' che sse fussi trova puro un'antra spòsa, perchè llui nun voleva
più dda' la su' fija a uno scioperato e spiantato de quela fatta. Er
Duca Mattei, nun vorse antro : figurative che ppaturgne je preseno
ner sentisse affibbia' dde lo spiantato ! E cche tte fece ? In d'una
nottata, pe' ffa' vvede ar padre de la regazza, che incora era ricco
abbastanza, fece frabbicà' su la piazza Tartaruga (Piazza Mattei, ove
il palazzo risiede) quela bbella funtana co' le tartarughe, che l'ingresi
che sse n'arintènneno, dicheno che vale tant*oro pe' quanto pesa.
La mmatina appresso poi invitò ner su' palazzo la su' regazza e er
padre de lei, e tutt' in d' un botto uprì la finestra che sta de sguincio
ar palazzo e che ddà su la piazzetta, li fece affaccia' tutt'e ddua, e je
disse: — Vardate un po' uno spiantato come che mine, ssi cche
robba è stato bbòno a ffa' ttirà' su in d'una nottata ? ! Padre e ffija
arimaseno de pietra pomicia, a vvede quela magnificenzia de
funtana ! Er padre chiese scusa ar Duca Mattei, e j 'aridiede pe'
spòsa la fija. Da quer giorno in poi, i' ricordanzia de quer fatto, er
Duca Mattei fece ammurà' quela finestra, indove nun vorse che cce
se fusse più affacciata anima viva. E la finestra, ammurata, incora se
vede.
C'è ppuro chi aricconta ch'er Duca Mattei pe' ffa' vvede' ar
padre de la sposa che sse ne bbuscarava de la dota che j'aveva
portata la moje, l'impiegò ttutta pe' fìfacce fabbrica' quela funtana.
Ma sii un po' ccome se sii, er fatto sta, celie ssi a Roma ciavemo
quela bbella funtana. la dovemo a 'sto fatto che vv' ho ariccontato.
XIII. La torre de Nerone E quela torre che sta ppe' la salita
de Montemagnanapoli. Se chiama de Nerone perchè fu llui che la
fece frabbicà' a spese sue; e quanno quer cannibbole, se prese er
gusto de da' fiòco a ttutta quanta Roma sana, che ffece ? Se prese la
ghitarra, e ss'agnede a ggode lo spettacolo der fòco, da llassù. E
mentre che la città era divorata da le tiare de fòco, e li poveri
romani, spaventati, scappavano da le case de loro pe' min fa' la fine
de San Lorenzo ; lui, che bbisogna dì' ch'era un matto bbirbone,
cantava da povèta e ss'accómpaonava da sé eco' la ghitarra. Che
ccore ! ma ggià min faceva spece a gnisuno : ciaveva avuto er
barbero coraccio d'ammazza' la madre, e ttant'abbasta.
XIV. Micchelangelo and Raffaelle
They say that while Raffaelle was painting inside the Fernesina, he was so jealous of his work that he did not want anyone to see it. And they say that when he went out, he gave orders to the guardian that, while he was away, no one should dare to enter the room he was painting. At that time there was also another fine painter, as good as Raffaelle, called Micchelangelo, and they say that between the two of them, as always happens, there was a bit of professional jealousy. This Micchelangelo was dying of the wish to go and see in the Fernesina the works Raffaelle was painting; but however much he had tried, he had never managed to sneak inside. One day, what does he do? So as not to be recognized and not to catch the guardian's eye, he disguises himself as a lupin-seller and goes quietly off to the Fernesina. He sits himself down outside, pretending to sell lupins; and having caught the moment when the guardian was not watching him, he went into the room where Raffaelle was painting, looked at it very carefully, and then, right there and then, with a piece of charcoal, on a wall of that same room, he drew a beautiful head. That done, he took to his heels and slipped away the way he had come in. Lo and behold, here comes Raffaelle. He enters, climbs the scaffolding, takes the palette and the brushes, goes to paint, and how he recognized right there and then who had made it! Because he said at once: — This is Michelangelo's work. And instead of shouting for the guardian and asking him how he had got in and how he had not got in, as any one of us would have done, he not only kept quiet but wanted that painted head not to be destroyed, because a treasure like that had to be preserved. And in fact, if you go and see the Fernesina, that head by Micchelangelo is still there.
XV. The Palace of the Monkey
This palace is on Via de S. Antonino de' Portoghesi: if you pay attention, at night, up at the top of the palace's tower, there is always a lamp lit in front of a Madonna. Now I will tell you why. They say that a long time ago some gentlefolk lived there who kept a wretched monkey about the house. This monkey, as is their vice, copied everything its masters did. If, for example, it saw the master shaving, when he had finished it went over there into the room and shaved itself too, and so on. They say that this monkey was forever watching the wet-nurse when she unswaddled and re-swaddled the lady's baby, and who knows what it would have paid to unswaddle it itself and play with it like a doll! And have no doubt that one time, when the masters went out together with the wet-nurse and left the baby asleep, you can imagine whether the monkey did not want to try it. In fact it went to the cradle, took the baby in its arms, boy or girl whichever it was, took the little basket of swaddling clothes, and, so as not to be disturbed, guess where it went? Right to the very top, and it sat down on the very edge of the corner of the tower. And there, as if it had been sitting in an armchair, it began to unswaddle and re-swaddle the baby, just as if it had been a doll. Imagine the anguish and the torments of the poor mother when, coming home and raising her eyes up in the air, she saw that kind of performance! She did not have a stroke, because God did not will it. She took the house stairs four at a time, went up into the house, and, so as not to frighten the monkey, she knelt down before the Madonna and made a vow that, if the monkey brought the baby back into the house safe and sound, she would have a little altar to the Madonna made in the very spot where the monkey was with the baby, with a lamp lit all night long. In fact the blessed Madonna granted her prayer, and from that day on, up there at the top of the palace tower, an image can still be seen in front of which a lamp is always lit every night.
XVI. The Marchese del Grillo
He was a great lord, so rich that money had gone to his head. And he, to kill time, amused himself as best he could, playing pranks, jokes and spiteful tricks on whoever came his way. He had it in especially for those poor wretches the Jews. (1)
(1) Prof. Raffaello Giovagnoli has also published several anecdotes about the Marchese del Grillo, and the able, and equally modest, dialect writer Prof. Chiappini possessed many other unpublished ones. I, however, took account only of those few that are generally told among the people. The little story of Baciccia the Coalman, made popular after Giovagnoli's publication, was not known to the people, and so I did not think it right to reproduce it here. I have also found that several of these stories attributed to the Marchese del Grillo are by others credited to another eccentric of that era, a certain Marchese Chigi of Siena. Our Marchese is buried at SS. Quirico e Giulitta, at the Arco de' Pantani.
They say that when he took a wife, on the first night of the wedding, since perhaps the wife was ashamed, she went to bed in her nightgown, her bed-jacket, in short, as the ladies say, she made her night toilette. The Marchese del Grillo, seeing that performance, said: — Wait! And he too went and got dressed, and what is more put on his boots, his spurs and his riding crop, and dressed like that he went to bed. I have already told you that the Marchese del Grillo had taken aim at the Jews. In fact, as they passed within range under the windows of his palace, he would take and throw at their heads the first thing that came to hand: bricks and chamber-pot slops of every sort of God's bounty. Those poor devils complained so much that in the end the Cacàmme of the Ghetto went to complain to the Government. The Pope then sent at once to summon the Marchese del Grillo, that he should come up to the palace immediately. He went; he did not deny that he could not stand the Jews, nor the spiteful tricks he played on them.