Least Surprise

Name Least Surprise
Sources (Garfinkel, 2005)
Synonyms Least Astonishment (Anderson and Brady, 2004; Saltzer and Kaashoek, 2005)
Intent Ensure that the system acts in accordance with the user’s expectations.
Motivation Saltzer and Schroeder introduced the principle of “psychological acceptability” in 1975 (Saltzer and Schroeder, 1975). Since then the principle has generally been recast as a principle (or rule) of “Least Surprise” or “Least Astonishment.” The principle of Least Surprise asserts that the system should match the user’s experience, expectations, and mental models. In the context of computer security, this means that the computer should not perform an action in an insecure manner when the user expects it to be behaving securely.
Examples For example, if the user fills out a form on a web page that was fetched with SSL, the browser should warn if the form’s POST operation causes the data to be sent without encryption to another web server. Likewise, if the user instructs the computer to delete a file and the file disappears from the computer’s list of files, then the file should actually be deleted.
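The form case above as a concrete check, added here as an example and not part of the pattern entry or its sources: given the page URL and a form's raw action attribute, it decides whether submitting would downgrade from HTTPS to plain HTTP and so violate the user's expectation. The names assessFormSubmission, findSurprisingForms and SubmitRisk are assumptions, and the handling of empty, relative and protocol-relative actions follows the URL resolution browsers apply.

```javascript
// Added example (not from the pattern repository). Classify a form submission
// by comparing the scheme of the page the form came from with the scheme of
// the resolved submission target.
const SubmitRisk = Object.freeze({
  OK: 'ok',               // target is at least as protected as the page
  DOWNGRADE: 'downgrade', // https page -> http target: the user must be warned
  NOT_HTTP: 'not-http',   // javascript:, mailto:, ...: not a network POST
  INVALID: 'invalid',     // page URL or action could not be parsed
});

function assessFormSubmission(pageUrl, actionAttr) {
  let page;
  try { page = new URL(pageUrl); } catch (e) { return { risk: SubmitRisk.INVALID, target: null }; }

  // A missing or empty action submits to the document's own URL, so the
  // submission inherits the page's scheme.
  const raw = (actionAttr || '').trim();
  let target;
  try {
    // Relative ("/submit") and protocol-relative ("//host/path") actions are
    // resolved against the page, which again preserves its scheme.
    target = raw === '' ? new URL(page.href) : new URL(raw, page);
  } catch (e) { return { risk: SubmitRisk.INVALID, target: raw }; }

  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { risk: SubmitRisk.NOT_HTTP, target: target.href };
  }
  const pageSecure = page.protocol === 'https:';
  const targetSecure = target.protocol === 'https:';
  if (pageSecure && !targetSecure) {
    return { risk: SubmitRisk.DOWNGRADE, target: target.href };
  }
  return { risk: SubmitRisk.OK, target: target.href };
}

// Sweep every form in a document and return those that would surprise the
// user. `doc` is the live document in a browser; any object exposing
// querySelectorAll('form') with getAttribute('action') on each form works.
function findSurprisingForms(doc, pageUrl) {
  const findings = [];
  for (const form of doc.querySelectorAll('form')) {
    const { risk, target } = assessFormSubmission(pageUrl, form.getAttribute('action'));
    if (risk === SubmitRisk.DOWNGRADE) findings.push({ form, target });
  }
  return findings;
}
```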
Guidelines None
Tags Expectation Conformity
Log history [02/14/2016]: Added to repository

References

Anderson, T., Brady, D., 2004. Least astonishment. Oregon Pattern Repository.

Garfinkel, S.L., 2005. Design principles and patterns for computer systems that are simultaneously secure and usable (PhD thesis). Massachusetts Institute of Technology.

Saltzer, J.H., Kaashoek, M.F., 2005. Topics in the engineering of computer systems (working title).

Saltzer, J.H., Schroeder, M.D., 1975. The protection of information in computer systems. Proceedings of the IEEE 63(9).