33 research outputs found

    The Design and Development of an Interactive Story for Security Education: A Case Study on Password Managers

    Password managers allow us to generate unique passwords that ultimately protect our accounts and improve our password management. Despite being one of the most common pieces of security advice, adaption of password managers remains low. The complexity and magnitude of security advice leave users pondering about the best decision to keep themselves safe online. Indeed, it is generally better to learn concepts through a feedback loop, where we are informed, make a decision, and ultimately experience the consequences of our decisions. This feedback loop is absent in the traditional way security advice is given. In this thesis, I explore the potential of using interactive stories (Choose-Your-Own Adventure stories) to simulate security consequences to convey lessons and risks. Through participatory design, survey methods, interviews, and learning science principles, I developed and validated a comprehensive and effective interactive story to be used in security education. The results of this thesis show a promising approach of using interactive stories in the security education ecosystem.
    Master of Science; Information, School of; University of Michigan; http://deepblue.lib.umich.edu/bitstream/2027.42/162553/1/Sugatan_Carlo_Final_MTOP_Thesis_20200429.pd

    I Don't Need an Expert! Making URL Phishing Features Human Comprehensible

    MIGRANT : modeling smartphone password manager adoption using migration theory

    Password manager applications have the potential to alleviate password pain and improve password strength, yet they are not widely adopted. Password managers are dissimilar to other kinds of software tools, given that the leakage of the credentials they store could give a hacker access to all the individual's online accounts. Moreover, adoption requires a deliberate switch away from an existing (manual) password management routine. As such, traditional technology adoption models are unlikely to model password manager adoption accurately. In this paper, we propose and explain how we validated a theoretical model of smartphone password manager adoption. We commenced by carrying out exploratory interviews with 30 smartphone owners to identify factors that influence adoption. These were used to develop a model that reflects the password manager adoption process, building on migration theory. The proposed model, MIGRANT (MIGRation pAssword maNager adopTion), was validated and subsequently refined in a week-long study with 198 smartphone owners, combining self-report and observation to measure constructs. This study contributes to the information security behavioral literature by isolating the main factors that encourage or deter password manager adoption, and those that moor smartphone owners in their current practices, hindering switching. With this investigation, we introduce migration theory as a reference theory for future studies in the information security behavioral field

    "If You Can't Beat them, Join them": A Usability Approach to Interdependent Privacy in Cloud Apps

    Cloud storage services, like Dropbox and Google Drive, have growing ecosystems of 3rd party apps that are designed to work with users' cloud files. Such apps often request full access to users' files, including files shared with collaborators. Hence, whenever a user grants access to a new vendor, she is inflicting a privacy loss on herself and on her collaborators too. Based on analyzing a real dataset of 183 Google Drive users and 131 third party apps, we discover that collaborators inflict a privacy loss which is at least 39% higher than what users themselves cause. We take a step toward minimizing this loss by introducing the concept of History-based decisions. Simply put, users are informed at decision time about the vendors which have been previously granted access to their data. Thus, they can reduce their privacy loss by not installing apps from new vendors whenever possible. Next, we realize this concept by introducing a new privacy indicator, which can be integrated within the cloud apps' authorization interface. Via a web experiment with 141 participants recruited from CrowdFlower, we show that our privacy indicator can significantly increase the user's likelihood of choosing the app that minimizes her privacy loss. Finally, we explore the network effect of History-based decisions via a simulation on top of large collaboration networks. We demonstrate that adopting such a decision-making process is capable of reducing the growth of users' privacy loss by 70% in a Google Drive-based network and by 40% in an author collaboration network. This is despite the fact that we neither assume that users cooperate nor that they exhibit altruistic behavior. To our knowledge, our work is the first to provide quantifiable evidence of the privacy risk that collaborators pose in cloud apps. We are also the first to mitigate this problem via a usable privacy approach.
    Comment: Authors' extended version of the paper published at CODASPY 201

    Unpacking security policy compliance: The motivators and barriers of employees’ security behaviors

    The body of research that focuses on employees’ information Security Policy compliance is problematic as it treats compliance as a single behavior. This study explored the underlying behavioral context of information security in the workplace, exploring how individual and organizational factors influence the interplay of the motivations and barriers of security behaviors. Investigating factors that had previously been explored in security research, 20 employees from two organizations were interviewed and the data was analyzed using framework analysis. The analysis indicated that there were seven themes pertinent to information security: Response Evaluation, Threat Evaluation, Knowledge, Experience, Security Responsibility, Personal and Work Boundaries, and Security Behavior. The findings suggest that these differ by security behavior and by the nature of the behavior (e.g. on- and offline). Conclusions are discussed highlighting barriers to security actions and implications for future research and workplace practice

    Stop the Consent Theater

    The current web pesters visitors with consent notices that claim to "value" their privacy, thereby habituating them to accept all data practices. Users' lacking comprehension of these practices voids any claim of informed consent. Market forces specifically designed these consent notices in their favor to increase users' consent rates. Some sites even ignore users' decisions entirely, which results in a mere theatrical performance of consent procedures designed to appear as if it fulfills legal requirements. Improving users' online privacy cannot rely on individuals' consent alone. We have to look for complementary approaches as well. Current online data practices are driven by powerful market forces whose interests oppose users' privacy expectations - making turnkey solutions difficult. Nevertheless, we provide a bird's-eye view on privacy-improving approaches beyond individuals' consent

    A Large-Scale Measurement of Cybercrime Against Individuals
