Usable Security. A Systematic Literature Review
Usable security involves designing security measures that accommodate users' needs and behaviors. Balancing usability and security poses challenges: the more secure the systems, the less usable they will be. Conversely, more usable systems will be less secure. Numerous studies have addressed this balance. These studies, spanning psychology and computer science/engineering, contribute diverse perspectives, necessitating a systematic review to understand strategies and findings in this area. This systematic literature review examined articles on usable security from 2005 to 2022. A total of 55 research studies were selected after evaluation. The studies have been broadly categorized into four main clusters, each addressing different aspects: (1) usability of authentication methods, (2) helping security developers improve usability, (3) design strategies for influencing user security behavior, and (4) formal models for usable security evaluation. Based on this review, we report that the field's current state reveals a certain immaturity, with studies tending toward system comparisons rather than establishing robust design guidelines based on a thorough analysis of user behavior. A common theoretical and methodological background is one of the main areas for improvement in this area of research. Moreover, the absence of requirements for usable security in almost all development contexts greatly discourages implementing good practices from the earliest stages of development.
An Empirical Study & Evaluation of Modern CAPTCHAs
For nearly two decades, CAPTCHAs have been widely used as a means of
protection against bots. Throughout the years, as their use grew, techniques to
defeat or bypass CAPTCHAs have continued to improve. Meanwhile, CAPTCHAs have
also evolved in terms of sophistication and diversity, becoming increasingly
difficult to solve for both bots (machines) and humans. Given this
long-standing and still-ongoing arms race, it is critical to investigate how
long it takes legitimate users to solve modern CAPTCHAs, and how they are
perceived by those users.
In this work, we explore CAPTCHAs in the wild by evaluating users' solving
performance and perceptions of unmodified currently-deployed CAPTCHAs. We
obtain this data through manual inspection of popular websites and user studies
in which 1,400 participants collectively solved 14,000 CAPTCHAs. Results show
significant differences between the most popular types of CAPTCHAs:
surprisingly, solving time and user perception are not always correlated. We
performed a comparative study to investigate the effect of experimental context
-- specifically the difference between solving CAPTCHAs directly versus solving
them as part of a more natural task, such as account creation. Whilst there
were several potential confounding factors, our results show that experimental
context could have an impact on this task, and must be taken into account in
future CAPTCHA studies. Finally, we investigate CAPTCHA-induced user task
abandonment by analyzing participants who start and do not complete the task.
Comment: Accepted at USENIX Security 202
Incorporating Cognitive Neuroscience Techniques to Enhance User Experience Research Practices
User Experience (UX) involves every interaction that customers have with products, and it plays a crucial role in determining the success of a product in the market. While there are numerous methods available in the literature for assessing UX, they often overlook the emotional aspect of the user's experience. As a result, cognitive neuroscience methods are gaining popularity, but they have certain limitations such as difficulty in collecting neurophysiological data, potential for errors, and lengthy procedures. This article aims to examine the most effective research practices using cognitive neuroscience techniques and develop a standardized procedure for conducting UX research. To achieve this objective, the study conducts a comprehensive review of UX research that employs cognitive neuroscience methods published between 2017 and 2022.
SoK: The Ghost Trilemma
Trolls, bots, and sybils distort online discourse and compromise the security
of networked platforms. User identity is central to the vectors of attack and
manipulation employed in these contexts. However it has long seemed that, try
as it might, the security community has been unable to stem the rising tide of
such problems. We posit the Ghost Trilemma, that there are three key properties
of identity -- sentience, location, and uniqueness -- that cannot be
simultaneously verified in a fully-decentralized setting. Many
fully-decentralized systems -- whether for communication or social coordination
-- grapple with this trilemma in some way, perhaps unknowingly. We examine the
design space, use cases, problems with prior approaches, and possible paths
forward. We sketch a proof of this trilemma and outline options for practical,
incrementally deployable schemes to achieve an acceptable tradeoff of trust in
centralized trust anchors, decentralized operation, and an ability to withstand
a range of attacks, while protecting user privacy.
Comment: 22 pages with 1 figure and 8 table
Jornadas Nacionales de Investigación en Ciberseguridad: proceedings of the VIII Jornadas Nacionales de Investigación en Ciberseguridad: Vigo, 21 to 23 June 2023
Jornadas Nacionales de Investigación en Ciberseguridad (8ª. 2023. Vigo); atlanTTic; AMTEGA: Axencia para a modernización tecnolóxica de Galicia; INCIBE: Instituto Nacional de Cibersegurida
CAPTCHA Types and Breaking Techniques: Design Issues, Challenges, and Future Research Directions
The proliferation of the Internet and mobile devices has resulted in
malicious bots accessing genuine resources and data. Bots may instigate
phishing, unauthorized access, denial-of-service, and spoofing attacks, to
mention a few. Authentication and testing mechanisms that verify the end-users
and prohibit malicious programs from infiltrating the services and data are
strong defense systems against malicious bots. A Completely Automated Public
Turing test to tell Computers and Humans Apart (CAPTCHA) is an authentication
process to confirm that the user is a human; only then is access granted. This
paper provides an in-depth survey on CAPTCHAs and focuses on two main things:
(1) a detailed discussion of various CAPTCHA types along with their advantages,
disadvantages, and design recommendations, and (2) an in-depth analysis of
different CAPTCHA breaking techniques. The survey is based on over two hundred
studies on the subject matter conducted from 2003 to date. The analysis
reinforces the need to design more attack-resistant CAPTCHAs while keeping
their usability intact. The paper also highlights the design challenges and
open issues related to CAPTCHAs. Furthermore, it also provides useful
recommendations for breaking CAPTCHAs.
How WEIRD is Usable Privacy and Security Research? (Extended Version)
In human factor fields such as human-computer interaction (HCI) and
psychology, researchers have been concerned that participants mostly come from
WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This
WEIRD skew may hinder understanding of diverse populations and their cultural
differences. The usable privacy and security (UPS) field has inherited many
research methodologies from research on human factor fields. We conducted a
literature review to understand the extent to which participant samples in UPS
papers were from WEIRD countries and the characteristics of the methodologies
and research topics in each user study recruiting Western or non-Western
participants. We found that the skew toward WEIRD countries in UPS is greater
than that in HCI. Geographic and linguistic barriers in the study methods and
recruitment methods may cause researchers to conduct user studies locally. In
addition, many papers did not report participant demographics, which could
hinder the replication of the reported studies, leading to low reproducibility.
To improve geographic diversity, we provide suggestions, including
facilitating replication studies, addressing geographic and linguistic issues of
study/recruitment methods, and facilitating research on topics relevant to non-WEIRD
populations.
Comment: This paper is the extended version of the paper presented at USENIX
SECURITY 202
HEALING COMMUNITIES. What if we collectively had the capacity to overcome any crisis in a matter of days? A method for teams of teams to: listen to each other, agree on priorities, put in commons resources, create few but essential and freely adaptable solutions.
Ever since I was young, I have sought to find how to contribute meaningfully to the community, while being fully myself. Called to different interests than my peers, I began to explore the mysteries of group dynamics. Many cycles of study and practice led me to an awareness: suffering, misery (physical and spiritual), violence, are often generated by stories we learn as children, and pass on through generations.
I became convinced that, within months, we could ensure that all people could live decently and in harmony, if we dared to listen – literally and symbolically – to our Heart, to the Other’s. We would commit ourselves to a path that celebrates our Humanity, connects us to Nature within and beyond, and nourishes our Souls.
Indeed, tackling complex, wicked challenges requires abandoning the logic of a machine-body, the illusion of technical solutions built without personal commitment, so that we can raise our collective, human consciousness. This means providing ways for the whole population to listen to their different realities, and to quickly reach a popular consensus on how to overcome these challenges in ways that strengthen solidarity.
According to the creator of Captcha tests, a million people could translate Wikipedia into a new language in 80 hours. Let us imagine what such a group could achieve if they had the capacity to sincerely agree on essential common projects, and implement them in a matter of days – free/libre and open source knowledge and infrastructures that could easily be adopted, reproduced and enriched across territories?
This five-part thesis documents six years of intense creation and research that enabled me to design how such a process could unfold.
* * *
First, I present my journey to the PhD, and how my research took shape through cycles of prototyping. I introduce the idea of the commons, which is to understand that people – not corporations or the state – have all the resources needed to overcome the challenges we face. This builds on the oeuvre of Elinor Ostrom, who showed that ordinary people can self-organise efficiently to preserve resources, and Stefano Rodotà, who pledged that any resource that meets basic needs must be managed in a participatory way, regardless of who owns it.
Secondly, I talk about Breathing Games, a commons I co-founded to make respiratory health fun. I show how this initiative, which initially objectified the children concerned – by thinking their health in their place –, then opened up a space for young people to share their subjective experience in a playful way that was beneficial to their comrades. I share how an ethic and aesthetic of commoning enabled us to engage over 450 volunteers, and mutualise resources from Canada, Switzerland, France, Italy, and South Korea.
Thirdly, I propose four levers to build solidarity-driven ecosystems. We need to:
— bring diverse people together for ludic events to overcome loneliness. For example, the online hackathons that mobilised 150,000 people at the start of the crown-crisis.
— generate collective value to overcome material limitations. For example, the autonomous networks of makers, who shared designs and manufactured over 48 million medical supplies while industry was at a standstill.
— facilitate agreements across teams of teams to overcome power games. For example, the Emerging Change, developed in Quebec schools and a Swiss multinational, enables teams to thrive and excel by establishing a ritual dialogue between the whole team and its leader, thus avoiding competition between individuals.
— revisit collective narratives to break free from self-servitude. For example, challenging the belief that an authority – parent, teacher, employer, politician, caregiver – can take care of our needs better than we can.
Fourthly, I present the Geneva festival ’taking care together’, a nine-day event created in 122 days thanks to 115 co-hosts. I quantify the collective value created by the Breathing Games and the festival at 2.2 million Swiss francs, 4/5 of which was generated by volunteer contributions.
Next, I provide a step-by-step facilitation method that could help thousands of people coordinate their efforts around a limited number of modular projects. I then outline how this model could re-create education, eradicate systemic corruption, resurrect democracy, and heal our dis-ease when we over-invest in the mind.
Finally, I summarise what I have learnt, and list about 600 references that inspired me. This creation-as-research can be freely reproduced and enriched (Creative Commons BY-SA licence, editable LaTeX format).
Concordia Salus
Learning Outcomes of Classroom Research
Personal pronouns are a linguistic device that is used to engage students at various educational levels. Personal pronouns are multifunctional, and their functions range from inclusion to exclusion, and include establishing of rapport with students. In this chapter, we compare the use of personal pronouns at university and secondary school levels. Our previous study (Yeo & Ting, 2014) showed the frequent use of you in lecture introductions (2,170 instances in the 37,373-word corpus) to acknowledge the presence of students. The arts lecturers were more inclusive than the science lecturers, reflected in the less frequent use of exclusive-we and we for one, as well as the frequent use of you-generalised. We have also compiled and analysed a 43,511-word corpus from 15 English lessons in three Malaysian secondary schools. This corpus yielded 2,019 instances of personal pronoun use. The results showed that you was the most frequently used personal pronoun, followed by we and I. You-audience was used more than you-generalised, and the main function was to give instructions to students. The teachers appeared to be more directive than the lecturers in the previous study, who sometimes used the inclusive-we for you and I and we for I to lessen the social distance with students, indicating that the discourse functions of personal pronouns vary with the educational context. The findings suggest that educators can be alerted to the versatility of personal pronouns, for example, for engaging students in the lesson and for asserting authority in the subject matter.
Keywords: student engagement; personal pronouns; lecture; classroom; teache
4th. International Conference on Advanced Research Methods and Analytics (CARMA 2022)
Research methods in economics and social sciences are evolving with the increasing availability of Internet and Big Data sources of information. As these sources, methods, and applications become more interdisciplinary, the 4th International Conference on Advanced Research Methods and Analytics (CARMA) is a forum for researchers and practitioners to exchange ideas and advances on how emerging research methods and sources are applied to different fields of social sciences, as well as to discuss current and future challenges. Due to the COVID pandemic, CARMA 2022 is planned as a virtual and face-to-face conference, simultaneously.
Doménech I De Soria, J.; Vicente Cuervo, MR. (2022). 4th. International Conference on Advanced Research Methods and Analytics (CARMA 2022). Editorial Universitat Politècnica de València. https://doi.org/10.4995/CARMA2022.2022.1595