Nudging folks towards stronger password choices: providing certainty is the key
Persuading people to choose strong passwords is challenging. One way to influence password strength, as and when people are making the choice, is to tweak the choice architecture to encourage stronger choices. A variety of choice architecture manipulations, i.e. “nudges”, have been trialled by researchers with a view to strengthening the overall password profile. None has made much of a difference so far. Here we report on our design of an influential behavioural intervention tailored to the password choice context: a hybrid nudge that significantly prompted stronger passwords. We carried out three longitudinal studies to analyse the efficacy of a range of “nudges” by manipulating the password choice architecture of an actual university web application. The first and second studies tested the efficacy of several simple visual framing “nudges”. Password strength did not budge. The third study tested expiration dates directly linked to password strength. This manipulation delivered a positive result: significantly longer and stronger passwords. Our main conclusion was that the final successful nudge provided participants with absolute certainty as to the benefit of a stronger password, and that it was this certainty that made the difference.
How WEIRD is Usable Privacy and Security Research? (Extended Version)
In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide suggestions, including facilitating replication studies, addressing geographic and linguistic issues in study/recruitment methods, and facilitating research on topics for non-WEIRD populations.
Comment: This paper is the extended version of the paper presented at USENIX SECURITY 202
The role of effort in security and privacy behaviours online
As more and more aspects of users’ lives go online, they can interact with each other, access services and purchase goods with unprecedented convenience and speed. However, this also means that users’ devices and data become more vulnerable to attacks. As security is often added to tools and services as an afterthought, it tends to be poorly integrated into the processes, and part of the effort of securing is often offloaded onto the user. Users are goal-driven and go online to get things done, so protecting their security and privacy might not be a priority. The six studies described in this dissertation examine the role of effort in users’ security and privacy behaviours online. First, two security studies use authentication diaries to examine the user effort required for authentication to organisational and online banking systems respectively. Second, two further studies are laboratory evaluations of proposed mechanisms for authentication and verification. Third, two privacy studies examine the role of effort in users’ information disclosure in web forms and evaluate a possible solution that could help users manage how much they disclose. All studies illustrate the different coping strategies users develop to manage their effort. They show that demanding too much effort can affect productivity, cause frustration and undermine the security these mechanisms were meant to offer. The work stresses the importance of conducting methodologically robust user evaluations of both proposed and deployed mechanisms in order to improve user satisfaction and their security and privacy.
The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities
In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only recently been investigated. As a proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry (i.e. the Common Vulnerability Scoring System (CVSS) v3), and designed a study to compare how accurately individuals with a background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between the education or experience of assessors and the quality of their assessments. In particular, we find that individual characteristics matter more than professional experience or formal education; apparently it is the combination of skills that one has (including actual knowledge of the system under study), rather than the specialization or the years of experience, that most influences assessment quality. Similarly, we find that the overall advantage given by professional expertise depends significantly on the composition of the individual's security skills as well as on the available information.
Comment: Presented at the Workshop on the Economics of Information Security (WEIS 2018), Innsbruck, Austria, June 201
Driving 2FA Adoption at Scale: Optimizing Two-Factor Authentication Notification Design Patterns
How Physicality Enables Trust: A New Era of Trust-Centered Cyberphysical Systems
Multi-agent cyberphysical systems enable new capabilities in efficiency, resilience, and security. The unique characteristics of these systems prompt a reevaluation of their security concepts, including their vulnerabilities and the mechanisms to mitigate these vulnerabilities. This survey paper examines how advancement in wireless networking, coupled with the sensing and computing in cyberphysical systems, can foster novel security capabilities. This study delves into three main themes related to securing multi-agent cyberphysical systems. First, we discuss the threats that are particularly relevant to multi-agent cyberphysical systems given the potential lack of trust between agents. Second, we present prospects for sensing, contextual awareness, and authentication, enabling the inference and measurement of “inter-agent trust” for these systems. Third, we elaborate on the application of quantifiable trust notions to enable “resilient coordination”, where “resilient” signifies sustained functionality amid attacks on multi-agent cyberphysical systems. We refer to the capability of cyberphysical systems to self-organize and coordinate to achieve a task as autonomy. This survey unveils the cyberphysical character of future interconnected systems as a pivotal catalyst for realizing robust, trust-centered autonomy in tomorrow's world.
Understanding Social Insider Intrusions to Personal Computing Devices
We examined the characteristics of social insider intrusions to personal computing devices. Social insider intrusions are situations in which one person physically accesses the device of someone they know, without permission. With devices like smartphones becoming hubs for social interaction, social insider intrusions have also become a central challenge to interpersonal privacy. Through a series of quantitative and qualitative empirical studies, we sought to better understand intrusions. Our analysis indicates that the frequency of intrusions is substantially higher than previously thought, and even prevalent among younger segments of the populations we analyzed. We found recurring patterns in how intrusions unfold, including a variety of motivations and access strategies, often successful despite the presence of security technologies like device locks. Our analysis offers both a snapshot in time and insight into foundational challenges that arise from technologies mediating interpersonal relationships.