15 research outputs found

    How WEIRD is Usable Privacy and Security Research? (Extended Version)

    In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide suggestions, including facilitating replication studies, addressing geographic and linguistic issues of study/recruitment methods, and facilitating research on topics for non-WEIRD populations. Comment: This paper is the extended version of the paper presented at USENIX SECURITY 202

    Applications of Context-Aware Systems in Enterprise Environments

    In bring-your-own-device (BYOD) and corporate-owned, personally enabled (COPE) scenarios, employees’ devices store both enterprise and personal data, and have the ability to remotely access a secure enterprise network. While mobile devices enable users to access such resources in a pervasive manner, they also increase the risk of breaches of sensitive enterprise data, as users may access the resources under insecure circumstances. That is, access authorizations may depend on the context in which the resources are accessed. In both scenarios, it is vital that the security of accessible enterprise content is preserved. In this work, we explore the use of contextual information to influence access control decisions within context-aware systems to ensure the security of sensitive enterprise data. We propose several context-aware systems that rely on a system of sensors in order to automatically adapt access to resources based on the security of users’ contexts. We investigate various types of mobile devices with varying embedded sensors, and leverage these technologies to extract contextual information from the environment. As a direct consequence, the technologies utilized determine the types of contextual access control policies that the context-aware systems are able to support and enforce. Specifically, the work proposes the use of devices pervasive in enterprise environments, such as smartphones or WiFi access points, to authenticate user positional information within indoor environments as well as user identities
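    One way to realise the kind of contextual access-control decision the abstract describes, written here as an added example rather than the thesis's own code: the client attaches the context it observed (device enrolment, MFA state, the strongest Wi-Fi access point it can see and how old the readings are), and the policy releases a high-sensitivity resource only while a trusted enterprise access point is seen at close range. The BSSIDs, thresholds, reason codes and sample contexts are constructed assumptions, not values from the thesis; a seen BSSID is evidence of position, not proof, since BSSIDs can be spoofed.

```python
"""Added example, not code from the thesis above: a minimal context-aware
access-control check for BYOD/COPE devices. A request carries the context the
client observed (device enrolment, MFA state, nearby Wi-Fi access point), and
sensitive resources are released only while that context looks secure.
The BSSIDs, thresholds and sample contexts are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed: access points the enterprise owns. Seeing one at a strong signal
# is used as evidence (not proof: BSSIDs can be spoofed) that the device is
# physically inside the office.
TRUSTED_BSSIDS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}
MIN_RSSI_DBM = -65        # weaker signals may still be received from outside
MAX_CONTEXT_AGE_S = 60    # sensor readings older than this are not trusted


@dataclass
class Context:
    """Contextual information a mobile client attaches to a request."""
    user: str
    mfa_verified: bool
    device_managed: bool          # MDM-enrolled (COPE) or has a work profile (BYOD)
    wifi_bssid: Optional[str]     # strongest AP currently visible, if any
    wifi_rssi_dbm: Optional[int]
    age_s: int                    # seconds since the readings were taken


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # empty when allowed


def on_premises(ctx: Context) -> bool:
    """Positional check: a trusted AP seen above the RSSI threshold."""
    return (
        ctx.wifi_bssid in TRUSTED_BSSIDS
        and ctx.wifi_rssi_dbm is not None
        and ctx.wifi_rssi_dbm >= MIN_RSSI_DBM
    )


def evaluate(sensitivity: str, ctx: Context) -> Decision:
    """Fail closed: every unmet condition is recorded and any one of them denies.

    Resources other than 'high' need a managed device, MFA and fresh context;
    'high' resources additionally require the device to be on premises.
    """
    reasons = []
    if ctx.age_s > MAX_CONTEXT_AGE_S:
        reasons.append("context-stale")
    if not ctx.device_managed:
        reasons.append("device-unmanaged")
    if not ctx.mfa_verified:
        reasons.append("mfa-missing")
    if sensitivity == "high" and not on_premises(ctx):
        reasons.append("not-on-premises")
    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample contexts.
    at_desk = Context("alice", True, True, "aa:bb:cc:dd:ee:01", -50, 5)
    car_park = Context("alice", True, True, "aa:bb:cc:dd:ee:01", -80, 5)
    print(evaluate("high", at_desk))    # allowed
    print(evaluate("high", car_park))   # denied: not-on-premises
    print(evaluate("low", car_park))    # allowed
```

    The decision lists every failed condition rather than stopping at the first, which is what an audit log needs; the reason codes are illustrative. A real deployment would also have the server, not the client, attest the device state (for example through an MDM or attestation API), since a context self-reported by an untrusted device is only as trustworthy as the device.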

    Government as a platform, orchestration, and public value creation: the Italian case

    E-Government literature has discussed how the adoption of the Government as a Platform (GaaP) can help public administration to produce more efficient public services. However, since little attention has been given to the impact of GaaP on public value creation more research is needed to analyse whether the GaaP is effective to help the government to deliver public services that fulfil social expectations and, hence, public value. Indeed, efficiency does not guarantee public value. Besides efficiency, public value incorporates citizens' variegated expectations and needs that change over time and that are sometimes rival. For these reasons, the delivery of public value is often challenging for public agencies. The aim of this paper is to explain how the GaaP configuration can help public administration to deliver public value better. The paper finds that the modularity of the platform configuration and different ecosystems that support public agencies need to be orchestrated to support the effective creation of public value. The authors analyse the case of the Italian GaaP initiative to discuss the importance of the orchestration of the GaaP characteristics to improve the coordination among public agencies and enable the co-production of services with external actors, in order to deliver public value better. The findings show that the orchestration of the GaaP configuration characteristics can enable Italian public administration to deliver public value, but also that, if the GaaP is not properly orchestrated, it can constrain the creation of public value

    The Dilemma of Security Smells and How to Escape It

    A single mobile app can now be more complex than entire operating systems ten years ago, thus security becomes a major concern for mobile apps. Unfortunately, previous studies focused rather on particular aspects of mobile application security and did not provide a holistic overview of security issues. Therefore, they could not accurately understand the fundamental flaws to propose effective solutions to common security problems. In order to understand these fundamental flaws, we followed a hybrid strategy, i.e., we collected reported issues from existing work, and we actively identified security-related code patterns that violate best practices in software development. We further introduced the term ``security smell,'' i.e., a security issue that could potentially lead to a vulnerability. As a result, we were able to establish comprehensive security smell catalogues for Android apps and related components, i.e., inter-component communication, web communication, app servers, and HTTP clients. Furthermore, we could identify a dilemma of security smells, because most security smells require unique fixes that increase the code complexity, which in return increases the risk of introducing more security smells. With this knowledge, we investigate the interaction of our security smells with the 192 Mitre CAPEC attack mechanism categories of which the majority could be mitigated with just a few additional security measures. These measures, a String class with behavior and the more thorough use of secure default values and paradigms, would simplify the application logic and at the same time largely increase security if implemented appropriately. We conclude that application security has to focus on the String class, which has not largely changed over the last years, and secure default values and paradigms since they are the smallest common denominator for a strong foundation to build resilient applications. Moreover, we provide an initial implementation for a String class with behavior, however the further exploration remains future work. Finally, the term ``security smell'' is now widely used in academia and eases the communication among security researchers

    The Dilemma of Security Smells and How to Escape It

    A single mobile app can now be more complex than entire operating systems ten years ago, thus security becomes a major concern for mobile apps. Unfortunately, previous studies focused rather on particular aspects of mobile application security and did not provide a holistic overview of security issues. Therefore, they could not accurately understand the fundamental flaws to propose effective solutions to common security problems. In order to understand these fundamental flaws, we followed a hybrid strategy, i.e., we collected reported issues from existing work, and we actively identified security-related code patterns that violate best practices in software development. Based on these findings, we compiled a list of security smells, i.e., security issues that could potentially lead to a vulnerability. As a result, we were able to establish comprehensive security smell catalogues for Android apps and related components, i.e., inter-component communication, web communication, app servers, and HTTP clients. Furthermore, we could identify a dilemma of security smells, because most security smells require unique fixes that increase the code complexity, which in return increases the risk of introducing more security smells. With this knowledge, we investigate the interaction of our security smells with the 192 Mitre CAPEC attack mechanism categories of which the majority could be mitigated with just a few additional security measures. These measures, a String class with behavior and the more thorough use of secure default values and paradigms, would simplify the application logic and at the same time largely increase security if implemented appropriately. We conclude that application security has to focus on the String class, which has not largely changed over the last years, and secure default values and paradigms since they are the smallest common denominator for a strong foundation to build resilient applications. Moreover, we provide an initial implementation for a String class with behavior, however the further exploration remains future work. Finally, the term "security smell" is now widely used in academia and eases the communication among security researchers
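    The two abstracts above argue for a "String class with behavior" and secure defaults as the measure that would mitigate most of the CAPEC categories their smells map to. The following is an added example of what such a type can look like, not the thesis's own implementation and not its Android/Java code: text from outside the trust boundary is wrapped in an Untrusted type that refuses to be turned into a plain string, and each sink (an HTML template, a SQL LIKE query) accepts only the encoded type it needs, so forgetting to escape becomes a type error instead of a smell found in review. The class names, the sink functions and the sample rows are constructed for illustration.

```python
"""Added example, not the thesis's own implementation: a 'String class with
behavior'. Text from outside the trust boundary is wrapped in Untrusted, which
refuses to be stringified; each sink accepts only the encoded type it needs,
so escaping is the default and forgetting it is a type error rather than a
security smell found in review. Names and sample data are constructed."""
import html
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class HtmlSafe:
    """Text already HTML-escaped; only this type may be placed in markup."""
    text: str


@dataclass(frozen=True)
class SqlLikeLiteral:
    """A LIKE fragment with %, _ and backslash escaped; still bound as a parameter."""
    pattern: str


@dataclass(frozen=True)
class Untrusted:
    """Raw input. It has behaviour (encoders) but no implicit string form."""
    raw: str

    def __str__(self) -> str:
        # Blocks f"...{value}..." and "..." + str(value): fail loudly, not silently.
        raise TypeError("Untrusted value used without encoding")

    def for_html(self) -> HtmlSafe:
        return HtmlSafe(html.escape(self.raw, quote=True))

    def for_sql_like(self) -> SqlLikeLiteral:
        escaped = (self.raw.replace("\\", "\\\\")
                           .replace("%", "\\%")
                           .replace("_", "\\_"))
        return SqlLikeLiteral(escaped)


def rejects_implicit_use(value: Untrusted) -> bool:
    """True if the value cannot be silently interpolated into a plain string."""
    try:
        f"{value}"
    except TypeError:
        return True
    return False


def render_greeting(name: HtmlSafe) -> str:
    """HTML sink: the type check is the secure default, not an optional escape call."""
    if not isinstance(name, HtmlSafe):
        raise TypeError("render_greeting requires HtmlSafe")
    return f"<p>Hello, {name.text}</p>"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob_admin",), ("100%",)])   # constructed rows
    return conn


def search_users(conn: sqlite3.Connection, fragment: SqlLikeLiteral) -> list:
    """SQL sink: bound parameter plus ESCAPE so user wildcards match literally."""
    if not isinstance(fragment, SqlLikeLiteral):
        raise TypeError("search_users requires SqlLikeLiteral")
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (f"%{fragment.pattern}%",),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    print(render_greeting(Untrusted("<b>x</b>").for_html()))
    print(search_users(conn, Untrusted("%").for_sql_like()))   # only the row containing '%'
```

    The point of the design is that the encoding lives with the value rather than at every call site: `render_greeting(Untrusted("<b>x</b>"))` raises instead of emitting markup, and a search for `%` or `_admin` matches those characters literally instead of acting as a wildcard (the bound parameter already prevents injection; the ESCAPE clause closes the wildcard hole that parameterisation alone leaves open).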

    Socio-Cognitive and Affective Computing

    Social cognition focuses on how people process, store, and apply information about other people and social situations. It focuses on the role that cognitive processes play in social interactions. On the other hand, the term cognitive computing is generally used to refer to new hardware and/or software that mimics the functioning of the human brain and helps to improve human decision-making. In this sense, it is a type of computing with the goal of discovering more accurate models of how the human brain/mind senses, reasons, and responds to stimuli. Socio-Cognitive Computing should be understood as a set of theoretical interdisciplinary frameworks, methodologies, methods and hardware/software tools to model how the human brain mediates social interactions. In addition, Affective Computing is the study and development of systems and devices that can recognize, interpret, process, and simulate human affects, a fundamental aspect of socio-cognitive neuroscience. It is an interdisciplinary field spanning computer science, electrical engineering, psychology, and cognitive science. Physiological Computing is a category of technology in which electrophysiological data recorded directly from human activity are used to interface with a computing device. This technology becomes even more relevant when computing can be integrated pervasively in everyday life environments. Thus, Socio-Cognitive and Affective Computing systems should be able to adapt their behavior according to the Physiological Computing paradigm. This book integrates proposals from researchers who use signals from the brain and/or body to infer people's intentions and psychological state in smart computing systems. The design of such systems combines knowledge and methods of ubiquitous and pervasive computing, as well as physiological data measurement and processing, with those of socio-cognitive and affective computing

    INNOVATIVE DIGITAL START-UPS AND THEIR VENTURE CREATION PROCESS WITH ENABLING DIGITAL PLATFORMS

    Start-ups have gained media attention since Google, Facebook and Amazon were launched in the 1990s. The book Lean Start-up, published in 2011, was another important milestone for digital start-up literature. As unicorn companies emerge around the world, topics highlighted in the news include the vast amount of capital that digital start-ups are raising, the ways in which these digital ventures are disrupting industries, and their global impact on digital economy. However, digital start-ups, digital venture ideas, and their venture creation process lack a unified venture creation model, as there is a gap in the research on entrepreneurial processes in a digital context. This research is an explorative study of the venture creation process of innovative digital start-ups that examines what is missing from entrepreneurial process models in a digital technology context and investigates how early stage digital start-ups conduct the venture creation process, starting with the pre-phase of antecedents and ending with the launch and scaling of the venture. The research proposes a novel process model of innovative digital start-up venture creation and describes the nature and patterns of the process. A conceptual model was developed based on the entrepreneurship, information systems, and digital innovation literature and empirically assessed with a multi-method qualitative research design. The data collected from semi-structured interviews, internet sources, and observation field notes covered 34 innovative digital start-ups and their founders. Interviews were conducted internationally in high-ranking start-up ecosystems, and the data were analysed with thematic analysis and fact-checked by triangulating internet data sources. The contribution to entrepreneurship theory is a new illustrative model of the venture creation process of innovative digital start-ups, including the emergent outcome of the process having a digital artefact at its core (e.g., mobile apps, web-based solutions, digital platforms, software solutions, and digital ecosystems). Digital platforms and their multiple roles in the process are presented, as well as the role of critical events as moderators of the process which trigger new development cycles. During the venture creation process, the recombining of digital technologies, modules, and components enabled by digital infrastructures, platforms, and ecosystem partners represent digital technology affordances. This recombination provides opportunities for asset-free development of digital venture ideas

    What People Leave Behind

    This open access book focuses on a particular but significant topic in the social sciences: the concepts of “footprint” and “trace”. It associates these concepts with hotly debated topics such as surveillance capitalism and knowledge society. The editors and authors discuss the concept footprints and traces as unintended by-products of other (differently focused and oriented) actions that remain empirically imprinted in virtual and real spaces. The volume therefore opens new scenarios for social theory and applied social research in asking what the stakes, risks and potential of this approach are. It systematically raises and addresses these questions within a consistent framework, bringing together a heterogeneous group of international social scientists. Given the multifaceted objectives involved in exploring footprints and traces, the volume discusses heuristic aspects and ethical dimensions, scientific analyses and political considerations, empirical perspectives and theoretical foundations. At the same time, it brings together perspectives from cultural analysis and social theory, communication and Internet studies, big-data informed research and computational social science. This innovative volume is of interest to a broad interdisciplinary readership: sociologists, communication researchers, Internet scholars, anthropologists, cognitive and behavioral scientists, historians, and epistemologists, among others

    Changing frontiers of ethics in finance : Ethics & Trust in Finance Global Prize Awards 2012–2017
