5 research outputs found
On the usability of authentication security communication
Information technology has become more and more ubiquitous in recent times, and it affects almost all aspects of modern life. To protect this technology and its underlying resources, the relevance of computer security has increased as well. However, the past has shown that in many regards, computer security not only depends on secure software and strong cryptography, but is also highly influenced by how humans interact with it.
Therefore, usable security and privacy has emerged as a novel research area. It examines how users understand security tooling and measures, and how they interact with them. Furthermore, its main goal is to improve security and related processes to make them easy to understand or use even for novices. In consequence, communication of security risks and potential mitigations is a major factor of usable security.
In this thesis, I examine how security is communicated in different areas and between different stakeholders, with the overarching goal of evaluating in which ways communication can be improved, and what consequences a lack of communication can have. In my presented research, I evaluate the usability of authentication measures as a prime example of security measures that are both highly relevant for every type of user, and highly damaging when security is breached. Therefore, I present three peer-reviewed papers in this thesis:
In the first, I investigate the setup process of password managers, a tedious task in which users ideally add all passwords at once, while updating them to stronger alternatives. I examine both the onboarding features that password managers provide, and survey end users to inquire how they handled the task of setting up their password managers.
In the second work, I examine the communication of multi-factor authentication, especially regarding its recovery after the additional factors become inaccessible. Therefore, I collected authentication and recovery methods mentioned on websites, and conducted a user experience study to gauge whether the described processes are accurate.
In the final one, I examine an expert cohort by conducting interviews with open-source contributors, asking them about their individual security measures, such as usage of password managers, and how individual security is communicated to and between contributors.
Overall, I find that communication is lacking in various areas: In my research, service providers failed to clearly communicate their policies by either not providing guidance or not updating it, leading to a confusing status quo and insecure decision-making. In other areas, developers preferred to not communicate their security measures and best practices, leading to a volatile environment of unspoken expectations.
The results of my research suggest that a more precise and clear communication of both risks and their mitigations can achieve a higher understanding, and in consequence, adoption of security measures. What needs to be communicated or enforced to reach people and increase their authentication security varies; however, with more research and diligence, these challenges can be overcome.
The German Revised version of the Niigata PPPD Questionnaire (NPQ-R): Development with patient interviews and an expert Delphi consensus.
Background: Persistent postural-perceptual dizziness (PPPD) is a functional disorder of the nervous system and currently one of the most common types of chronic dizziness. Currently existing questionnaires do not fully assess patients' specific symptoms of PPPD. The Japanese Niigata PPPD Questionnaire (NPQ) was recently developed following consensus-based diagnosis criteria. The aim of this study was to translate it into German, evaluate its content with the help of experts and patients and, if necessary, revise the original version to allow for a comprehensive assessment of patients' PPPD-related symptoms.
Methods: A 3-round expert Delphi survey and semi-structured patient interviews were conducted. 28 experts from Switzerland, Germany and Austria working in hospitals or outpatient centres were asked to complete a first questionnaire on various aspects of PPPD, on the translated, original NPQ and their own related experiences (Round one), a second questionnaire with statements regarding PPPD they could agree or disagree with using a 6-point Likert-scale (Round two), and a third survey to finally reach a consensus on statements to be integrated into the NPQ. In addition, eleven patients (mean age of 64.6±12.6 years; 6 females) were selected according to the criteria for the diagnosis of PPPD proposed by the Bárány Society and participated in a semi-structured interview asking for their opinion on the content of the original NPQ. All collected data were analysed using a descriptive evaluation and a qualitative content analysis based on verbatim transcripts.
Results: Seven new items were added to the NPQ based on expert and patient comments and ratings. Its revised version (NPQ-R) comprises 19 items divided into five subscales using a 7-point Likert-scale with two additional subscales relating to associated symptoms and symptom behaviour in PPPD. The new maximal score is 114 points compared to 72 for the NPQ.
Conclusion: The NPQ-R is the first patient-reported outcome measurement for patients with PPPD in German. It should help to provide a comprehensive assessment of the intensity of PPPD in affected patients.