A User-Focused Reference Model for Wireless Systems Beyond 3G

This whitepaper describes a proposal from Working Group 1, the Human Perspective of the Wireless World, for a user-focused reference model for systems beyond 3G. The general structure of the proposed model involves two "planes": the Value Plane and the Capability Plane. The characteristics of these planes are discussed in detail and an example application of the model to a specific scenario for the wireless world is provided

Better the Devil You Know: A User Study of Two CAPTCHAs and a Possible Replacement

CAPTCHAs are difficult for humans to use, causing frustration. Alternatives have been proposed, but user studies equate usability to solvability. We consider the user perspective to include workload and context of use. We assess traditional text-based CAPTCHAs alongside PlayThru, a 'gamified' verification mechanism, and NoBot, which uses face biometrics. A total of 87 participants were tasked with ticket-buying across three conditions: (1) all three mechanisms in comparison, and NoBot three times (2) on a laptop, and (3) on a tablet. A range of quantitative and qualitative measurements explored the user perspective. Quantitative results showed that participants completed reCAPTCHAs quickest, followed by PlayThru and NoBot. Participants were critical of NoBot in comparison but praised it in isolation. Despite reporting negative experiences with reCAPTCHAs, they were the preferred mechanism, due to familiarity and a sense of security and control. Although slower, participants praised NoBot's completion speeds, but regarded using personal images as invading privacy

"I don’t like putting my face on the Internet!": An acceptance study of face biometrics as a CAPTCHA replacement

Biometric technologies have the potential to reduce the effort involved in securing personal activities online, such as purchasing goods and services. Verifying that a user session on a website is attributable to a real human is one candidate application, especially as the existing CAPTCHA technology is burdensome and can frustrate users. Here we examine the viability of biometrics as part of the consumer experience in this space. We invited 87 participants to take part in a lab study, using a realistic ticket-buying website with a range of human verification mechanisms including a face biometric technology. User perceptions and accep- tance of the various security technologies were explored through interviews and a range of questionnaires within the study. The results show that some users wanted reassurance that their personal image will be protected or discarded af- ter verifying, whereas others felt that if they saw enough people using face biometrics they would feel assured that it was trustworthy. Face biometrics were seen by some par- ticipants to be more suitable for high-security contexts, and by others as providing extra personal data that had unac- ceptable privacy implications

Transmission of primary resistance mutation K103N in a cluster of Belgian young patients from different risk groups

Background: We analysed the distribution of an HIV-1 subtype B strain resistant to efavirenz and nevirapine among incident infections in the Belgian population. Method: The Belgian AIDS reference laboratories searched their databases for HIV-1 subtype B sequences harbouring the K103N mutation in the reverse transcriptase (RT) or the C67S and V77I mutations in the protease (PR). We included the earliest RT sequence available of drug-naïve patients as well as sequences related to treatment failure. Fifty sequences were aligned omitting the codon 103 and submitted to phylogenetic analysis. Epidemiological data were collected through the Institute of Public Health national database. In addition, three sequences from the cluster were analysed by deep sequencing using the Roche GS Junior platform. Results: Phylogenetic analysis revealed the presence of a 24 virus sequences cluster. All except one of those sequences resulted from patients who were ARV-naïve at the time of sampling, and 21 had the K103N mutation. Two thirds of the clustered patients were infected through homosexual or bisexual contacts while the others were heterosexuals. No case was related to migrants contaminated abroad. Fifteen of the clustered patients were diagnosed between January 2011 and June 2012; 87% of them were aged between 20 and 29 at the time of diagnosis. Interestingly, 60% of them reside in the province of Namur. Deep sequencing analysis of 3 individuals sampled near seroconversion revealed no other resistance mutations at a frequency > 1% than those already picked up by Sanger sequencing (RT A98S, K103N; PR V77I), except the RT V90I. Conclusion: We identified a transmission cluster of drug resistant HIV-1 variants mainly including homo- and heterosexual young adults. Most individuals are of Belgian origin and are living around the city of Namur (Belgium). The K103N mutation had no apparent impact on transmission fitness as its spread raised during the last years. These observations may impact on local prevention and ARV prophylaxis strategies

Towards robust experimental design for user studies in security and privacy

Background: Human beings are an integral part of computer security, whether we actively participate or simply build the systems. Despite this importance, understanding users and their interaction with security is a blind spot for most security practitioners and designers. / Aim: Define principles for conducting experiments into usable security and privacy, to improve study robustness and usefulness. / Data: The authors’ experiences conducting several research projects complemented with a literature survey. Method: We extract principles based on relevance to the advancement of the state of the art. We then justify our choices by providing published experiments as cases of where the principles are and are not followed in practice to demonstrate the impact. Each principle is a discipline specific instantiation of desirable experiment-design elements as previously established in the domain of philosophy of science. / Results: Five high-priority principles – (i) give participants a primary task; (ii) incorporate realistic risk; (iii) avoid priming the participants; (iv) perform doubleblind experiments whenever possible and (v) think carefully about how meaning is assigned to the terms threat model, security, privacy, and usability. / Conclusion: The principles do not replace researcher acumen or experience, however they can provide a valuable service for facilitating evaluation, guiding younger researchers and students, and marking a baseline common language for discussing further improvements

Applying Cognitive Control Modes to Identify Security Fatigue Hotspots

Security tasks can burden the individual, to the extent that security fatigue promotes habits that undermine security. Here we revisit a series of user-centred studies which focus on security mechanisms as part of regular routines, such as two-factor authentication. By examining routine security behaviours, these studies expose perceived contributors and consequences of security fatigue, and the strategies that a person may adopt when feeling overburdened by security. Behaviours and strategies are framed according to a model of cognitive control modes, to explore the role of human performance and error in producing security fatigue. Security tasks are then considered in terms of modes such as unconscious routines and knowledge-based ad-hoc approaches. Conscious attention can support adaptation to novel security situations, but is error-prone and tiring; both simple security routines and technology-driven automation can minimise effort, but may miss cues from the environment that a nuanced response is required

Dead on Arrival: Recovering from Fatal Flaws in Email Encryption Tools

Background. Since Whitten and Tygar’s seminal study of PGP 5.0 in 1999, there have been continuing efforts to produce email encryption tools for adoption by a wider user base, where these efforts vary in how well they consider the usability and utility needs of prospective users. Aim. We conducted a study aiming to assess the user experience of two open-source encryption software tools – Enigmail and Mailvelope. Method. We carried out a three-part user study (installation, home use, and debrief) with two groups of users using either Enigmail or Mailvelope. Users had access to help during installation (installation guide and experimenter with domain-specific knowledge), and were set a primary task of organising a mock flash mob using encrypted emails in the course of a week. Results. Participants struggled to install the tools – they would not have been able to complete installation without help. Even with help, setup time was around 40 minutes. Participants using Mailvelope failed to encrypt their initial emails due to usability problems. Participants said they were unlikely to continue using the tools after the study, indicating that their creators must also consider utility. Conclusions. Through our mixed study approach, we conclude that Mailvelope and Enigmail had too many software quality and usability issues to be adopted by mainstream users. Methodologically, the study made us rethink the role of the experimenter as that of a helper assisting novice users with setting up a demanding technology

Usable biometrics for an ageing population

In this chapter, we examine the implications of ageing for the usability of biometric solutions. We first set out what usability means, and which factors need to be considered when designing a solution that is ‘usable’. We review usability successes and issues with past biometric techniques, in the context of a set of solutions, before considering how usability will be affected for ageing users because of the physical and cognitive changes they undergo. Finally, we identify the opportunities and challenges that ageing presents for researchers, developers and operators of biometric systems

Considering the User in the Wireless World

The near future promises significant advances in communication capabilities, but one of the keys to success is the capability understanding of the people with regards to its value and usage. In considering the role of the user in the wireless world of the future, the Human Perspective Working Group (WG1) of the Wireless World Research Forum has gathered input and developed positions in four important areas: methods, processes, and best practices for user-centered research and design; reference frameworks for modeling user needs within the context of wireless systems; user scenario creation and analysis; and user interaction technologies. This article provides an overview of WG1's work in these areas that are critical to ensuring that the future wireless world meets and exceeds the expectations of people in the coming decades

The Security Blanket of the Chat World: An Analytic Evaluation and a User Study of Telegram

The computer security community has advocated widespread adoption of secure communication tools to protect personal privacy. Several popular communication tools have adopted end-to-end encryption (e.g., WhatsApp, iMessage), or promoted security features as selling points (e.g., Telegram, Signal). However, previous studies have shown that users may not understand the security features of the tools they are using, and may not be using them correctly. In this paper, we present a study of Telegram using two complementary methods: (1) a labbased user study (11 novices and 11 Telegram users), and (2) a hybrid analytical approach combining cognitive walk-through and heuristic evaluation to analyse Telegram’s user interface. Participants who use Telegram feel secure because they feel they are using a secure tool, but in reality Telegram offers limited security benefits to most of its users. Most participants develop a habit of using the less secure default chat mode at all times. We also uncover several user interface design issues that impact security, including technical jargon, inconsistent use of terminology, and making some security features clear and others not. For instance, use of the end-to-end-encrypted Secret Chat mode requires both the sender and recipient be online at the same time, and Secret Chat does not support group conversations