The simpler, the better? Presenting the COPING Android permission-granting interface for better privacy-related decisions

One of the great innovations of the modern world is the Smartphone app. The sheer multitude of available apps attests to their popularity and general ability to satisfy our wants and needs. The flip side of the functionality these apps offer is their potential for privacy invasion. Apps can, if granted permission, gather a vast amount of very personal and sensitive information. App developers might exploit the combination of human propensities and the design of the Android permission-granting interface to gain permission to access more information than they really need. This compromises personal privacy. The fact that the Android is the globally dominant phone means widespread privacy invasion is a real concern. We, and other researchers, have proposed alternatives to the Android permission-granting interface. The aim of these alternatives is to highlight privacy considerations more effectively during app installation: to ensure that privacy becomes part of the decision-making process. We report here on a study with 344 participants that compared the impact of a number of permission-granting interface proposals, including our own (called the COPING interface — COmprehensive PermIssioN Granting) and two Android interfaces. To conduct the comparison we carried out an online study with a mixed-model design. Our main finding is that the focus in these interfaces ought to be on improving the quality of the provided information rather than merely simplifying the interface. The intuitive approach is to reduce and simplify information, but we discovered that this actually impairs the quality of the decision. Our recommendation is that further investigation is required in order to find the “sweet spot” where understandability and comprehensiveness are maximised

What did I really vote for? On the usability of verifiable e-voting schemes

E-voting has been embraced by a number of countries, delivering benefits in terms of efficiency and accessibility. End-to-end verifiable e-voting schemes facilitate verification of the integrity of individual votes during the election process. In particular, methods for cast-as-intended verification enable voters to confirm that their cast votes have not been manipulated by the voting client. A well-known technique for effecting cast-as-intended verification is the Benaloh Challenge. The usability of this challenge is crucial because voters have to be actively engaged in the verification process. In this paper, we report on a usability evaluation of three different approaches of the Benaloh Challenge in the remote e-voting context. We performed a comparative user study with 95 participants. We conclude with a recommendation for which approaches should be provided to afford verification in real-world elections and suggest usability improvements

User experiences of TORPEDO: TOoltip-poweRed Phishing Email DetectiOn

We propose a concept called TORPEDO to improve phish detection by providing just-in-time and just-in-place trustworthy tooltips. These help people to identify phish links embedded in emails. TORPEDO's tooltips contain the actual URL with the domain highlighted. Link activation is delayed for a short period, giving the person time to inspect the URL before they click on a link. Furthermore, TORPEDO provides an information diagram to explain phish detection. We evaluated TORPEDO's effectiveness, as compared to the worst case “status bar” as provided by other Web email interfaces. People using TORPEDO performed significantly better in detecting phishes and identifying legitimate emails (85.17% versus 43.31% correct answers for phish). We then carried out a field study with a number of TORPEDO users to explore actual user experiences of TORPEDO. We conclude the paper by reporting on the outcome of this field study and suggest improvements based on the feedback from the field study participants

Addressing Misconceptions About Password Security Effectively

Nowadays, most users need more passwords than they can handle. Consequently, users have developed a multitude of strategies to cope with this situation. Some of these coping strategies are based on misconceptions about password security. In such cases, the users are unaware of their insecure password practices. Addressing the misconceptions is vital in order to decrease insecure coping strategies. We conducted a systematic literature review with the goal to provide an overview of the misconceptions about password security. Our literature review revealed that misconceptions exist in basically all aspects of password security. Furthermore, we developed interventions to address these misconceptions. Then, we evaluated the interventions\u27 effectiveness in decreasing the misconceptions at three small and medium sized enterprises (SME). Our results show that the interventions decrease the overall prevalence of misconceptions significantly in the participating employees

Ver-/Misstrauen Schaffende Maßnahme beim e-Voting

Eine wichtige Voraussetzung für die Einführung von e-Voting und insbesondere von Online-Wahlen ist die Transparenz und das Vertrauen in das eingesetzte System. Durch die Verlagerung der Kontrolle vom Wahlvorstand zur Technik werden zusätzliche Verifikationsmöglichkeiten gefordert, damit sich der Wahlvorstand, die Wähler sowie die Kandidaten davon überzeugen können, dass die Wahl ordnungsgemäß abgelaufen ist. Dieser Beitrag zeigt, dass einige der Überprüfungstechniken zwingend eingesetzt werden müssen, andere sinnvoll sind aber wieder andere zu Misstrauen schaffenden Maßnahmen werden können und auch aus Benutzerfreundlichkeitsgründen indiskutabel sind.&nbsp

Exploring Mental Models Underlying PIN Management Strategies

PINs have been around for half a century and many insecure PIN-related practices are used. We attempted to mitigate by developing two new PIN memorial assistance mechanisms that we tested in an online study. We were not able to show an improvement in memorability, mostely because people did not use the memorial aids. We realised that a greater insight into PIN Management mental models was needed, in order to better formulate mitigation approaches. We proceeded to study PIN-related mental models, and we present our finding in this paper. The insights we gained convinced us that security researchers should not presume that people want, or need, our advice or help in any security context; they might well prefer to continue with their usual trusted practices. Yet advice should indeed still be offered, for those who do want it, and we give some suggestions about how this advice should look like in the PIN context

Efficiency Comparison of Various Approaches in E-Voting Protocols

In order to ensure the security of remote Internet voting, the systems that are currently proposed make use of complex cryptographic techniques. Since these techniques are often computationally extensive, efficiency becomes an issue. Identifying the most efficient Internet voting system is a non-trivial task -- in particular for someone who does not have a sufficient knowledge on the systems that currently exist, and on the cryptographic components that constitute those systems. Aside from these components, the efficiency of Internet voting also depends on various parameters, such as expected number of participating voters and ballot complexity. In this paper we propose a tool for evaluating the efficiency of different approaches for an input scenario, that could be of use to election organizers deciding how to implement the voting system