Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes (SOUPS ’16)

Abstract Computer security problems often occur when there are disconnects between users’ understanding of their role in computer security and what is expected of them. To help users make good security decisions more easily, we need insights into the challenges they face in their daily computer usage. We built and deployed the Security Behavior Observatory (SBO) to collect data on user behavior and machine configurations from participants’ home computers. Combining…

Information Disclosure Concerns in The Age of Wearable Computing (USEC ’16)

Abstract Wearable devices, or “wearables,” bring great benefits but also potential information disclosure risks that could expose users’ activities without their awareness or consent. We surveyed 1,782 Internet users about various data associated with the capabilities of popular wearable devices on the market to identify the data disclosure scenarios that users find most concerning. Our study relatively ranks potential data capture scenarios enabled by wearables and investigates the impact of…

Keep on Lockin’ in the Free World: A Multi-National Comparison of Smartphone Locking (CHI ’16)

Abstract We present the results of an online survey of smartphone unlocking (N=8,286) that we conducted in eight different countries. The goal was to investigate differences in attitudes towards smartphone unlocking between different national cultures. Our results show that there are indeed significant differences across a range of categories. For instance, participants in Japan considered the data on their smartphones to be much more sensitive than those in other countries,…

Behavior Ever Follows Intention? A Validation of the Security Behavior Intentions Scale (SeBIS) (CHI ’16)

Abstract The Security Behavior Intentions Scale (SeBIS) measures the computer security attitudes of end-users. Because intentions are a prerequisite for planned behavior, the scale could therefore be useful for predicting users’ computer security behaviors. We performed three experiments to identify correlations between each of SeBIS’s four sub-scales and relevant computer security behaviors. We found that testing high on the awareness sub-scale correlated with correctly identifying a phishing website; testing high…

The Anatomy of Smartphone Unlocking: A Field Study of Android Lock Screens (CHI ’16)

Abstract To prevent unauthorized parties from accessing data stored on their smartphones, users have the option of enabling a “lock screen” that requires a secret code (e.g., PIN, drawing a pattern, or biometric) to gain access to their devices. We present a detailed analysis of the smartphone locking mechanisms currently available to billions of smartphone users worldwide. Through a month-long field study, we logged events from a panel of users…

The Myth of the Average User: Improving Privacy and Security Systems through Individualization (NSPW ’15)

Abstract While individual differences in decision-making have been examined within the social sciences for several decades, they have only recently begun to be applied by computer scientists to examine privacy and security attitudes (and ultimately behaviors). Specifically, several researchers have shown how different online privacy decisions are correlated with the “Big Five” personality traits. In this paper, we show that the five factor model is actually a weak predictor of…

Android Permissions Remystified: A Field Study on Contextual Integrity (USENIX Sec ’15)

Abstract We instrumented the Android platform to collect data regarding how often and under what circumstances smartphone applications access protected resources regulated by permissions. We performed a 36-person field study to explore the notion of “contextual integrity,” i.e., how often applications access protected resources when users are not expecting it. Based on our collection of 27M data points and exit interviews with participants, we examine the situations in which users…

Predicting Privacy and Security Attitudes (ACM CAS)

Abstract While individual differences in decision-making have been examined within the social sciences for several decades, this research has only recently begun to be applied by computer scientists to examine privacy and security attitudes (and ultimately behaviors). Specifically, several researchers have shown how different online privacy decisions are correlated with the “Big Five” personality traits. However, in our own research, we show that the five factor model is actually a…

Somebody’s Watching Me? Assessing the Effectiveness of Webcam Indicator Lights (CHI ’15)

Abstract Most laptops and personal computers have webcams with LED indicators to notify users when they are recording. Because hackers use surreptitiously captured webcam recordings to extort users, we explored the effectiveness of these indicators under varying circumstances and how they could be improved. We observed that, on average, fewer than half of our participants (45%) noticed the existing indicator during computer-based tasks. When seated in front of the computer…

Is This Thing On? Crowdsourcing Privacy Indicators for Ubiquitous Sensing Platforms (CHI ’15)

Abstract We are approaching an environment where ubiquitous computing devices will constantly accept input via audio and video channels: kiosks that determine demographic information of passersby, gesture controlled home entertainment systems and audio controlled wearable devices are just a few examples. To enforce the principle of least privilege, recent proposals have suggested technical approaches to limit third-party applications to receiving only the data they need, rather than entire audio or…