Empirical Measurement of Systemic 2FA Usability (USENIX Sec ’20)

Abstract Two-Factor Authentication (2FA) hardens an organization against user account compromise, but adds an extra step to organizations’ mission-critical tasks. We investigate to what extent quantitative analysis of operational logs of 2FA systems both supports and challenges recent results from user studies and surveys identifying usability challenges in 2FA systems. Using tens of millions of logs and records kept at two public universities, we quantify the at-scale impact on organizations and…

“You’ve Got Your Nice List of Bugs, Now What?” Vulnerability Discovery and Management Processes in the Wild (SOUPS ’20)

Abstract Organizational security teams have begun to specialize, and as a result, the existence of red, blue, and purple teams have been used as signals for an organization’s security maturity. There is also now a rise in the use of third-party contractors who offer services such as incident response or penetration testing. Additionally, bug bounty programs are not only gaining popularity, but also are perceived as cost-effective replacements for internal security…

Nudge Me Right: Personalizing Online Security Nudges to People’s Decision-Making Styles (CHB ’20)

Abstract Nudges are simple and effective interventions that alter the architecture in which people make choices in order to help them make decisions that could benefit themselves or society. For many years, researchers and practitioners have used online nudges to encourage users to choose stronger and safer passwords. However, the effects of such nudges have been limited to local maxima, because they are designed with the “average” person in mind, instead…

Conducting Privacy-Sensitive Surveys: A Case Study of Civil Society Organizations (CHI Workshops ’20)

Abstract Compared to other organizations, civil society organizations (CSOs) often operate in elevated-risk contexts, and attacks against them carry much greater ramifications, including threats to freedom of expression, liberty, and life. We aim to capture the factors that affect the attitudes and intentions of CSO employees to engage in security and privacy behaviors by using a survey-based study to collect data about employees working at US-based civil society groups. In this…

A Promise Is A Promise: The Effect Of Commitment Devices On Computer Security Intentions (CHI ’19)

Abstract Commitment devices are a technique from behavioral economics that have been shown to mitigate the effects of present bias—the tendency to discount future risks and gains in favor of immediate gratifications. In this paper, we explore the feasibility of using commitment devices to nudge users towards complying with varying online security mitigations. Using two online experiments, with over 1,000 participants total, we offered participants the option to be reminded or…

The Accuracy of the Demographic Inferences Shown on Google’s Ad Settings (WPES ’18)

Abstract Google’s Ad Settings shows the gender and age that Google has inferred about a web user. We compare the inferred values to the self-reported values of 501 survey participants. We find that Google often does not show an inference, but when it does, it is typically correct. We explore which usage characteristics, such as using privacy-enhancing technologies, are associated with Google’s accuracy, but found no significant results. Citation Michael Carl Tschantz, Serge Egelman, Jaeyoung Choi, Nicholas…

Better Late(r) than Never: Increasing Cyber-Security Compliance by Reducing Present Bias (WEIS ’18)

Abstract Despite recent advances in increasing computer security by eliminating human involvement and error, there are still situations in which humans must manually perform computer security tasks, such as enabling automatic updates, rebooting machines to apply some of those updates, or enrolling in two-factor authentication. We argue that present bias—the tendency to discount future risks and gains in favor of immediate gratifications—could be the root cause explaining why many users…

Quantifying Users’ Beliefs about Software Updates (USEC ’18)

Abstract Software updates are critical to the performance, compatibility, and security of software systems. However, users do not always install updates, leaving their machines vulnerable to attackers’ exploits. While recent studies have highlighted numerous reasons why users ignore updates, little is known about how prevalent each of these beliefs is. Gaining a better understanding of the prevalence of each belief may help software designers better target their efforts in understanding what…

An Experience Sampling Study of User Reactions to Browser Warnings in the Field (CHI ’18)

Abstract Web browser warnings should help protect people from malware, phishing, and network attacks. Adhering to warnings keeps people safer online. Recent improvements in warning design have raised adherence rates, but they could still be higher. And prior work suggests many people still do not understand them. Thus, two challenges remain: increasing both comprehension and adherence rates. To dig deeper into user decision making and comprehension of warnings, we performed…

A Usability Evaluation of Tor Launcher (PETS ’17)

Abstract Although Tor has state-of-the art anti-censorship measures, users in heavily censored environments will likely not be able to connect to Tor because they cannot make the correct decisions during the configuration process. We perform the first usability evaluation of Tor Launcher, the graphical user interface (GUI) that Tor Browser uses to configure connections to Tor. Our study shows that 79% (363 of 458) of user attempts to connect to…