Let’s Go in for a Closer Look: Observing Passwords in Their Natural Habitat (CCS ’17)

Abstract: Text passwords—a frequent vector for account compromise, yet still ubiquitous—have been studied for decades by researchers attempting to determine how to coerce users to create passwords that are hard for attackers to guess but still easy for users to type and memorize. Most studies examine one password or a small number of passwords per user, and studies often rely on passwords created solely for the purpose of the study…

Personalized Security Messaging: Nudges for Compliance with Browser Warnings (EuroUSEC ’17)

Abstract: Decades of psychology and decision-making research show that everyone makes decisions differently; yet security messaging is still one-size-fits-all. This suggests that we can improve outcomes by delivering information relevant to how each individual makes decisions. We tested this hypothesis by designing messaging customized for stable personality traits—specifically, the five dimensions of the General Decision-Making Style (GDMS) instrument. We applied this messaging to browser warnings, security messaging encountered by millions…

The Teaching Privacy Curriculum (SIGCSE ’16)

Abstract: A basic understanding of online privacy is essential to being an informed digital citizen, and therefore basic privacy education is becoming ever more necessary. Recently released high school and college computer science curricula acknowledge the significantly increased importance of fundamental knowledge about privacy, but do not yet provide concrete content in the area. To address this need, over the past two years, we have developed the Teaching Privacy Project…

Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes (SOUPS ’16)

Abstract: Computer security problems often occur when there are disconnects between users’ understanding of their role in computer security and what is expected of them. To help users make good security decisions more easily, we need insights into the challenges they face in their daily computer usage. We built and deployed the Security Behavior Observatory (SBO) to collect data on user behavior and machine configurations from participants’ home computers. Combining…

Behavior Ever Follows Intention? A Validation of the Security Behavior Intentions Scale (SeBIS) (CHI ’16)

Abstract: The Security Behavior Intentions Scale (SeBIS) measures the computer security attitudes of end-users. Because intentions are a prerequisite for planned behavior, the scale could therefore be useful for predicting users’ computer security behaviors. We performed three experiments to identify correlations between each of SeBIS’s four sub-scales and relevant computer security behaviors. We found that testing high on the awareness sub-scale correlated with correctly identifying a phishing website; testing high…

The Myth of the Average User: Improving Privacy and Security Systems through Individualization (NSPW ’15)

Abstract: While individual differences in decision-making have been examined within the social sciences for several decades, they have only recently begun to be applied by computer scientists to examine privacy and security attitudes (and ultimately behaviors). Specifically, several researchers have shown how different online privacy decisions are correlated with the “Big Five” personality traits. In this paper, we show that the five factor model is actually a weak predictor of…

Predicting Privacy and Security Attitudes (ACM CAS)

Abstract: While individual differences in decision-making have been examined within the social sciences for several decades, this research has only recently begun to be applied by computer scientists to examine privacy and security attitudes (and ultimately behaviors). Specifically, several researchers have shown how different online privacy decisions are correlated with the “Big Five” personality traits. However, in our own research, we show that the five factor model is actually a…

Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS) (CHI ’15)

Abstract: Despite the plethora of security advice and online education materials offered to end-users, there exists no standard measurement tool for end-user security behaviors. We present the creation of such a tool. We surveyed the most common computer security advice that experts offer to end-users in order to construct a set of Likert scale questions to probe the extent to which respondents claim to follow this advice. Using these questions,…

Fingerprinting Web Users through Font Metrics (FC ’15)

Abstract: We describe a web browser fingerprinting technique based on measuring the onscreen dimensions of font glyphs. Font rendering in web browsers is affected by many factors—browser version, what fonts are installed, and hinting and antialiasing settings, to name a few—that are sources of fingerprintable variation in end-user systems. We show that even the relatively crude tool of measuring glyph bounding boxes can yield a strong fingerprint, and is a threat to users’ privacy. Through a…
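The measurement step the abstract describes, as an added example that is not the paper's code: render a set of probe glyphs in a set of font families, read each glyph's bounding box, and hash the canonicalised measurements into a short identifier. The probe fonts and glyphs, the FNV-1a hash, the function names and the two sample measurement sets are all illustrative assumptions; the sample data is constructed so the hashing part runs outside a browser, and the DOM measurement runs only when `document` exists.

```javascript
// Added example of glyph-bounding-box fingerprinting (not the FC '15 authors' code).
// Probe set is an assumption: a handful of generic and named families, and a few
// code points whose rendering differs across platforms. The paper uses far more.
const PROBE_FONTS = ["serif", "sans-serif", "monospace", "Arial", "Times New Roman"];
const PROBE_GLYPHS = ["m", "W", "\u0628", "\u4E2D", "\uFFFD"];

// Browser side: render each glyph in each family in an off-screen span at a fixed
// size and read its bounding box. Returns [family, glyph, width, height] tuples.
// Fallback fonts, hinting and antialiasing all leave their mark in these numbers.
function measureGlyphs(doc, fonts = PROBE_FONTS, glyphs = PROBE_GLYPHS) {
  const span = doc.createElement("span");
  span.style.position = "absolute";
  span.style.left = "-9999px";
  span.style.fontSize = "72px";
  span.style.lineHeight = "normal";
  span.style.whiteSpace = "nowrap";
  doc.body.appendChild(span);
  const metrics = [];
  try {
    for (const font of fonts) {
      span.style.fontFamily = font;
      for (const glyph of glyphs) {
        span.textContent = glyph;
        const box = span.getBoundingClientRect();
        metrics.push([font, glyph, box.width, box.height]);
      }
    }
  } finally {
    span.remove();
  }
  return metrics;
}

// Canonical serialisation: sorted, fixed precision, so the same machine produces the
// same string on every visit regardless of measurement order or sub-pixel noise.
function canonicalise(metrics) {
  return metrics
    .map(([font, glyph, w, h]) =>
      `${font}|${glyph.codePointAt(0)}|${w.toFixed(2)}|${h.toFixed(2)}`)
    .sort()
    .join("\n");
}

// FNV-1a (32-bit), chosen only to keep the example dependency-free. A tracker would
// use a wider hash; collision resistance is not the point being demonstrated.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(metrics) {
  return fnv1a32(canonicalise(metrics));
}

// Constructed sample measurements (not real data) for two machines that differ only
// in the rendered height of one monospace glyph, as a hinting change might cause.
const MACHINE_A = [
  ["serif", "m", 64.88, 82.0],
  ["serif", "W", 69.0, 82.0],
  ["monospace", "m", 43.19, 82.0],
  ["monospace", "W", 43.19, 82.0],
  ["sans-serif", "\u4E2D", 72.0, 82.0],
];
const MACHINE_B = MACHINE_A.map(([f, g, w, h]) =>
  f === "monospace" && g === "m" ? [f, g, w, 81.0] : [f, g, w, h]);

// Stand-alone run: measure the live page in a browser, otherwise hash the samples.
if (typeof document !== "undefined") {
  console.log("live fingerprint:", fingerprint(measureGlyphs(document)));
} else {
  console.log("machine A:", fingerprint(MACHINE_A));
  console.log("machine B:", fingerprint(MACHINE_B));
}
```

The fingerprint is stable across visits because the serialisation is sorted and rounded, and a single changed dimension changes the identifier, which is why a browser that wants to resist this must make every user's measurements identical (a fixed bundled font set and no exposure of the real metrics) rather than merely adding noise that a repeat measurement averages away.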

The importance of being earnest [in security warnings] (FC ’13)

Abstract: In response to the threat of phishing, web browsers display warnings when users arrive at suspected phishing websites. Previous research has offered guidance to improve these warnings. We performed a laboratory study to investigate how the choice of background color in the warning and the text describing the recommended course of action impact a user’s decision to comply with the warning. We did not reveal to participants that the…