
Proceedings of the 2013 Symposium on Usable Privacy and Security

Full name: Proceedings of the Ninth Symposium on Usable Privacy and Security
Editors: Lorrie Faith Cranor; Lujo Bauer; Konstantin Beznosov
Location: Newcastle, United Kingdom
Dates: 2013-Jul-24 to 2013-Jul-26
Standard No: ISBN: 978-1-4503-2319-2; hcibib: SOUPS13
  1. Authentication and authorization
  2. SOUPS de jour
  3. Privacy
  4. Mobile devices
  5. Passwords

Authentication and authorization

When it's better to ask forgiveness than get permission: attribution mechanisms for smartphone resources
  Christopher Thompson; Maritza Johnson; Serge Egelman; David Wagner; Jennifer King
Smartphone applications pose interesting security problems because the same resources they use to enhance the user experience may also be used in ways that users might find objectionable. We performed a set of experiments to study whether attribution mechanisms could help users understand how smartphone applications access device resources. First, we performed an online survey and found that, as attribution mechanisms have become available on the Android platform, users notice and use them. Second, we designed new attribution mechanisms; a qualitative experiment suggested that our proposed mechanisms are intuitive to understand. Finally, we performed a laboratory experiment in which we simulated application misbehaviors to observe whether users equipped with our attribution mechanisms were able to identify the offending applications. Our results show that, for users who notice application misbehaviors, these attribution mechanisms are significantly more effective than the status quo.
Formal definitions for usable access control rule sets from goals to metrics
  Matthias Beckerle; Leonardo A. Martucci
Access control policies describe high level requirements for access control systems. Access control rule sets ideally translate these policies into a coherent and manageable collection of Allow/Deny rules. Designing rule sets that reflect desired policies is a difficult and time-consuming task. The result is that rule sets are difficult to understand and manage. The goal of this paper is to provide means for obtaining usable access control rule sets, which we define as rule sets that (i) reflect the access control policy and (ii) are easy to understand and manage. In this paper, we formally define the challenges that users face when generating usable access control rule sets and provide formal tools to handle them more easily. We started our research with a pilot study in which specialists were interviewed. The objective was to list usability challenges regarding the management of access control rule sets and verify how those challenges were handled by specialists. The results of the pilot study were compared and combined with results from related work and refined into six novel, formally defined metrics that are used to measure the security and usability aspects of access control rule sets. We validated our findings with two user studies, which demonstrate that our metrics help users generate statistically significantly better rule sets.
CASA: context-aware scalable authentication
  Eiji Hayashi; Sauvik Das; Shahriyar Amini; Jason Hong; Ian Oakley
We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to choose an appropriate form of active authentication (e.g., typing a PIN) based on the combination of multiple passive factors (e.g., a user's current location) for authentication. We provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a specified security requirement given passive factors. We also present the results of three user studies evaluating the feasibility and users' receptiveness of our concept. Our results suggest that location data has good potential as a passive factor, and that users can reduce up to 68% of active authentications when using an implementation of CASA, compared to always using fixed active authentication. Furthermore, our participants, including those who do not use any security mechanisms on their phones, were very positive about CASA and amenable to using it on their phones.

SOUPS de jour

Retrospective privacy: managing longitudinal privacy in online social networks
  Oshrat Ayalon; Eran Toch
Online social networks provide access to the user's information for long periods of time after the information's initial publication. In this paper, we investigate the relation between information aging and its sharing preferences on Facebook. Our findings are based on a survey of 193 Facebook users, in which we asked users to specify their sharing preferences and intentions towards posts that were published in different periods of time (from the time of the survey and up to 24 months prior to the time of the survey). Our results show that willingness to share significantly drops with the time passed since publishing the post. The occurrence of life changes, such as graduating from college or moving to a new town, is correlated with a further decrease in the willingness to share. We discuss our findings by relating them to information aging theories and privacy theories. Finally, we use our results to reflect on privacy mechanisms for long-term usage of online social networks, such as expiry date for content and historical information reviewing processes.
Confused Johnny: when automatic encryption leads to confusion and mistakes
  Scott Ruoti; Nathan Kim; Ben Burgon; Timothy van der Horst; Kent Seamons
A common approach to designing usable security is to hide as many security details as possible from the user to reduce the amount of information and actions a user must encounter. This paper gives an overview of Pwm (Private Webmail), our secure webmail system that uses security overlays to integrate tightly with existing webmail services like Gmail. Pwm's security is mostly transparent, including automatic key management and automatic encryption. We describe a series of Pwm user studies indicating that while nearly all users can use the system without any prior training, the security details are so transparent that a small percentage of users mistakenly sent out unencrypted messages and some users are unsure whether they should trust Pwm. We then conducted user studies with an alternative prototype to Pwm that uses manual encryption. Surprisingly, users were accepting of the extra steps of cutting and pasting ciphertext themselves. They avoided mistakes and had more trust in the system with manual encryption. Our results suggest that designers may want to reconsider manual encryption as a way to reduce transparency and foster greater trust.
Your attention please: designing security-decision UIs to make genuine risks harder to ignore
  Cristian Bravo-Lillo; Saranga Komanduri; Lorrie Faith Cranor; Robert W. Reeder; Manya Sleeper; Julie Downs; Stuart Schechter
We designed and tested attractors for computer security dialogs: user-interface modifications used to draw users' attention to the most important information for making decisions. Some of these modifications were purely visual, while others temporarily inhibited potentially-dangerous behaviors to redirect users' attention to salient information. We conducted three between-subjects experiments to test the effectiveness of the attractors.
   In the first two experiments, we sent participants to perform a task on what appeared to be a third-party site that required installation of a browser plugin. We presented them with what appeared to be an installation dialog from their operating system. Participants who saw dialogs that employed inhibitive attractors were significantly less likely than those in the control group to ignore clues that installing this software might be harmful.
   In the third experiment, we attempted to habituate participants to dialogs that they knew were part of the experiment. We used attractors to highlight a field that was of no value during habituation trials and contained critical information after the habituation period. Participants exposed to inhibitive attractors were two to three times more likely to make an informed decision than those in the control condition.


Privacy

What matters to users?: factors that affect users' willingness to share information with online advertisers
  Pedro Giovanni Leon; Blase Ur; Yang Wang; Manya Sleeper; Rebecca Balebako; Richard Shay; Lujo Bauer; Mihai Christodorescu; Lorrie Faith Cranor
Much of the debate surrounding online behavioral advertising (OBA) has centered on how to provide users with notice and choice. An important element left unexplored is how advertising companies' privacy practices affect users' attitudes toward data sharing. We present the results of a 2,912-participant online study investigating how facets of privacy practices -- data retention, access to collected data, and scope of use -- affect users' willingness to allow the collection of behavioral data. We asked participants to visit a health website, explained OBA to them, and outlined policies governing data collection for OBA purposes. These policies varied by condition. We then asked participants about their willingness to permit the collection of 30 types of information. We identified classes of information that most participants would not share, as well as classes that nearly half of participants would share. More restrictive data-retention and scope-of-use policies increased participants' willingness to allow data collection. In contrast, whether the data was collected on a well-known site and whether users could review and modify their data had minimal impact. We discuss public policy implications and improvements to user interfaces to align with users' privacy preferences.
Do not embarrass: re-examining user concerns for online tracking and advertising
  Lalit Agarwal; Nisheeth Shrivastava; Sharad Jaiswal; Saurabh Panjwani
Recent studies have highlighted user concerns with respect to third-party tracking and online behavioral advertising (OBA) and the need for better consumer choice mechanisms to address these phenomena. We re-investigate the question of perceptions of third-party tracking while situating it in the larger context of how online ads, in general, are perceived by users. Via in-depth interviews with 53 Web users in India, we find that although concerns for third-party tracking and OBA remain noticeable amongst this population, other aspects of online advertising -- like the possibility of being shown ads with embarrassing and suggestive content -- are voiced as greater concerns than the concern of being tracked. Current-day blocking tools are insufficient to redress the situation: users demand selective filtering of ad content (as opposed to blocking out all ads) and are not satisfied with mechanisms that only control tracking and OBA. We conclude with design recommendations for end-user tools to control online ad consumption keeping in mind the concerns brought forth by our study.
Sleights of privacy: framing, disclosures, and the limits of transparency
  Idris Adjerid; Alessandro Acquisti; Laura Brandimarte; George Loewenstein
In an effort to address persistent consumer privacy concerns, policy makers and the data industry seem to have found common grounds in proposals that aim at making online privacy more "transparent." Such self-regulatory approaches rely on, among other things, providing more and better information to users of Internet services about how their data is used. However, we illustrate in a series of experiments that even simple privacy notices do not consistently impact disclosure behavior, and may in fact be used to nudge individuals to disclose variable amounts of personal information. In a first experiment, we demonstrate that the impact of privacy notices on disclosure is sensitive to relative judgments, even when the objective risks of disclosure actually stay constant. In a second experiment, we show that the impact of privacy notices on disclosure can be muted by introducing simple misdirections that do not alter the objective risk of disclosure. These findings cast doubts on the likelihood of initiatives predicated around notices and transparency to address, by themselves, online privacy concerns.

Mobile devices

Modifying smartphone user locking behavior
  Dirk Van Bruggen; Shu Liu; Mitch Kajzer; Aaron Striegel; Charles R. Crowell; John D'Arcy
With an increasing number of organizations allowing personal smart phones onto their networks, considerable security risk is introduced. The security risk is exacerbated by the tremendous heterogeneity of the personal mobile devices and their respective installed pool of applications. Furthermore, by virtue of the devices not being owned by the organization, the ability to authoritatively enforce organizational security policies is challenging. As a result, a critical part of organizational security is the ability to drive user security behavior through either on-device mechanisms or security awareness programs. In this paper, we establish a baseline for user security behavior from a population of over one hundred fifty smart phone users. We then systematically evaluate the ability to drive behavioral change via messaging centered on morality, deterrence, and incentives. Our findings suggest that appeals to morality are most effective over time, whereas deterrence produces the most immediate reaction. Additionally, our findings show that while a significant portion of users are securing their devices without prior intervention, it is difficult to influence change in those who do not.
Exploring the design space of graphical passwords on smartphones
  Florian Schaub; Marcel Walch; Bastian Könings; Michael Weber
Smartphones have emerged as a likely application area for graphical passwords, because they are easier to input on touchscreens than text passwords. Extensive research on graphical passwords and the capabilities of modern smartphones result in a complex design space for graphical password schemes on smartphones. We analyze and describe this design space in detail. In the process, we identify and highlight interrelations between usability and security characteristics, available design features, and smartphone capabilities. We further show the expressiveness and utility of the design space in the development of graphical password schemes by implementing five different existing graphical password schemes on one smartphone platform. We performed usability and shoulder surfing experiments with the implemented schemes to validate identified relations in the design space. From our results, we derive a number of helpful insights and guidelines for the design of graphical passwords.
"Little brothers watching you": raising awareness of data leaks on smartphones
  Rebecca Balebako; Jaeyeon Jung; Wei Lu; Lorrie Faith Cranor; Carolyn Nguyen
Today's smartphone applications expect users to make decisions about what information they are willing to share, but fail to provide sufficient feedback about which privacy-sensitive information is leaving the phone, as well as how frequently and with which entities it is being shared. Such feedback can improve users' understanding of potential privacy leakages through apps that collect information about them in an unexpected way. Through a qualitative lab study with 19 participants, we first discuss misconceptions that smartphone users currently have with respect to two popular game applications that frequently collect the phone's current location and share it with multiple third parties. To measure the gap between users' understanding and actual privacy leakages, we use two types of interfaces that we developed: just-in-time notifications that appear the moment data is shared and a visualization that summarizes the shared data. We then report on participants' perceived benefits and concerns regarding data sharing with smartphone applications after experiencing notifications and having viewed the visualization. We conclude with a discussion on how heightened awareness of users and usable controls can mitigate some of these concerns.


Passwords

On the ecological validity of a password study
  Sascha Fahl; Marian Harbach; Yasemin Acar; Matthew Smith
The ecological validity of password studies is a complex topic and difficult to quantify. Most researchers who conduct password user studies try to address the issue in their study design. However, the methods researchers use to try to improve ecological validity vary and some methods even contradict each other. One reason for this is that the very nature of the problem of ecological validity of password studies is hard to study, due to the lack of ground truth. In this paper, we present a study on the ecological validity of password studies designed specifically to shed light on this issue. We were able to compare the behavior of 645 study participants with their real world password choices. We conducted both online and laboratory studies, under priming and non-priming conditions, to be able to evaluate the effects of these different forms of password studies. While our study is able to investigate only one specific password environment used by a limited population and thus cannot answer all questions about ecological validity, it does represent a first important step in judging the impact of ecological validity on password studies.
Usability and security evaluation of GeoPass: a geographic location-password scheme
  Julie Thorpe; Brent MacRae; Amirali Salehi-Abari
We design, implement, and evaluate GeoPass: an interface for digital map-based authentication where a user chooses a place as his or her password (i.e., a "location-password"). We conducted a multi-session in-lab/at-home user study to evaluate the usability, memorability, and security of location-passwords created with GeoPass. The results of our user study found that 97% of users were able to remember their location-password over the span of 8-9 days and most without any failed login attempts. Users generally welcomed GeoPass; all of the users who completed the study reported that they would at least consider using GeoPass for some of their accounts. We also perform an in-depth usability and security analysis of location-passwords. Our security analysis includes the effect of information that could be gleaned from social engineering. The results of our security analysis show that location-passwords created with GeoPass can have reasonable security against online attacks, even when accounting for social engineering attacks. Based on our results, we suggest GeoPass would be most appropriate in contexts where logins occur infrequently, e.g., as an alternative to secondary authentication methods used for password resets, or for infrequently used online accounts.
Memory retrieval and graphical passwords
  Elizabeth Stobert; Robert Biddle
Graphical passwords are an alternative form of authentication that use images for login, and leverage the picture superiority effect for good usability and memorability. Categories of graphical passwords have been distinguished on the basis of different kinds of memory retrieval (recall, cued-recall, and recognition). Psychological research suggests that leveraging recognition memory should be best, but this remains an open question in the password literature. This paper examines how different kinds of memory retrieval affect the memorability and usability of randomly assigned graphical passwords. A series of five studies of graphical and text passwords showed that participants were able to better remember recognition-based graphical passwords, but their usability was limited by slow login times. A graphical password scheme that leveraged recognition and recall memory was most successful at combining memorability and usability.