
Proceedings of the 2010 Symposium on Usable Privacy and Security

Fullname: Symposium on Usable Privacy and Security
Editors: Lorrie Faith Cranor
Location: Redmond, Washington
Dates: 2010-Jul-14 to 2010-Jul-16
Standard No: ISBN 1-4503-0264-5, 978-1-4503-0264-7; hcibib: SOUPS10
  1. Passwords and accounts
  2. Authentication for mobile devices
  3. Privacy
  4. Security models and decision making
  5. SOUPS du Jour

Passwords and accounts

Do Windows users follow the principle of least privilege?: investigating user account control practices
  Sara Motiee; Kirstie Hawkey; Konstantin Beznosov
The principle of least privilege requires that users and their programs be granted the most restrictive set of privileges possible to perform required tasks in order to limit the damages caused by security incidents. Low-privileged user accounts (LUA) and user account control (UAC) in Windows Vista and Windows 7 are two practical implementations of this principle. To be successful, however, users must apply due diligence, use appropriate accounts, and respond correctly to UAC prompts. With a user study and contextual interviews, we investigated the motives, understanding, behaviour, and challenges users face when working with user accounts and the UAC. Our results show that 69% of participants did not apply the UAC approach correctly. All 45 participants used an administrator user account, and 91% were not aware of the benefits of low-privilege user accounts or the risks of high-privilege ones. Their knowledge and experience were limited to the restricted rights of low-privilege accounts. Based on our findings, we offer recommendations to improve the UAC and LUA approaches.
Keywords: least privilege principle, least privilege user account, usable security, user account control
Encountering stronger password requirements: user attitudes and behaviors
  Richard Shay; Saranga Komanduri; Patrick Gage Kelley; Pedro Giovanni Leon; Michelle L. Mazurek; Lujo Bauer; Nicolas Christin; Lorrie Faith Cranor
Text-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy that required users to change their passwords. Through our survey of 470 CMU computer users, we collected data about behaviors and practices related to the use and creation of passwords. We also captured users' opinions about the new, stronger policy requirements. Our analysis shows that, although most of the users were annoyed by the need to create a complex password, they believe that they are now more secure. Furthermore, we perform an entropy analysis and discuss how our findings relate to NIST recommendations for creating a password policy. We also examine how users answer specific questions related to their passwords. Our results can be helpful in designing better password policies that consider not only technical aspects of specific policy rules, but also users' behavior in response to those rules.
Keywords: passwords, policy, security, survey, usability
A closer look at recognition-based graphical passwords on mobile devices
  Paul Dunphy; Andreas P. Heiner; N. Asokan
Graphical password systems based on the recognition of photographs are candidates to alleviate current over-reliance on alphanumeric passwords and PINs. However, despite being based on a simple concept -- and user evaluations consistently reporting impressive memory retention -- only one commercial example exists and overall take-up is low. Barriers to uptake include a perceived vulnerability to observation attacks; issues regarding deployability; and the impact of innocuous design decisions on security not being formalized. Our contribution is to dissect each of these issues in the context of mobile devices -- a particularly suitable application domain due to their increasing significance, and high potential to attract unauthorized access. This produces: 1) A novel yet simple solution to the intersection attack that permits greater variability in login challenges; 2) Detailed analysis of the shoulder surfing threat that considers both simulated and human testing; 3) A first look at image processing techniques to contribute towards automated photograph filtering. We operationalize our observations and gather data in a field context where decentralized mechanisms of varying entropy were installed on the personal devices of participants. Across two working weeks success rates collected from users of a high entropy version were similar to those of a low entropy version at 77%, and login durations decreased significantly across the study.
Keywords: graphical passwords, mobile devices, shoulder surfing

Authentication for mobile devices

Usably secure, low-cost authentication for mobile banking
  Saurabh Panjwani; Edward Cutrell
This paper explores user authentication schemes for banking systems implemented over mobile phone networks in the developing world. We analyze an authentication scheme currently deployed by an Indian mobile banking service provider which uses a combination of PINs and printed codebooks for authenticating users. As a first step, we report security weaknesses in that scheme and show that it is susceptible to easy and efficient PIN recovery attacks. We then propose a new scheme which offers better secrecy of PINs, while still maintaining the simplicity and scalability advantages of the original scheme. Finally, we investigate the usability of the two schemes with a sample of 34 current and potential customers of the banking system. Our findings suggest that the new scheme is more efficient, less susceptible to human error and better preferred by the target consumers.
Keywords: ICTD, PIN, authentication, banking, developing regions, mobile, paper, security, usability
Two heads are better than one: security and usability of device associations in group scenarios
  Ronald Kainda; Ivan Flechais; A. W. Roscoe
We analyse and evaluate the usability and security of the process of bootstrapping security among devices in group scenarios. While a lot of work has been done in single user scenarios, we are not aware of any that focusses on group situations. Unlike in single user scenarios, bootstrapping security in a group requires coordination, attention, and cooperation of all group members. In this paper, we provide an analysis of the security and usability of bootstrapping security in group scenarios and present the results of a usability study on these scenarios. We also highlight crucial factors necessary for designing for secure group interactions.
Keywords: device association, group interactions, security protocols, usability
Influence of user perception, security needs, and social factors on device pairing method choices
  Iulia Ion; Marc Langheinrich; Ponnurangam Kumaraguru; Srdjan Capkun
Recent years have seen a proliferation of secure device pairing methods that try to improve both the usability and security of today's de-facto standard -- PIN-based authentication. Evaluating such improvements is difficult. Most comparative laboratory studies have so far mainly focused on completeness, trying to find the single best method among the dozens of proposed approaches -- one that is both rated the most usable by test subjects, and which provides the most robust security guarantees. This search for the "best" pairing method, however, fails to take into account the variety of situations in which such pairing protocols may be used in real life. The comparative study reported here, therefore, explicitly situates pairing tasks in a number of more realistic situations. Our results indicate that people do not always use the easiest or most popular method -- they instead prefer different methods in different situations, based on the sensitivity of data involved, their time constraints, and the social conventions appropriate for a particular place and setting. Our study also provides qualitative data on factors influencing the perceived security of a particular method, the users' mental models surrounding security of a method, and their security needs.
Keywords: authentication, device pairing, security, social factors, usability, user studies


Privacy

The impact of social navigation on privacy policy configuration
  Andrew Besmer; Jason Watson; Heather Richter Lipford
Social navigation is a promising approach to help users make better privacy and security decisions using community knowledge and expertise. Social navigation has recently been applied to several privacy and security systems such as peer-to-peer file sharing, cookie management, and firewalls. However, little empirical evaluation of social navigation cues has been performed in security or privacy systems to understand the real impact such knowledge has on user behavior and the resulting policies. In this paper, we explore the application of social navigation to access control policy configuration using an empirical between subjects study. Our results indicate that community information does impact user behavior, but only when the visual representation of the cue is sufficiently strong.
Keywords: policy configuration, privacy, social navigation, social networking
Optimizing a policy authoring framework for security and privacy policies
  Maritza Johnson; John Karat; Clare-Marie Karat; Keith Grueneberg
Policies which address security and privacy are pervasive parts of both technical and social systems, and technology to enable both organizations and individuals to create and manage such policies is seen as a critical need in IT. This paper describes policy authoring as a key component to usable privacy and security systems, and advances the notions of policy templates in a policy management environment in which different roles with different skill sets are seen as important. We discuss existing guidelines and provide support for the addition of new guidelines for usable policy authoring for security and privacy systems. We describe the relationship between general policy templates and specific policies, and the skills necessary to author each of these in a way that produces high-quality policies. We also report on an experiment in which technical users with limited policy experience authored policy templates using a prototype template authoring user interface we developed.
Keywords: policy authoring, policy management, policy refinement, privacy policy, security policy, user experience design
Feasibility of structural network clustering for group-based privacy control in social networks
  Simon Jones; Eamonn O'Neill
Users of social networking sites often want to manage the sharing of information and content with different groups of people based on their differing relationships. However, grouping contacts places a significant configuration burden on the user. Automated approaches to grouping may have the potential to reduce this burden; however, their use remains largely untested. We investigate people's rationales when grouping their contacts for the purpose of controlling their privacy, finding six criteria that they commonly considered. We assess an automated approach to grouping, based on a network clustering algorithm, whose performance may be analogous to the human's use of some of these criteria. We find that the similarity between the groups created by people and those created by the algorithm is correlated with the modularity of their network. We also demonstrate that the particular clustering algorithm, SCAN, which detects hubs and outliers within a network, can be beneficial for identifying contacts who are hard to group or for whom privacy preferences are inconsistent with the rest of their group.
Keywords: automation, content sharing, group-based access control, network structure, privacy, social media, social networks, tie strength

Security models and decision making

Where do security policies come from?
  Dinei Florêncio; Cormac Herley
We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength.
   We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.
Folk models of home computer security
  Rick Wash
Home computer systems are insecure because they are administered by untrained users. The rise of botnets has amplified this problem; attackers compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I identify eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which expert security advice to follow: four conceptualizations of 'viruses' and other malware, and four conceptualizations of 'hackers' that break into computers. I illustrate how these models are used to justify ignoring expert security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they cleverly take advantage of gaps in these models so that many home computer users do not take steps to protect against them.
Keywords: folk models, home security, mental models
Improving users' security choices on home wireless networks
  Justin T. Ho; David Dearman; Khai N. Truong
Home networks are common but notoriously difficult to set up and maintain. The difficulty users experience in setting up and maintaining their home network is problematic because of the numerous security threats that can exploit poorly configured and maintained network security. Because there is little empirical data to characterize the usability problems associated with the adoption of wireless network security, we surveyed primary caretakers and users of 20 home networks, examining their perceptions and usage of the security features available to them. We found that users did not understand the difference between access control lists and encryption, and that devices fail to properly notify users of weak security configuration choices. To address these issues, we designed and evaluated a novel wireless router configuration wizard that encouraged strong security choices by improving the network configuration steps. We found that security choices made by users of our wizard resulted in stronger security practices when compared to the wizard from a leading equipment manufacturer.
Keywords: access control, configuration, mental model, usable security, wireless network
Textured agreements: re-envisioning electronic consent
  Matthew Kay; Michael Terry
Research indicates that less than 2% of the population reads license agreements during software installation [12]. To address this problem, we developed textured agreements, visually redesigned agreements that employ factoids, vignettes, and iconic symbols to accentuate information and highlight its personal relevance. Notably, textured agreements accomplish these goals without requiring modification of the underlying text. A between-subjects experimental study with 84 subjects indicates these agreements can significantly increase reading times. In our study, subjects spent approximately 37 seconds on agreement screens with textured agreements, compared to 7 seconds in the plain text control condition. A follow-up study examined retention of agreement content, finding that median scores on a comprehension quiz increased by 4 out of 16 points for textured agreements. These results provide convincing evidence of the potential for textured agreements to positively impact software agreement processes.
Keywords: EULA, end-user license agreement, informed consent

SOUPS du Jour

On the impact of real-time feedback on users' behaviour in mobile location-sharing applications
  Lukasz Jedrzejczyk; Blaine A. Price; Arosha K. Bandara; Bashar Nuseibeh
Effective privacy management requires that mobile systems' users be able to make informed privacy decisions as their experience and knowledge of a system progresses. Prior work has shown that making such privacy decisions is a difficult task for users because systems do not provide support for awareness, visibility and accountability when sharing privacy-sensitive information. This paper reports results of our investigation into the efficacy of real-time feedback as a mechanism for incorporating these features of social translucence in location-sharing applications, in order to help users make better privacy decisions. We explored the role of real-time feedback in the context of Buddy Tracker, a mobile location-sharing application. Our work focuses on ways in which real-time feedback affects people's behaviour in order to identify the main criteria for acceptance of this technology. Based on the data from a three week field trial of Buddy Tracker, a focus group session, and interviews, we found that when using a system that provided real-time feedback, people were more accountable for their actions and reduced the number of unreasonable location requests. We have used the results of our study to propose high-level design criteria for incorporating real-time feedback into information sharing applications in a manner that ensures social acceptance of the technology.
Keywords: feedback, location based services, mobile computing, privacy management, social translucence
Parenting from the pocket: value tensions and technical directions for secure and private parent-teen mobile safety
  Alexei Czeskis; Ivayla Dermendjieva; Hussein Yapit; Alan Borning; Batya Friedman; Brian Gill; Tadayoshi Kohno
An increasing number of high-tech devices, such as driver monitoring systems and Internet usage monitoring tools, are advertised as useful or even necessary for good parenting of teens. Simultaneously, there is a growing market for mobile "personal safety" devices. As these trends merge, there will be significant implications for parent-teen relationships, affecting domains such as privacy, trust, and maturation. Not only the teen and his or her parents are affected; other important stakeholders include the teen's friends who may be unwittingly monitored. This problem space, with less clear-cut assets, risks, and affected parties, thus lies well outside of more typical computer security applications.
   To help understand this problem domain and what, if anything, should be built, we turn to the theory and methods of Value Sensitive Design, a systematic approach to designing for human values in technology. We first develop value scenarios that highlight potential issues, benefits, harms, and challenges. We then conducted semi-structured interviews with 18 participants (9 teens and their parents). Results show significant differences with respect to information about: 1) internal state (e.g., mood) versus external environment (e.g., location) state; 2) situation (e.g., emergency vs. non-emergency); and 3) awareness (e.g., notification vs. non-notification). The value scenario and interview results positioned us to identify key technical challenges -- such as strongly protecting the privacy of a teen's contextual information during ordinary situations but immediately exposing that information to others as appropriate in an emergency -- and corresponding architectural levers for these technologies.
   In addition to laying a foundation for future work in this area, this research serves as a prototypical example of using Value Sensitive Design to explicate the underlying human values in complex security domains.
Keywords: direct and indirect stakeholders, maturation, mobile phones, parenting technologies, privacy, safety, security, teenagers, value dams and flows, value sensitive design, value tensions
Towards understanding ATM security: a field study of real world ATM use
  Alexander De Luca; Marc Langheinrich; Heinrich Hussmann
With the increase of automated teller machine (ATM) frauds, new authentication mechanisms are developed to overcome security problems of personal identification numbers (PIN). Those mechanisms are usually judged on speed, security, and memorability in comparison with traditional PIN entry systems. It remains unclear, however, what appropriate values for PIN-based ATM authentication actually are. We conducted a field study and two smaller follow-up studies on real-world ATM use, in order to provide both a better understanding of PIN-based ATM authentication, and on how alternative authentication methods can be compared and evaluated. Our results show that there is a big influence of contextual factors on security and performance in PIN-based ATM use. Such factors include distractions, physical hindrance, trust relationships, and memorability. From these findings, we draw several implications for the design of alternative ATM authentication systems, such as resilience to distraction and social compatibility.
Keywords: ATM, authentication, design implications, field study, lessons learned, security