Two Ph.D. student vacancies

There are two Ph.D. student positions available at my research group LERSSE. Ph.D. students are accepted with full support in the form of research assistantships and positions are available for starting in September 2012. Application deadline is December 1!

LERSSE is a world-class international multidisciplinary research group specializing in the following areas of computer security:

  • Usable security (i.e., application of HCI methods to security)
  • Web security
  • Security and privacy of online social networks
  • Distributed systems security
  • Mobile device security

Besides usual training in computing, we are particularly interested in those applicants who have background or interest in applying methods of social science, cognitive science, psychology, and HCI to the domain of computer security.

LERSSE graduates commonly go on to work for top hi-tech R&D and consulting companies in North and South America, Asia, Europe, and the Middle East. For more information about our research and people, visit us at http://lersse.ece.ubc.ca

The University of British Columbia (UBC), established in 1908, is one of Canada’s leading research universities and is consistently highly ranked, including the most recent rank of 22nd in the world by Times Higher Education. UBC attracts 54,000 students from across Canada and 140 countries around the world.

Vancouver, Canada, is a great place to live, study, and work. It consistently ranks among the top 4 cities in the world, and a survey by the Economist Intelligence Unit (EIU) has found that Vancouver is the world’s best place to live.

For further details and application instructions, see http://lersse.ece.ubc.ca/apply

Filed under distributed systems security, social networks security, usable security, web security

On vulnerability of Facebook users to social botnets

How likely is a Facebook user to accept a friendship request from a stranger (albeit a pretty/handsome one)? By how much do such chances correlate with the “promiscuity” of the user in terms of FB friends? Can such requests be automated? What can an adversary gain from befriending users?

Filed under human factors in security, social networks security

Towards Usable Web Single Sign-On

Steps for SSO user experience with the proposed IDeB browser

OpenID is an open and promising Web single sign-on (SSO) solution. The research led by my Ph.D. student San-Tsai Sun investigates the challenges and concerns web users face when using OpenID for authentication, and identifies what changes in the login flow could improve users’ experience and adoption incentives.

Filed under distributed systems security, mental models of security, usable security, web security, web single sign on

The Lab Study Troubles

Differences between UBC and CMU studies in the age of participants.

Can real behavior of users, when it comes to security decisions, be observed in lab studies? A recent paper from my research group sheds light on this question.

Initially, our goal was quite different. We replicated and extended a 2008 study conducted at CMU that investigated the effectiveness of SSL warnings. To achieve better ecological validity, we adjusted the experimental design: allowing participants to use their web browser of choice and recruiting a more representative user sample.

Filed under usable security

Can Metaphors of Physical Security Work for Computers?

Physical Security Metaphor for Personal Firewall Warnings

There is evidence that the communication of security risks to home computer users has been unsuccessful. Prior research has found that users do not heed risk communications, that they do not read security warning texts, and that they ignore them. Risk communication should convey the basic facts relevant to the warning recipient’s decision. In the warning science literature, one successful technique for characterizing and designing risk communication is to employ the mental models approach, which is a decision-analytic framework. With this approach, the design of risk communication is based on the recipients’ mental model(s). The goal of the framework is to help people make decisions by providing risk communication that improves the recipients’ mental models in one of three ways: (1) adding missing knowledge, (2) restructuring the person’s knowledge when it is inappropriately focused (i.e., too general or too narrow), and (3) removing misconceptions.

Filed under human factors in security, mental models of security, usable security

Heuristics for Evaluating IT Security Management Tools

The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. However, standard usability heuristics (e.g., Nielsen’s) are hard to apply, as IT security management occurs within a complex and collaborative context that involves diverse stakeholders. In a joint project with CA Technologies, my Ph.D. student Pooya Jaferian has proposed a set of ITSM usability heuristics that are based on activity theory, are supported by prior research, and consider the complex and cooperative nature of security management. The paper reporting the evaluation of the heuristics received Best Paper Award at SOUPS ’11.

Filed under human factors in security, IT security management, usable security

Have users signed up?

I participated in a panel, “Password Managers, Single Sign-On, Federated ID: Have users signed up?”, at the Workshop on The Future of User Authentication and Authorization on the Web: Challenges in Current Practice, New Threats, and Research Directions, which was co-located with the conference on Financial Cryptography and Data Security. In my panel presentation, I showed the most recent results of the evaluation of the OpenID authentication experience by participants, conducted in my lab, which shed some light on why users have not signed up, at least for OpenID. The apparent reluctance of end users to employ OpenID, despite the fact that there are over one billion OpenID-enabled accounts, results from technical, business, and human factors. This particular short presentation was devoted to the usability factors.

Filed under human factors in security, mental models of security, usable security, web single sign on

Is OpenID too Open? Technical, Business, and Human Issues That Get in the Way of OpenID and Ways of Addressing Them

The web is essential for business and personal activities well beyond information retrieval, such as online banking, financial transactions, and payment authorization, but reliable user authentication remains a challenge. OpenID is a mainstream Web single sign-on (SSO) solution intended for Internet-scale adoption. There are currently over one billion OpenID-enabled user accounts provided by major content-hosting and service providers (CSPs), e.g., Yahoo!, Google, Facebook, but only a few relying parties that allow users to use their OpenID credentials for SSO. Why is that? I presented at Eurecom an overview of OpenID, and then discussed weaknesses of (1) the protocol and its implementations, (2) the business model behind it, and (3) the user interface. The talk concluded with a discussion of a proposal for addressing some of OpenID’s issues.

See presentation slides for more details.

Filed under business factors in security, human factors in security, usable security, web security, web single sign on

CHI Work in Progress to Feature LERSSE Research

This year, in Vancouver, the Work in Progress posters session of the SIGCHI conference will feature three research projects of my graduate students.

Filed under IT security management, mental models of security, usable security, web security, web single sign on

Undergrad Security Course Features Cool Projects

Students in my undergraduate computer security course have done several excellent projects. You can watch video clips of the projects or read the reports.

Filed under human factors in security, other, usable security, web security