Category Archives: human factos in security

by | April 30, 2020 · 6:49 PM

“Amazon vs. My Brother” Receives a Honourable Mention Award

Paper co-authored by my PhD students  Yue Huang and Borke Obada-Obieh has received a Honourable Mention award at CHI 2020. Such awards are given to top 2-6% submissions.

Yue and Borke spoke to 26 Canadian adults who used shared smart speakers at home, including Amazon Echo, Google Home and Apple HomePod. We found that participants not only worried about keeping their data safe from the manufacturer or other entities; they also feared potential misuse of the device by people they actually live with and know.

Continue reading
by | February 24, 2020 · 2:42 AM

How People Survive the Cryptojungle

Cryptocurrency markets have grown substantially in recent years, and have attracted new users and investors, pushing the overall number of owners into the millions. At the same time, the number of distinct cryptocurrencies has exploded to over 5,000. In this burgeoning and chaotic “cryptojungle,” new and unexplored incentives and risks drive the behavior of users and non-users of cryptocurrencies. While previous research has focused almost exclusively on Bitcoin, other cryptocurrencies and utility tokens have been ignored.  Led by my PhD student Artemij Voskobojnikov, an interview study of cryptocurrency users and non-users focused on their perceptions and management of cryptocurrency risks as well as their reasons for or against involvement with cryptocurrencies. 

Continue reading
by | February 13, 2019 · 5:02 AM

Age and Smartphone Authentication

Nobody wants to spend time unlocking their phones, particularly when it happens some 50 times a day. This is why both industry and academia have been figuring out how to minimize this unwanted overhead, while still keeping smartphones users secure. To improve the technology, developers need to understand how exactly users use it, what works and what does not, what are the patterns of users’ behaviour with the technology. This is the knowledge gap that LERSSE’s alumni Lina Qiu was working on addressing in her Master’s thesis research. Her research investigated the interplay between age and smartphone authentication behavior.

Continue reading
by | January 24, 2019 · 5:04 PM

Making Sense of Unauthorized Access to Smartphones

Unauthorized physical access to personal devices by people known to the owner of the device is a common concern, and a common occurrence. But how do people experience incidents of unauthorized access? Using an online survey, I’ve collaborated with Diogo Marques from the University of Lisbon, his co-supervisors, and my UBC colleague Prof. Ivan Beschastnikh. Diogo led a study, in which he collected 102 accounts of unauthorized access. Participants wrote stories about past situations in which either they accessed the smartphone of someone they know, or someone they know accessed theirs. The findings of the study will be presented in May at ACM SIG CHI conference, the top HCI venue in the world..

Continue reading
by | May 16, 2017 · 11:02 PM

WannaCry: A Case Study for the Multitude of Cybersecurity Dimensions

I was recently asked to speak to the media about WannaCry. While preparing for the interview (see the video below), I’ve realized that this particular case is a good illustration of the various dimensions of cybersecurity: Continue reading

by | April 5, 2017 · 5:31 AM

Predicting Smartphone Users’ Permission Decisions

Current smartphone operating systems regulate application permissions by prompting users on an ask-on-first-use basis. Prior research has shown that this method is ineffective because it fails to account for context: the circumstances under which an application first requests access to data may be vastly different than the circumstances under which it subsequently requests access. LERSSE’s Primal is leading the research collaboration with UC Berkeley, in which a longitudinal 131-person field study was performed to analyze the contextuality behind user privacy decisions to regulate access to sensitive resources. Continue reading

by | February 26, 2017 · 6:11 AM

“I Don’t Use Apple Pay Because It’s Less Secure …”

This paper reports on why people use, not use, or have stopped using mobile tap-and-pay in stores. The results of our online survey with 349 Apple Pay and 511 Android Pay participants suggest that the top reason for using mobile tap-andpay is usability. Surprisingly, for nonusers of Apple Pay, security was their biggest concern. A common security misconception we found among the nonusers (who stated security as their biggest concern) was that they felt storing card information on their phones is less secure than physically carrying cards inside their wallets. Continue reading

by | January 15, 2017 · 6:22 AM

Social Insider Attacks on Facebook

Facebook accounts are secured against unauthorized access through passwords and device-level security. Those defenses, however, may not be sufficient to prevent social insider attacks, where attackers know their victims, and gain access to a victim’s account by interacting directly with their device. To characterize these attacks, we ran two MTurk studies. In the first study Continue reading

by | January 10, 2017 · 5:14 AM

“I’m too Busy to Reset my LinkedIn Password”

A common security practice used to deal with a password breach is locking user accounts and sending out an email to tell users that they need to reset their password to unlock their account. This paper evaluates the effectiveness of this security practice based on the password reset email that LinkedIn sent out around May 2016, and through an online survey conducted on 249 LinkedIn users who received that email. Our evaluation shows that only about 46% of the participants reset their passwords.

Continue reading

by | December 30, 2016 · 2:00 PM

Going After Vulnerable Population to Defend It

The orthodox paradigm to defend against automated social-engineering attacks in large-scale socio-technical systems is reactive and victim-agnostic. Defenses generally focus on identifying the attacks/attackers (e.g., phishing emails, social-bot infiltrations, malware offered for download). To change the status quo, we propose in our paper presented at NSPW ’16 to identify, even if imperfectly, the vulnerable user population, that is, the users that are likely to fall victim to such attacks. Once identified, information about the vulnerable population can be used in two ways. Continue reading