Category Archives: mental models of security

Smartphone Users’ Family, Friends, and Other Enemies

The number of smartphone users worldwide was expected to surpass 2 billion in 2016. To protect personal and other sensitive information from unauthorized access, some smartphone users lock their phones. Yet, others don’t, risking the data and online services accessible through their devices. The risks emanate from both device thieves and those who belong to the users’ social circles, so called social insiders. In 2014, 2.1 million Americans (under 2%) had phones stolen. Continue reading

Investigation of Phishing Avoidance

phishing_studyThis paper reports on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. Our mobile game design aimed to enhance the users’ avoidance behaviour through motivation to protect themselves against phishing threats. Continue reading

San-Tsai Sun defends his Ph.D. dissertation on Web Single Sign-On Systems and graduates

San-TsaiMy Ph.D. student San-Tsai Sun has successfully defended and submitted the final version of his thesis “Towards Improving the Usability and Security of Web Single Sign-On Systems.” He’s moving back to industry, where he will be applying his expertise in web security to real-world systems. Congratulations to San-Tsai on very successful completion of the Ph.D. program, with many quality publications.

Towards Usable Web Single Sign-On

Steps for SSO user experience with the proposed IDeB browser

OpenID is an open and promising Web single sign-on (SSO) solution. The research led by my Ph.D. student San-Tsai Sun investigates the challenges and concerns web users face when using OpenID for authentication, and identifies what changes in the login flow could improve the users’ experience and adoption incentives. Continue reading

Can Metaphors of Physiscal Security Work for Computers?

Physical Security Metaphor for Personal Firewall Warnings

There is evidence that the communication of security risks to home computer users has been unsuccessful. Prior research has found that users do not heed risk communications, that they do not read security warning texts, and that they ignore them. Risk communication should convey the basic facts relevant to the warning recipient’s decision. In the warning science literature, one successful technique for characterizing and designing risk communication is to employ the mental models approach, which is a decision-analytic framework. With this approach, the design of risk communication is based on the recipients’ mental model(s). The goal of the framework is to help people make decisions by providing risk communication that improves the recipients’ mental models in one of three ways: (1) adding missing knowledge, (2) restructuring the person’s knowledge when it inappropriately focussed (i.e., too general or too narrow), and (3) removing misconceptions.

Continue reading

Have users signed up?

I participated in a panel “Password Managers, Single Sign-On, Federated ID: Have users signed up?” at Workshop on The Future of User Authentication and Authorization on the Web: Challenges in Current Practice, New Threats, and Research Directions, which was collocated with the conference on Financial Cryptography and Data Security. In my panel presentation, I showed the most recent results of the evaluation of OpenID authentication experience by participants, conducted in my lab, which shed some light on why users have not signed up, at least for OpenID. An apparent reluctance among the end users of employing OpenID, despite the fact that there are over one billion OpenId-enabled accounts, results from technical, business, and human factors. This particular short presentation was devoted to the usability factors.

CHI Work in Progress to Feature LERSSE Research

This year, in Vancouver, Work In Progress Posters session of SIG CHI Conference will feature three research projects of my graduate students.

Continue reading

Lessons learned from studying users’ mental models of security

In the course of past three years at LERSSE, we have done several studies that helped us to further the understanding of users’ mental models, when it comes to security. Continue reading

Single Sign On on the Web: What’s broken and What can be fixed?

With Ph.D. student San-Tsai Sun, we have been investigating single-sign-on for Web. Continue reading

Understanding Wants and Needs of Personal Firewall Users

I’ve presented results of a user study by my graduate student Fahimeh Raja at SafeConfig. She conducted semi-structured interviews with a diverse set of participants to gain an understanding of their knowledge, requirements, perceptions, and misconceptions of personal firewalls. There are several interesting findings. Continue reading