Archive for the 'Studies' Category

How Users Use Access Control

Friday, July 17th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a15-smetters.pdf
Diana Smetters and Nathan Good
Access control is a specification of policy indicating who can do what to whom.  Access control is hard to use.  People often get around it by granting overly permissive capabilities.  Looking at Windows XP, there are over a dozen checkboxes that can be flipped for each file!  However, people like [...]

Balancing Usability and Security in a Video CAPTCHA

Friday, July 17th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a14-kluever.pdf
Kurt Kluever and Richard Zanibbi
CAPTCHAs are used for a variety of purposes, but most generally to combat spammers.  A desirable CAPTCHA should be automatically generated, should not rely on secret databases or algorithms, should be usable, and should be hard to spoof.  Most existing CAPTCHAs fail in one or more of these respects, usually usability.
This [...]

Games for Extracting Randomness

Friday, July 17th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a12-halprin.pdf
Ran Halprin and Moni Naor
Random number generation is important for many security tasks - especially cryptography.  And yet getting good random numbers is notoriously difficult in practice.  Sources of randomness traditionally include “secret” data such as MAC addresses; real-time data such as hard-disk access and click timing; physical sources such as lava lamps, cloud [...]

Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols

Friday, July 17th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a11-kainda.pdf
Ronald Kainda, Ivan Flechais and Andrew William Roscoe
Out-of-band device pairing refers to pairing devices using a channel external to the devices themselves, such as through user interactions.  Technical security is achieved by using protocols based on formal proofs and is governed by the quality of the secrets involved.  However, the security achieved in practice must [...]

Serial Hook-Ups: A Comparative Usability Study of Secure Device Pairing Methods

Friday, July 17th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a10-kobsa.pdf
Alfred Kobsa, Rahim Sonawalla, Gene Tsudik, Ersin Uzun and Yang Wang
Secure device pairing refers to pairing two or more devices in a manner that can be trusted, such that the users pair the devices they believe they are pairing without allowing a malicious third party to join in the process.  Generally this has to be [...]

1 + 1 = You: Measuring the comprehensibility of metaphors for configuring backup authentication

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a9-schechter.pdf
Stuart Schechter and Robert Reeder
What to do when the user forgets their password?  A common method is to provide security questions.  Unfortunately, an initial analysis of the most commonly used security questions found that none were all that great, suffering from either poor memorability or poor security.  What about e-mail based recovery?  This doesn’t work [...]

Personal Choice and Challenge Questions: A Security and Usability Assessment

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a8-just.pdf
Mike Just and David Aspinall
Challenge questions often serve as part of a password recovery mechanism, though they are sometimes included along with conventional authentication.  For a long time there was little research in this area, but some studies have emerged recently, generally concluding that challenge questions are neither very usable nor secure.
This study sought to [...]

Look into my Eyes! Can you guess my Password?

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a7-deluca.pdf
Alexander De Luca, Martin Denzel and Heinrich Hussmann
Many password entry systems are weak against attacks where the attacker can view either the keyboard or the screen.  The proposal is to use eye movements for password entry, building off the findings of EyePassword, Eye Gestures, and PassShapes.  The researchers implemented EyePassShapes, in which the user traces [...]

Ubiquitous Systems and the Family: Thoughts about the Networked Home

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a6-little.pdf
Linda Little, Elizabeth Sillence and Pam Briggs
Overall, the well-being of a family is dependent on how well the members of the family communicate and interact.  If we are creating products and services for families, it is important to recognize that the dynamics of different families can be very different.  The project organizers sought to [...]

Challenges in Supporting End-User Privacy and Security Management with Social Navigation

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a5-goecks.pdf
Jeremy Goecks, W. Keith Edwards and Elizabeth D. Mynatt
Privacy and security management often talk about users engaging in boundary management, where decisions are made about what can cross the boundary.  However, as the boundary often changes due to context and task, this can be very hard to automate.  Social navigation is seen on Amazon, NYT, [...]

A “Nutrition Label” for Privacy

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a4-kelley.pdf
Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder
Privacy policies in their current form are typically long, dense, and ignored by users.  P3P is an XML format allowing websites to specify their privacy policy in a machine-readable manner.  The study’s initial attempt at visualizing the P3P data was to expand it into a [...]

School of Phish: A Real-World Evaluation of Anti-Phishing Training

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a3-kumaraguru.pdf
Ponnurangam Kumaraguru, Justin Cranshaw, Alessandro Acquisti, Lorrie Cranor, Jason Hong, Mary Ann Blair and Theodore Pham
How do we train users to not be phished?  There are existing materials out there that are pretty good, but they could be better.  Regardless, most people don’t proactively go looking for security training materials and “security notice” e-mails sent [...]