Archive for the 'Studies' Category
Friday, July 14th, 2006
Read the paper here.
The authors describe three design principles: dynamic visualization of system activity, integration of configuration and action, and event-based architectures.
The system they studied is Impromptu, a file-sharing system where users can move coloured dots representing their files on a shared pie-shaped area. A sector of the pie belongs to each user, and [...]
Posted in General, Studies | No Comments »
Friday, July 14th, 2006
Read the paper here.
The authors studied Privacy Finder, a search engine whose result lists are enhanced with privacy information from websites’ P3P policies. Their study investigated whether this additional privacy information would affect user behaviour.
Participants in the user study were asked to shop online for two products: first, a six-outlet surge protector, and second, [...]
Posted in General, Studies | 1 Comment »
Friday, July 14th, 2006
Read the paper here.
Phishing is a semantic attack: it exploits the gap between the user’s intentions and the system’s operation (in particular when submitting data). The key factors are: what is the data, and where will it go?
The Web Wallet is a browser sidebar that users open by pressing a secure attention key (F2). [...]
Posted in Authentication, General, Spoofing, Studies | No Comments »
Thursday, July 13th, 2006
Read the paper here.
Many organizations tell users to create “mnemonic phrase-based passwords” — passwords made up by thinking of a memorable sentence or phrase, then compressing each word of the phrase to a character (such as its first letter, a number, or a punctuation character). Association with the phrase helps users remember their passwords, [...]
Posted in Authentication, General, Studies | 1 Comment »
Thursday, July 13th, 2006
Read the paper here.
This study compared the real and perceived shoulder-surfing vulnerability of Passfaces (a graphical password system) with that of dictionary and non-dictionary passwords. There were four conditions: Passfaces with a mouse, Passfaces with the keyboard, a dictionary password, and a non-dictionary password.
The study confirmed that the concern about shoulder-surfing vulnerability of Passfaces with a mouse [...]
Posted in Authentication, General, Studies | 1 Comment »
Thursday, July 13th, 2006
Read the paper here.
This study of password use surveyed about 50 Princeton undergraduates. The participants had, on average, about 3 passwords; they acquire more accounts over time, and they reuse their passwords more as they acquire more accounts. Participants most commonly rely on their memory to recall passwords rather than on software tools. [...]
Posted in Authentication, General, Studies | No Comments »
Thursday, July 13th, 2006
Read the paper here.
People tend to share files using e-mail instead of file sharing systems. The authors feel that one of the major obstacles to using file sharing features is the difficulty of end-user access control, and so they decided to analyze this problem. They looked at the access control mechanism in the [...]
Posted in General, Studies, Tools | No Comments »
Thursday, July 13th, 2006
Read the paper here.
The authors believe that better tools for communicating privacy policies will lead to better privacy protection and privacy-preserving use of personal information. Their tool, SPARCLE, helps organizations analyze and construct clearer privacy policies, and helps them implement policies and check for compliance.
The policy-writing part of SPARCLE lets users construct privacy rules [...]
Posted in General, Studies | No Comments »
Thursday, July 13th, 2006
Read the paper here.
The Polaris software is described in a technical report at the HP website. It isolates applications in separate user accounts to reduce the damage that can be done by viruses and trojans.
The authors conducted a usability study measuring effectiveness, efficiency, and user satisfaction, and asked users to complete eight tasks. [...]
Posted in General, Studies | 3 Comments »
Saturday, August 6th, 2005
In a recent e-mail message, Ian Grigg wrote that security professionals often seek perfection whereas users typically deal in fuzzy probabilities and moderate risks.
I run into this conflict in perspective all the time, since I frequently alternate between talking with security folks and usability folks, and am constantly amazed at what is obvious to one [...]
Posted in General, Studies | 4 Comments »
Friday, July 8th, 2005
71% of office workers stopped in the London Underground seemed willing to give their password in exchange for a chocolate bar, but we don’t know if those passwords were real. MailFrontier ran an online phishing IQ test, but it’s not externally valid because the user has the wrong primary task.
Rob Miller highlighted three challenges [...]
Posted in Studies | 8 Comments »
Thursday, July 7th, 2005
This paper describes a study that tested how and when people chose to reveal their location information using a mobile phone. From time to time users would receive messages requesting their location and they could choose how and whether to reply. The phone also offered automatic disclosure functions (to periodically send location information [...]
Posted in Studies | No Comments »