Biblio

Filters: Author is Serge Egelman
2016-12-08
Alain Forget, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, Lorrie Cranor, Serge Egelman, Marian Harbach, Rahul Telang.  2016.  Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes. Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016).

Computer security problems often occur when there are disconnects between users’ understanding of their role in computer security and what is expected of them. To help users make good security decisions more easily, we need insights into the challenges they face in their daily computer usage. We built and deployed the Security Behavior Observatory (SBO) to collect data on user behavior and machine configurations from participants’ home computers. Combining SBO data with user interviews, this paper presents a qualitative study comparing users’ attitudes, behaviors, and understanding of computer security to the actual states of their computers. Qualitative inductive thematic analysis of the interviews produced “engagement” as the overarching theme, whereby participants with greater engagement in computer security and maintenance did not necessarily have more secure computer states. Thus, user engagement alone may not be predictive of computer security. We identify several other themes that inform future directions for better design and research into security interventions. Our findings emphasize the need for better understanding of how users’ computers get infected, so that we can more effectively design user-centered mitigations.

2016-12-07
Sarah Pearman, Nicholas Munson, Leeyat Slyper, Lujo Bauer, Serge Egelman, Arnab Kumar, Charu Sharma, Jeremy Thomas, Nicolas Christin.  2016.  Risk Compensation in Home-User Computer Security Behavior: A Mixed-Methods Exploratory Study. SOUPS 2016: 12th Symposium on Usable Privacy and Security.

Risk homeostasis theory claims that individuals adjust their behaviors in response to changing variables to keep what they perceive as a constant accepted level of risk [8]. Risk homeostasis theory is used to explain why drivers may drive faster when wearing seatbelts. Here we explore whether risk homeostasis theory applies to end-user security behaviors. We use observed data from over 200 participants in a longitudinal in-situ study as well as survey data from 249 users to attempt to determine how user security behaviors and attitudes are affected by the presence or absence of antivirus software. If risk compensation is occurring, users might be expected to behave more dangerously in some ways when antivirus is present. Some of our preliminary data suggests that risk compensation may be occurring, but additional work with larger samples is needed. 

2016-12-06
Serge Egelman, Marian Harbach, Eyal Peer.  2016.  Behavior Ever Follows Intention? A Validation of the Security Behavior Intentions Scale (SeBIS). CHI '16 Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems. :5257-5261.

The Security Behavior Intentions Scale (SeBIS) measures the computer security attitudes of end-users. Because intentions are a prerequisite for planned behavior, the scale could therefore be useful for predicting users' computer security behaviors. We performed three experiments to identify correlations between each of SeBIS's four sub-scales and relevant computer security behaviors. We found that testing high on the awareness sub-scale correlated with correctly identifying a phishing website; testing high on the passwords sub-scale correlated with creating passwords that could not be quickly cracked; testing high on the updating sub-scale correlated with applying software updates; and testing high on the securement sub-scale correlated with smartphone lock screen usage (e.g., PINs). Our results indicate that SeBIS predicts certain computer security behaviors and that it is a reliable and valid tool that should be used in future research.