User-Centered Design for Security - July 2014
Public Audience
Our goal is to better understand human behavior within security systems and, through that knowledge, propose, design, and build better security systems. There are several research thrusts involved in meeting this challenge:
Understanding, Measuring, and Applying User Perceptions of Security and Usability: This research focuses on empirical studies, using survey methodology, to understand the perceptions of security and usability in visual systems. Current research has focused on the graphical password system used by Android, and a large data set of pair-wise preferences has been collected. The next phase of the research is to apply what has been learned about user perceptions to predict those perceptions and use the predictions to design better policy, better user interaction, and better security systems generally. The research goal is to design systems where the perceived security inherently matches some known metric of security, thus improving security by design.
Measuring Cueing Language in User Graphical Password Selection: When users are asked to select a password, they are asked to select a "strong" password, but how effective is this language compared to other choices, such as "unique" or "secure", or other visual or textual indicators that could be used as cues prior to selecting a password? Current efforts in this domain are developing an empirical research methodology that can test hypotheses about user cueing and eventual password selection, focusing first on graphical passwords and later extending to text-based passwords. The results of this research will lead to better design of security procedures that could "nudge" users towards more secure choices.
Improving Password Memorability: A typical user has passwords on dozens if not hundreds of websites, systems, and devices. Especially on systems that the user does not use frequently, it is easy to forget passwords. This then leads to a reset when the user needs to log in, opening up potential security holes. We have developed and pilot-tested an experiment for improving password memorability through a timed reminder service based on principles of cognitive psychology. We are testing whether users, when prompted to log in on a schedule with increasingly distant time periods, will better remember their passwords for multiple sites. If our hypothesis is correct, this will be one way to leverage lessons from HCI, cognitive science, and psychology to improve the security of systems through a better understanding of human behavior.
Privacy Conscious URL Sharing: A defining characteristic of current internet culture is sharing information, such as through social network services. Recent efforts by the PI have shown that the URLs being shared may contain more content than the users intended, in particular information embedded within the URL query string. The query string stores additional key-value pairs that the web server normally uses to faithfully render the resulting web page; however, not all query string keys and values are used for rendering. Some are used for user tracking, and if the URL is publicly shared, this tracking information is shared with it. We strive to develop new systems that better analyze the privacy risks for users through new metrics, properly present those risks to users, and enable users to make choices about how their URLs are shared. The results of this research will improve users' understanding of their privacy and reduce their privacy exposure.
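As an added illustration of the query-string analysis described above (example code written for this page, not the project's own tool), the following splits a URL's query string into rendering and tracking parameters, reports a simple exposure fraction, and rebuilds a shareable URL. The set of tracking keys and the exposure metric are assumptions made for the example, not metrics from the research.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed, assumed set of query keys used for tracking rather than rendering.
# A real tool would learn or curate this list; it is a placeholder here.
TRACKING_KEYS = {"fbclid", "gclid", "mc_eid"}
TRACKING_PREFIXES = ("utm_",)


def classify_query(url):
    """Split the query string into (rendering, tracking) key-value lists, order preserved."""
    parts = urlsplit(url)
    rendering, tracking = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in TRACKING_KEYS or key.startswith(TRACKING_PREFIXES):
            tracking.append((key, value))
        else:
            rendering.append((key, value))
    return rendering, tracking


def exposure_score(url):
    """Assumed metric: fraction of query parameters that are tracking keys (0.0 when no query)."""
    rendering, tracking = classify_query(url)
    total = len(rendering) + len(tracking)
    return len(tracking) / total if total else 0.0


def shareable_url(url):
    """Rebuild the URL with tracking parameters removed; path, rendering keys and fragment stay."""
    parts = urlsplit(url)
    rendering, _ = classify_query(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(rendering), parts.fragment))


if __name__ == "__main__":
    # Constructed sample URL; the tracking keys carry no rendering value for the recipient.
    sample = "https://example.com/article?id=42&utm_source=twitter&utm_medium=social&gclid=abc"
    print(classify_query(sample))
    print(exposure_score(sample))
    print(shareable_url(sample))
```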
PI(s): Jen Golbeck and Adam J. Aviv
Researchers:
HARD PROBLEM(S) ADDRESSED
This research focuses on addressing two of the hard problems: Human Behavior and Metrics.
PUBLICATIONS