User-Centered Design for Security - UMD - October 2014
Public Audience
PI(s): Jen Golbeck and Adam J. Aviv
Researchers: Dane Fichter, Jeanne Luning-Prak
PROJECT OVERVIEW
Our goal is to better understand human behavior within security systems, and to use that knowledge to propose, design, and build better security systems. There are several research thrusts involved in meeting this challenge:
Understanding, Measuring, and Applying User Perceptions of Security and Usability: This research focuses on using empirical studies (surveys) to understand perceptions of security and usability in visual systems. Current research has focused on the graphical password system used by Android, and a large dataset of pair-wise preferences has been collected. The next phase of the research is to apply what we have learned to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. The research goal is to design systems where users' perceptions of security match some known metric of security, thus inducing security by design.
Measuring Cueing Language in User Graphical Password Selection: When users are asked to select passwords, they are asked to select a "strong" password, but how effective is this language as compared to other language choices, such as "unique" or "secure" or other visual or textual indicators that could be use prior to selecting a password? Current efforts in this domain are developing an empirical research methodology that can test hypotheses regarding user queuing and their eventual password selection, focusing first on graphical passwords and later extending to text based passwords. The results of this research will lead to the better design of security procedures which could "nudge" users towards more secure choices.
Improving Password Memorability: A typical user has passwords on dozens if not hundreds of websites, systems, and devices. Especially on systems that the user does not frequently use, it is easy to forget passwords. This then leads to reset when the user needs to login, opening up potential security holes. We have developed and pilot-tested an experiment for improving password memorability through a timed reminder service based in principles of cognitive psychology. We are testing whether users, when prompted to login on a schedule with increasingly distant time periods, will better remember their passwords for multiple sites. If our hypothesis is correct, this will be one way to leverage lessons of HCI, cognitive science, and psychology to improve security of systems through better understanding human behavior.
Privacy Conscious URL Sharing: A defining characteristic of current internet culture is to share information, e.g., through social network services. Recent efforts by the PI have shown that URLs being shared may contain more content than intended by the users, in particular, information embedded within the URL query string. The URL query string stores additional key-value pairs that are used by the web server to faithfully render the resulting web page; however, not all query string keys and values are used for rendering. Some are used for user tracking, and if publicly shared, this tracking information is also shared. We strive to develop new systems that better analyze the privacy risks for users through new metrics, properly present those risks to users, and enable users to make choices about how their URLs are shared. The results of this research will improve the privacy understanding and privacy exposure of users.
HARD PROBLEM(S) ADDRESSED
Human Behavior; Metrics.
PUBLICATIONS
Papers published during quarter
- LESS is more: Host-Agent Based Simulator for Large-scale Evaluation of Security Systems . John Sonchack and Adam J. Aviv. Procedings of the European Symposium on Research in Computer Security (ESORICS'14). September, 2014.
This paper focuses on developing new simulation techniques for evaluating large scale security systems that require coordination across networks. Obtaining datasets to evaluate systems in a repeatable way is challenging for a number of reasons. This paper addresses this challenge by developing a new simulator, LESS, that can revalaluate proposed systems and extend those results.
- On the Privacy Concerns of URL Query Strings. Andrew G. West and Adam J. Aviv. Workshop on Web 2.0 Security and Privacy. May, 2014.
This paper is a study of privacy concerns from the sharing of URL query string. We took a metric based aproach by analyzing a large corpus of shared URLs through an online URL sharing service. We found that a large number of URLs contain sensitive data in the query strings, but that measurement comes about through the development of new entropy based techniques to analyzed the unstructured query string data. We believe these techniques for privacy measurements can be applied to other security problems.
Papers accepted for publication
- Measuring Privacy Disclosures in URL Query Strings. Andrew G. West and Adam J. Aviv. To apear in IEEE Internet and Computing.
This paper extends the prior work for journal form (see above).
- Understanding Visual Perceptions of Usability and Security of Android's Graphical Password Pattern. To apear at Anual Computer Security Applications Conference (ACSAC '14). To appear Dec. 2014
This paper directly relates to the proposed tasks and presents a study of the perceptions of security and usability of Android's unlock password pattern. We found that perceptions of security are unaffected by spatial shifting, but greatly affected by "complexity." Most surprisingly, we can predict perceptions and find that none of the tested features alone impact perceptions, but rather the total size of the paper was the most predictive of security perceptions.
- A Self-Report Survey of Android Unlock Passwords. Poster presentation at the Anual Computer Security Applications Conference (ACSAC '14). To apear Dec. 2014.
This poster presents preliminary work of follow up research that attempts to measure Android's unlock passwords in the wild via a self-report study where participants self reveal their password in a safe and secure way. This is work led by high school student collaborator.