User-Centered Design for Security - UMD - January 2015

PI(s): Jen Golbeck and Adam J. Aviv
Researchers: Dane Fichter, Jeanne Luning-Prak, Devon Budzitowski, Zahra Ashktorab

PROJECT OVERVIEW

Our goal is to better understand human behavior within security systems, and to use that knowledge to propose, design, and build better security systems. There are several research thrusts involved in meeting this challenge:

Understanding, Measuring, and Applying User Perceptions of Security and Usability: This research focuses on using empirical studies (surveys) to understand perceptions of security and usability in visual systems. Current research has focused on the graphical password system used by Android, and a large dataset of pair-wise preferences has been collected. The next phase of the research is to apply what we have learned to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. The research goal is to design systems where users' perceptions of security match some known metric of security, thus inducing security by design.

Measuring Cueing Language in User Graphical Password Selection: When users are asked to select passwords, they are asked to select a "strong" password, but how effective is this language compared to other language choices, such as "unique" or "secure", or other visual or textual indicators that could be used prior to selecting a password? Current efforts in this domain are developing an empirical research methodology that can test hypotheses regarding user cueing and their eventual password selection, focusing first on graphical passwords and later extending to text-based passwords. The results of this research will lead to the better design of security procedures which could "nudge" users towards more secure choices.

Improving Password Memorability: A typical user has passwords on dozens if not hundreds of websites, systems, and devices. Especially on systems that the user does not frequently use, it is easy to forget passwords. This then leads to a reset when the user needs to log in, opening up potential security holes. We have developed and pilot-tested an experiment for improving password memorability through a timed reminder service based on principles of cognitive psychology. We are testing whether users, when prompted to log in on a schedule with increasingly distant time periods, will better remember their passwords for multiple sites. If our hypothesis is correct, this will be one way to leverage lessons of HCI, cognitive science, and psychology to improve the security of systems through a better understanding of human behavior.

Privacy Conscious URL Sharing: A defining characteristic of current internet culture is to share information, e.g., through social network services. Recent efforts by the PI have shown that URLs being shared may contain more content than intended by the users, in particular, information embedded within the URL query string. The URL query string stores additional key-value pairs that are used by the web server to faithfully render the resulting web page; however, not all query string keys and values are used for rendering. Some are used for user tracking, and if the URL is publicly shared, this tracking information is shared with it. We strive to develop new systems that better analyze the privacy risks for users through new metrics, properly present those risks to users, and enable users to make choices about how their URLs are shared. The results of this research will improve users' understanding of their privacy and reduce their privacy exposure.
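The idea above, as an added example that is not the project's own tool: a small Python sanitizer that splits a URL's query string into pairs the page needs for rendering and pairs that only serve tracking, reports the fraction flagged as a simple disclosure metric, and rebuilds a share-safe URL. The key list is an assumed heuristic (utm_* campaign tags are a real convention; the other keys are illustrative), and the sample URL is constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed heuristic list of query keys used for tracking rather than rendering.
# utm_* is a real campaign-tag convention; the remaining keys are illustrative guesses.
TRACKING_KEYS = {"fbclid", "gclid", "ref", "referrer", "source"}
TRACKING_PREFIXES = ("utm_",)


def classify_query(url):
    """Split the query string into (rendering, tracking) lists of (key, value) pairs."""
    parts = urlsplit(url)
    rendering, tracking = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        k = key.lower()
        if k in TRACKING_KEYS or k.startswith(TRACKING_PREFIXES):
            tracking.append((key, value))
        else:
            rendering.append((key, value))
    return rendering, tracking


def disclosure_score(url):
    """Fraction of query pairs flagged as tracking: 0.0 means nothing to strip."""
    rendering, tracking = classify_query(url)
    total = len(rendering) + len(tracking)
    return len(tracking) / total if total else 0.0


def privacy_conscious_url(url):
    """Rebuild the URL keeping only the pairs needed to render the page."""
    parts = urlsplit(url)
    rendering, _ = classify_query(url)
    clean_query = urlencode(rendering)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, clean_query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URL, not taken from the paper.
    sample = "https://news.example/article?id=42&utm_source=twitter&utm_campaign=spring&fbclid=abc123"
    print(privacy_conscious_url(sample))          # https://news.example/article?id=42
    print(round(disclosure_score(sample), 2))     # 0.75
```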

HARD PROBLEM(S) ADDRESSED
Human Behavior; Metrics.

PUBLICATIONS

Papers published during quarter

  • Understanding Visual Perceptions of Usability and Security of Android's Graphical Password Pattern. Adam J. Aviv and Dane Fichter. Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC), 2014.

    This paper directly relates to the proposed tasks and presents a study of the perceptions of security and usability of Android's unlock password pattern. We found that perceptions of security are unaffected by spatial shifting, but greatly affected by "complexity." Most surprisingly, we can predict perceptions and find that none of the tested features alone impact perceptions; rather, the total size of the pattern was the most predictive of security perceptions.

  • Measuring Privacy Disclosures in URL Query Strings. Andrew G. West and Adam J. Aviv. Internet Computing, IEEE, 18(6): 52-59, 2014.
  • A Self-Report Survey of Android Unlock Passwords. Andrew G. West and Adam J. Aviv. Poster presentation at ACSAC 2014.

    This poster presents preliminary work on follow-up research that attempts to measure Android's unlock passwords in the wild via a self-report study in which participants self-reveal their password in a safe and secure way.

Papers submitted for publication

  • SoK: Humans in Security Systems. J. Golbeck, M. Mazurek, and C. Mayhorn. Submitted to IEEE Security & Privacy.