USE: User Security Behavior (CMU/Berkeley/University of Pittsburgh Collaborative Proposal) - January 2016
Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.
PI(s): A. Acquisti, L.F. Cranor, N. Christin, R. Telang
Researchers: Alain Forget (CMU), Serge Egelman (Berkeley), and Scott Beach (Univ of Pittsburgh)
1) HARD PROBLEM(S) ADDRESSED (with short descriptions)
This refers to Hard Problems, released November 2012.
Understanding and Accounting for Human Behavior
The Security Behavior Observatory addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild". This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. We expect the insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security & privacy, economics, and human-computer interaction.
2) PUBLICATIONS
- A. Forget, S. Pearman, J. Thomas, A. Acquisti, N. Christin, L.F. Cranor, S. Egelman, M. Harbach, R. Telang. "'My Daughter Fixes All My Mistakes': A Qualitative Study on User Engagement and Computer Security Outcomes." In preparation for submission for peer-review to the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016).
- Serge Egelman, Marian Harbach, and Eyal Peer. "Behavior Ever Follows Intention? A Validation of the Security Behavior Intentions Scale (SeBIS)." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '16), 2016. To appear.
- A. Forget, S. Komanduri, A. Acquisti, N. Christin, L.F. Cranor, R. Telang. "Security Behavior Observatory: Infrastructure for Long-term Monitoring of Client Machines." Carnegie Mellon University CyLab Technical Report CMU-CyLab-14-009. https://www.cylab.cmu.edu/research/techreports/2014/tr_cylab14009.html (accessed 2014-09-05)
- A. Forget, S. Komanduri, A. Acquisti, N. Christin, L.F. Cranor, R. Telang (2014). "Building the Security Behavior Observatory: An Infrastructure for Long-term Monitoring of Client Machines." Invited talk and poster at the IEEE Symposium and Bootcamp on the Science of Security (HotSoS) 2014.
By its very nature, this project has had a long setup phase. Building an infrastructure to collect data this robust from home computers with a wide variety of configurations has been a challenge, and it took significant time to establish and test a reliable infrastructure and to begin building a participant sample and dataset large enough for meaningful analysis. Now that we have a greater number of higher-quality sensors and participants sending us data for at least a few consecutive months, our research and data analysis have begun to result in publication submissions.
We are in the process of revising a paper for submission to the SOUPS 2016 conference. This paper combined the quantitative data collected via this infrastructure with qualitative findings from interviews with our research participants. As we continue to build more secure, reliable, and robust infrastructure, we will acquire more and better data, resulting in more publications.
Our collaborator at UC Berkeley has also submitted a publication to the SIGCHI Conference on Human Factors in Computing Systems (ACM CHI 2016) in which behavioral data is analyzed to validate the Security Behavior Intentions Scale. This publication emerged from some preliminary analysis of SBO data, and then additional online studies of security-related behaviors were run at UC Berkeley. This paper has been accepted and will appear at CHI 2016 in May. We plan to build on this preliminary work in the future by conducting additional research on the relationships between the Security Behavior Intentions scale and certain security-related behaviors observed in SBO client data.
We are currently considering where to submit another paper that more thoroughly describes the SBO infrastructure and showcases some basic results we have gathered so far. We also hope to compile the lessons learnt about building and launching such a large-scale field study into another publication.
3) KEY HIGHLIGHTS
- We are currently revising a paper in preparation for its submission to the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016) conference. This paper will examine the relationships between users' self-reported engagement in securing their computers and the actual security states and outcomes on their machines.
- We have successfully deployed version 4.0 and are currently deploying version 5.0 of our client data collection software. Version 4.0 included improvements to the network packet sensor, registry sensor, and Windows Management Interface (WMI) sensor, and it also contained multiple updates to improve the software's stability and data collection abilities.