USE: User Security Behavior (CMU/Berkeley/University of Pittsburgh Collaborative Proposal) - July 2016
Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.
PI(s): A. Acquisti, L.F. Cranor, N. Christin, R. Telang
Researchers: Alain Forget (CMU), Serge Egelman (Berkeley), and Scott Beach (Univ of Pittsburgh)
1) HARD PROBLEM(S) ADDRESSED (with short descriptions)
This refers to Hard Problems, released November 2012.
The Security Behavior Observatory addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild". This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. We expect the insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security & privacy, economics, and human-computer interaction.
2) PUBLICATIONS
- A. Forget, S. Pearman, J. Thomas, A. Acquisti, N. Christin, L.F. Cranor, S. Egelman, M. Harbach, R. Telang. "'My Daughter Fixes All My Mistakes': A Qualitative Study on User Engagement and Computer Security Outcomes." In preparation for submission for peer-review to the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016).
- Serge Egelman, Marian Harbach, and Eyal Peer. "Behavior Ever Follows Intention? A Validation of the Security Behavior Intentions Scale (SeBIS)." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '16), 2016. To appear.
- A. Forget, S. Komanduri, A. Acquisti, N. Christin, L.F. Cranor, R. Telang. "Security Behavior Observatory: Infrastructure for Long-term Monitoring of Client Machines." Carnegie Mellon University CyLab Technical Report CMU-CyLab-14-009. https://www.cylab.cmu.edu/research/techreports/2014/tr_cylab14009.html (accessed 2014-09-05)
- A. Forget, S. Komanduri, A. Acquisti, N. Christin, L.F. Cranor, R. Telang (2014). Building the Security Behavior Observatory: An Infrastructure for Long-term Monitoring of Client Machines. Invited talk and poster at the IEEE Symposium and Bootcamp on the Science of Security (HotSoS) 2014.
By its very nature, this project has included a long setup phase. Building an infrastructure to collect robust data from home computers with a wide variety of configurations has been a challenge, and it took significant time to establish and test a reliable infrastructure and to begin building a participant sample and dataset large enough for meaningful analysis. Now that we have a greater number of higher-quality sensors and a larger sample of participants, some of whom have been sending us data for as long as 15 consecutive months, our research and data analysis have begun to result in publication submissions.
In March 2016, we submitted a paper to the SOUPS 2016 conference. This paper combined the quantitative data collected via this infrastructure with qualitative findings from interviews with our research participants. As we continue to build more secure, reliable, and robust infrastructure, we will acquire more and better data, resulting in more publications.
As mentioned in the previous report, our collaborator at UC Berkeley has also submitted a publication to the SIGCHI Conference on Human Factors in Computing Systems (ACM CHI 2016) in which behavioral data is analyzed to validate the Security Behavior Intentions Scale. This publication emerged from some preliminary analysis of SBO data and additional online studies of security-related behaviors run at UC Berkeley. This paper has been accepted and will appear at CHI 2016 in May. We plan to build on this preliminary work in the future by conducting additional research on the relationships between the Security Behavior Intentions scale and certain security-related behaviors observed in SBO client data.
3) KEY HIGHLIGHTS
- We submitted a paper to the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016) conference. This paper examined the relationships between users' self-reported engagement in securing their computers and the actual security states and outcomes on their machines.
- Since the last report, we successfully deployed version 5.0 and are currently deploying version 6.0 of our client data collection software. Within each of these releases, we added sensors to collect more information from our participants that we can apply to future research. Most notably, we added a file hash sensor to calculate hash values for downloaded files and executables and a user interface sensor to record user interactions with visual elements of the applications on their computer, such as system tray notifications.