User-Centered Design for Security - UMD - July 2016
Public Audience
PI(s): Jen Golbeck and Adam J. Aviv
Researchers: Yehuda Katz, Zahra Ashktorab, Dane Fichter, Jeanne Luning-Prak, Devon Budzitowski, Ryan Kelly, Mathew Sommers, Ethan Genco, Didar Alan, Kyle Hawkins, Cody Vernon, Justin Maguire, John Davin, Susanna Heidt, Jacob Brown, Hunter Lamp, Thomas Armistead, Alexander Huang
HARD PROBLEM(S) ADDRESSED
Human Behavior; Metrics
PROJECT OVERVIEW
Our goal is to better understand human behavior within security systems, and to use that knowledge to propose, design, and build better security systems. When humans are involved in security systems in any way, usability is important. A system that is designed around natural human memory, attention, and cognitive abilities will be easy to use and lead people toward acting in secure ways; systems that force users into inherently difficult tasks lead to people circumventing security guidelines or protocols in order to get their tasks done efficiently.
We are undertaking several efforts in the usable security space, in particular in understanding the security and usability of text and graphical passwords. This research effort has led to the development of new classes (PI Golbeck), capstone projects involving undergraduates (PI Aviv), the presentation and publication of papers (PI Golbeck and PI Aviv), and numerous service opportunities that bring awareness of usable security issues to a wider audience.
Here, we detail our research efforts in the previous year for the following topic areas, which are all related to the hard problem of Human Behavior and Metrics:
- Improving Password Memorability
- Measuring Cueing Language in User Graphical Password Selection
- Understanding, Measuring and Applying User Perceptions of Security and Usability
- Privacy Conscious URL Sharing
We also outline how this research effort continues. One theme that persists is the focus on usable security issues related to mobile devices. Clearly, as mobile devices, such as smartphones, tablets, etc., continue to proliferate as the primary computer for many individuals, understanding their usability and security impact remains a primary focus for this research effort.
UPDATES SINCE LAST REPORT: Since the last report, we are in the middle of data collection for a password memorability project and we completed a survey of privacy concerns related to data used in personalization. We have also begun developing new metrics for shoulder surfing vulnerability. Additionally, we presented a poster at SOUPS on strength meters for patterns.
----------------------------------------------------
Improving Password Memorability: This project is based around designing mechanisms to help people remember passwords more effectively. Password resets are a point of insecurity, so the more often people can remember their passwords, the more this risk is reduced. We have designed an experiment to test how well memorization techniques can be applied to passwords.
Since our last report, we have had our app accepted into the iPhone store (you can download a copy - CrainTrainX) and launched a new study which you, too, can join at http://www.cs.umd.edu/~golbeck/exp/passwordmem/
We are currently recruiting participants and collecting data.
Measuring Cueing Language in User Graphical Password Selection. When users are asked to select passwords, they are asked to select a "strong" password, but how effective is this language compared to other language choices, such as "unique" or "secure", or other visual or textual indicators that could be used prior to selecting a password? Current efforts in this domain are developing an empirical research methodology that can test hypotheses regarding user cueing and the eventual password selection, focusing first on graphical passwords and later extending to text-based passwords. The results of this research will lead to the better design of security procedures, which could "nudge" users towards more secure choices.
With efforts from research students Jeanne Luning-Prak and Devon Budzitowski, we have developed a pilot study to be run on Amazon Mechanical Turk. The survey requires participants to select an initial graphical password, after which they are cued that the choice was insufficient in some way. A participant selects again after the cue, and the difference between these choices, together with a later test of recall, informs us of how well the cueing works for different cues. Following up on this effort, undergraduate student Susanna Heidt has done a comparative study of pattern strength meters. This work was accepted as a poster at SOUPS'16.
Figure 2: A sample cue from pilot study on improving password choice
User Perception of Data Sharing and Privacy
Since our last report, we have completed a paper on user perception and understanding of privacy issues related to personal information sharing in apps. In the paper which we just published in Future Internet, we focused on Facebook apps and set out to understand how concerned users are about privacy and how well-informed they are about what personal data apps can access. We found that initially, subjects were generally under-informed about what data apps could access from their profiles. After viewing additional information about these permissions, subjects' concern about privacy on Facebook increased. Subjects' understanding of what data apps were able to access increased, although even after receiving explicit information on the topic, many subjects still did not fully understand the extent to which apps could access their data.
Metrics for Shoulder Surfing Vulnerability
Undergraduate student John Davin is spearheading a new project on measuring the strength of authentication systems against shoulder surfing attacks. To do this, we have developed a new methodology that can properly measure this vulnerability. The method will include performing a series of recordings of a user authenticating on a mobile device from multiple camera angles and with multiple authentication systems (e.g., PIN, pattern, password). We will then recruit participants to perform as attackers and attempt to measure how successful those attacks are under the various conditions of the test. We expect this project to expand in the fall.
Figure 4: Sample videos for measuring shoulder surfing from multiple angles.
Network-based Behavior Biometrics
In Summer 2016, Golbeck and her team also began a project on social network-based behavioral biometrics as a mechanism for deanonymization. Understanding which social features can be used for deanonymization can lead to suggestions of cloaking behaviors that people can use to improve their chances of remaining anonymous. We are working with datasets from Flickr and Twitter for this first phase of analysis.
SERVICE
- Keynote presentation by Jennifer Golbeck at Northrop Grumman (June 2016)
- Keynote presentation by Jennifer Golbeck at Guidance Software EnFuse Conference (June 2016)
- Keynote presentation by Jennifer Golbeck at ISC2 CyberSecure Gov (May 2016)
- Keynote presentation by Jennifer Golbeck at ICI Mutual (April 2016)
- Invited Talk by Adam Aviv at International Computer Science Institute (March 2016)
- Program Committee Member, Adam Aviv, Privacy Enhancing Technologies Symposium (PETS'17)
- Program Committee Member, Adam Aviv, Annual Computer Security Applications Conference (ACSAC'16)
- Program and Steering Committee Member, Adam Aviv, Advances in Computer Security Education (ASE) Workshop
- "Security and Social Engineering", Time Warner Security Summit (Keynote), Santa Monica, CA (Jen Golbeck)
- "Data Analytics of Security", Ingram Micro Vantage Denver (Keynote), Denver, CO (Jen Golbeck)
- "Human Side of Security", Ingram Micro Vantage Kansas City, Kansas City, MO (Jen Golbeck)
- Program Committee Member, Adam Aviv, Privacy Enhancing Technologies Symposium (PETS'16)
- Workshop and Tutorial Chair, Adam Aviv, Symposium on Usable Privacy and Security (SOUPS'16)
- Invited Talk by Adam Aviv at Carnegie Mellon University (Feb. 2016)
- Invited Talk by Adam Aviv at the DC-Area Privacy and Security Meeting (Nov. 2015)
- Program Committee Member, Adam Aviv, Usable Security Workshop (USEC'16)
- Program Committee Member, Adam Aviv, Symposium on Access Control Models and Technologies (SACMAT'16)
- Program Committee Member, Adam Aviv, Privacy Enhancing Technologies Symposium (PETS'15, PETS'16)
- Program Co-Chair, Adam Aviv, 8th Workshop on Cyber Security Evaluation and Test (CSET'15)
- Wireless Security Track Chair, Adam Aviv, IEEE Vehicular Technology Conference (VTC Fall 2015)
- Invited Talk at IEEE Intelligence and Security Informatics Conference, May 2015
- Invited Talk by Adam Aviv at University of Maryland Baltimore County on "Human Factors in Mobile Device Authentication", Jan 16, 2015
- Invited Talk by Adam Aviv at Carnegie Mellon University on "Measuring Visual Perceptions of Security: Case Study of Android's Graphical Password", Jul 2, 2014
- Coursera MOOC, Jennifer Golbeck, "Usable Security", offered once in 2014 and once in 2015. A total of 55,000 students registered for this course
- Keynote Presentation by Jennifer Golbeck, "Privacy and Social Media", presented at Howard County Gifted Middle School Expo, May 29, 2015
- Keynote Presentation by Jennifer Golbeck, "Data Analytics and Security", presented at Ingram Micro Vantage Kansas City, February 18, 2015
- Keynote Presentation by Jennifer Golbeck, "Toward Usable Security", presented at National Cyber Security Awareness Month, ATS, Inc.
PUBLICATIONS
Papers/Workshops/Posters published in 2016
- Preliminary Findings from an Exploratory Qualitative Study of Security-Conscious Users of Mobile Authentication. Flynn Wolf, Ravi Kuber, and Adam J. Aviv. In the proceedings of the Workshop on Security Information Workers. 2016.
- Position Paper: Measuring the Impact of Alphabet and Culture on Graphical Passwords. Adam J. Aviv, Markus Duermuth and Payas Gupta. In the proceedings of the Who Are You?! Adventures in Authentication Workshop. 2016.
- Towards Non-Observable Authentication for Mobile Devices. Flynn Wolf, Ravi Kuber, and Adam J. Aviv. Poster presented at SOUPS'16.
- Refining Graphical Password Strength Meters. Susanna Heidt and Adam J. Aviv. Poster presented at SOUPS'16.
- Analyzing the Impact of Collection Methods and Demographics for Android's Pattern Unlock. Adam J. Aviv, Justin Maguire, and Jeanne Luning-Prak. In the proceedings of the Workshop on Usable Security (USEC). 2016.
- Developing and Evaluating a Gestural and Tactile Mobile Interface to Support User Authentication. Abdullah Ali, Adam J. Aviv, and Ravi Kuber. To appear at the iConference. 2016.
- User Perception of Facebook App Data Access: A Comparison of Methods and Privacy Concerns. Jennifer Golbeck and Matthew Louis Mauriello. Future Internet, 8(2), 9. 2016.
Papers/Workshops/Posters published in 2015
- Is Bigger Better? Comparing User Generated Passwords on 3x3 vs 4x4 Grid Sizes for Android's Pattern Unlock. Adam J. Aviv, Devon Budzitowski, and Ravi Kuber. In the proceedings of the Annual Computer Security Applications Conference (ACSAC). 2015.
- Do Bigger Grid Sizes Mean Better Passwords? 3x3 vs. 4x4 Grid Sizes for Android Unlock Patterns. Devon Budzitowski, Adam J. Aviv, and Ravi Kuber. Poster presented at the Symposium on Usable Privacy and Security (SOUPS). 2015.
- Comparisons of Data Collection Methods for Android Graphical Pattern Unlock. Adam J. Aviv and Jeanne Luning-Prak. Poster presented at the Symposium on Usable Privacy and Security (SOUPS). 2015.
- Alternative Keyboard Layouts for Improved Password Entry and Creation on Mobile Devices. Ethan Genco, Ryan Kelley, Cody Vernon and Adam J. Aviv. Poster presented at the Symposium on Usable Privacy and Security (SOUPS). 2015.
Papers/Workshops/Posters published in 2014
- Understanding Visual Perceptions of Usability and Security of Android's Graphical Password Pattern. Adam J. Aviv and Dane Fichter. Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC), 2014.
- Measuring Privacy Disclosures in URL Query Strings. Andrew G. West and Adam J. Aviv. IEEE Internet Computing, 18(6): 52-59, 2014.
- On the Privacy Concerns of URL Query Strings. Andrew G. West and Adam J. Aviv. Workshop on Web 2.0 Security and Privacy. May, 2014.
- A Self-Report Survey of Android Unlock Passwords. Jeanne Luning-Prak and Adam J. Aviv. Poster presentation at ACSAC 2014.
Papers submitted for Publication
- SoK: Humans in Security Systems. J. Golbeck, M. Mazurek, and C. Mayhorn. Submitted to IEEE Security & Privacy.