User-Centered Design for Security - UMD - April 2017


PI(s): Jen Golbeck and Adam J. Aviv
Researchers: Yehuda Katz,  Zahra Ashktorab, Dane Fichter, Jeanne Luning-Prak, Devon Budzitowski, Ryan Kelly, Mathew Sommers, Ethan Genco, Didar Alan, Kyle Hawkins, Cody Vernon, Justin Maguire, John Davin, Susanna Heidt, Jacob Brown, Hunter Lamp, Thomas Armistead, Alexander Huang, Stephen Chan, Hannah Urbaczewski

 

HARD PROBLEM(S) ADDRESSED

Human Behavior; Metrics

 

PROJECT OVERVIEW

Our goal is to better understand human behavior within security systems, and to use that knowledge to propose, design, and build better security systems. When humans are involved in security systems in any way, usability is important. A system that is designed around natural human memory, attention, and cognitive abilities will be easy to use and lead people toward acting in secure ways; systems that force users into inherently difficult tasks lead to people circumventing security guidelines or protocols in order to get their tasks done efficiently.

We are undertaking several efforts in the usable security space, in particular in understanding the security and usability of text and graphical passwords. This research effort has led to the development of new classes (PI Golbeck), capstone projects involving undergraduates (PI Aviv), the presentation and publication of papers (PI Golbeck and PI Aviv), and numerous service opportunities that bring awareness of usable security issues to a wider audience.

Here, we detail our research efforts for this project on Human Behavior and Metrics (updated since the last report):

  • Improving Password Memorability
  • Network Based Behavior Biometrics
  • User Perception of Data Sharing and Privacy
  • Metrics to Assess the Shoulder Surfing Vulnerability of Mobile Authentication
  • (NEW!) Mobile Privacy Perceptions and the Impact on Mobile Device Authentication (evolution of prior topics)
  • (NEW!) Understanding Password Changing Strategies of Users under High Password Turnover
  • (-completed-) Privacy Conscious URL Sharing

We also outline how this research effort continues to progress. One theme that persists is the focus on usable security issues related to mobile devices. As mobile devices, such as smartphones and tablets, continue to proliferate as the primary computer for many individuals, understanding their usability and security impact remains a primary focus for this research effort.

UPDATES SINCE LAST REPORT: Since the last report, we have completed the prototype for the shoulder-surfing study and are preparing to launch in-lab studies and on-line studies; data should be collected and analyzed by the next report. Additionally, we are advancing a new project in understanding humans' interaction with password policies that require frequent changing of passwords, as is the case within the DoD, by analyzing those policies, data collected from the institution's password portal, and designing studies to assess the mental models associated with how users change their passwords.

Work on measuring Cueing Language has evolved into a new project that is focused on users' perceptions of privacy on mobile devices and how that perception affects choices of mobile authentication. We currently have ongoing work to repeat prior experiments and add further questions based on prior measurements.

We conducted a study on user security and privacy concerns that arise when internet service providers install public wifi hotspots on their home routers. This paper was submitted to the ACM Wireless Security Conference.

We also conducted a study on user privacy concerns and their relationship to consent with respect to information commonly used in personalization and recommendation systems. This paper was submitted to RecSys.

Finally, work on privacy conscious URL sharing has fully completed and no further work on this will be provided in future reports. 

----------------------------------------------------

Improving Password Memorability

This project is based around designing mechanisms to help people remember passwords more effectively. Password resets are a point of insecurity, so the more often people can remember their passwords, the more this risk is reduced. We have designed an experiment to test how well memorization techniques can be applied to passwords.

Since our last report, we have had our app accepted into the iPhone store (you can download a copy - CrainTrainX) and launched a new study which you, too, can join at http://www.cs.umd.edu/~golbeck/exp/passwordmem/.

We are currently recruiting participants and collecting data. 

Mobile Privacy Perceptions and the Impact on Mobile Device Authentication

This project is the evolution of the prior project, Measuring Cueing Language in User Graphical Password Selection, where we are now focusing on the mental models of privacy applied to mobile devices and how those models may affect the choice of mobile authentication. The project evolution is driven in part by the need to better understand the current state of affairs before attempting to change behavior. The research methods build upon prior work and collected data, with a focus on repeating prior experiments to see how password selection has changed since this research was first conducted, and also adding additional questionnaires for participants. This research is being conducted by Adam Aviv in collaboration with a colleague at USNA, Stephen Chan, and Ravi Kuber at UMBC.

User Perception of Data Sharing and Privacy 

Since our last report, we have completed a paper on user perception and understanding of privacy issues related to personal information sharing in apps. In the paper, which we just published in Future Internet, we focused on Facebook apps and set out to understand how concerned users are about privacy and how well-informed they are about what personal data apps can access. We found that initially, subjects were generally under-informed about what data apps could access from their profiles. After viewing additional information about these permissions, subjects' concern about privacy on Facebook increased. Subjects' understanding of what data apps were able to access increased, although even after receiving explicit information on the topic, many subjects still did not fully understand the extent to which apps could access their data.

Metrics for Shoulder Surfing Vulnerability

Undergraduate student John Davin is spearheading a new project on measuring the resistance of authentication systems to shoulder surfing attacks. To do this, we have developed a new methodology that can properly measure this vulnerability. The method will include performing a series of recordings of users authenticating on a mobile device, from multiple camera angles and across multiple authentication systems (e.g., PIN, pattern, password). We will then recruit participants to act as attackers and attempt to measure how successful those attacks are under the various conditions of the test. We expect this project to expand in the fall.

Figure 1: Sample videos for measuring shoulder surfing from multiple angles. 

The on-line survey for this project has been completed and is in the process of being launched for measurement in both in-lab and on-line studies via Amazon Mechanical Turk. We hope to start data analysis within the next 3 months.

Network-based Behavior Biometrics

In Summer 2016, Golbeck and her team also began a project on social network-based behavioral biometrics as a mechanism for deanonymization.  Understanding which social features can be used for deanonymization can lead to suggestions of cloaking behaviors that people can use to improve their chances of remaining anonymous. We are working with datasets from Flickr and Twitter for this first phase of analysis.

Understanding Password Changing Strategies under High Password Change Settings

This project is led by PI Adam Aviv at the Naval Academy in collaboration with an undergraduate student, Hannah Urbaczewski. The goal of this project is to measure human interaction with password changing policies and how this might affect the security of password selection and modification. We propose to measure this by doing a policy analysis in discussion with the IT staff at USNA. Following that, we will conduct face-to-face interviews with users under that policy to better understand strategies for password selection when frequent password changes are required, e.g., every 90 days. Finally, we intend to conduct studies where participants, given a base password, must guess other participants' modifications to that password, as would likely be the case under a password change.

User Concerns with Public Wifi Hotspots on Private Routers

This work was conducted by PI Golbeck at the University of Maryland. Cable companies and Internet Service Providers have begun to offer public wifi hotspots run through customers' in-home wireless routers. This greatly expands the number of hotspots a company can offer, but it is often done without the consent of the customers and sometimes without informing them that it is happening. This has led to a range of privacy and security concerns among the customers whose routers are used. In this paper, we analyze 501 online comments posted to news stories about this practice to develop a taxonomy of user concerns and identify their frequency. We found only about 19% of comments were unconcerned about the practice. Of those concerned, over 40% believed the practice was a violation of autonomy. Worries about quality of service impacts were similarly common. Issues of trust, legal liability, deceptive practices, and power were also quite common. We present these results and offer a discussion of the implications. Submitted to ACM WiSec 2017.

The Importance of Consent in User Comfort with Personalization

This work was conducted by PI Golbeck at the University of Maryland. Numerous research projects have documented concerns that users have with data commonly used by recommender systems. In this paper, we extend that work by specifically investigating the link between consent, explicitly given, and privacy concern. In a study with 662 subjects, we found that the majority of users would not consent to data from outside systems being used to personalize their experience, and sizable minorities object to even internal system data being used. Among those who said they could consent, we found they are often uncomfortable with the data being used if they are not asked to consent, but become comfortable after they can explicitly give their consent. We discuss implications for recommender systems going forward, specifically with respect to incorporating data into algorithms when users are unlikely to consent to its use. Submitted to RecSys 2017.

 

SERVICE

Presentation by Jennifer Golbeck at  University of Pittsburgh Big Data Science Colloquium (March 2017)
"Foretold Futures from Digital Footprints: Artificial Intelligence, Behavior Prediction, and Privacy"

Keynote by Jennifer Golbeck at University of Tennessee Social Media Week  (February 2017)
''Algorithmic Servants or Algorithmic Tyranny: Living With a Predicted Future''

Keynote by Jennifer Golbeck at Washington & Lee University Mudd Center for Ethics (February 2017)
"Foretold Futures from Digital Footprints: Artificial Intelligence, Behavior Prediction, and Privacy"

JPETS Technical Committee by Adam Aviv (January 2017)

Workshop and Tutorial Chair at SOUPS by Adam Aviv (March 2017)

NSPW Program Committee by Adam Aviv (January 2017)

Institutional Review Board member at USNA by Adam Aviv (September 2016)

Keynote presentation by Jennifer Golbeck at Northrop Grumman (June 2016)

Keynote presentation by Jennifer Golbeck at Guidance Software EnFuse Conference (June 2016)

Keynote presentation by Jennifer Golbeck at ISC2 CyberSecure Gov (May 2016)

Keynote presentation by Jennifer Golbeck at ICI Mutual (April 2016)

Invited Talk by Adam Aviv at International Computer Science Institute (March 2016)

Program Committee Member by Adam Aviv for Privacy Enhancing Technologies Symposium (PETS'17)

Program Committee Member by Adam Aviv for the Annual Computer Security Applications Conference (ACSAC'16)

Program and Steering Committee Member by Adam Aviv for Advances in Computer Security Education (ASE) Workshop

"Security and Social Engineering" Time Warner Security Summit (Keynote) Santa Monica, CA  (Jen Golbeck)

"Data Analytics of Security",  Ingram Micro Vantage Denver (Keynote), Denver, CO  (Jen Golbeck)

"Human Side of Security",  Ingram Micro Vantage Kansas City,  Kansas City, MO  (Jen Golbeck)

Program Committee Member, Adam Aviv, Privacy Enhancing Technology Symposium (PETS'16)

Workshop and Tutorial Chair, Adam Aviv, at Symposium on Usable Security and Privacy (SOUPS'16)

Invited Talk by Adam Aviv at Carnegie Mellon University (Feb. 2016)

Invited Talk by Adam Aviv at the DC-Area Privacy and Security Meeting (Nov. 2015)

Program Committee Member by Adam Aviv for Usable Security Workshop (USEC'16)

Program Committee Member by Adam Aviv for Symposium on Access control Models and Technologies (SACMAT'16)

Program Committee Member by Adam Aviv for Privacy Enhancing Technology Symposium (PETS'15, PETS'16)

Program Co-Chair service by Adam Aviv, 8th Workshop on Cyber Security Evaluation and Test (CSET’15).

Wireless Security Track Chair for IEEE VTC Fall 2015 service by Adam Aviv. IEEE Vehicular Technology Conference.

Invited Talk at IEEE Intelligence and Security Informatics Conferences May 2015. 

Invited Talk by Adam Aviv at University of Maryland Baltimore County on “Human Factors in Mobile Device Authentication.” Jan 16, 2015.

Invited Talk by Adam Aviv at Carnegie Melon University on “Measuring Visual Perceptions of Security: Case study of Android’s Graphical Password” Jul 2, 2014.

Coursera MOOC, Jennifer Golbeck, "Usable Security", offered once in 2014 and once in 2015. A total of 55,000 students registered for this course.

Keynote Presentation  by Jennifer Golbeck, "Privacy and Social Media", presented at Howard County Gifted Middle School Expo, May 29, 2015

Keynote Presentation by Jennifer Golbeck, "Data Analytics and Security" presented at Ingram Micro Vantage Kansas City, February 18, 2015.

Keynote Presentation by Jennifer Golbeck, "Toward Usable Security", presented at National Cyber Security Awareness Month, ATS, Inc.

PUBLICATIONS

Papers in Submission/Preparation:

  • User Concerns with Personal Routers Used as Public Wi-fi hotspots. Jennifer Golbeck. Submitted to ACM WiSec
  • The Importance of Consent in User Comfort with Personalization. Jennifer Golbeck. Submitted to RecSys
  • Do Privacy Attitudes on Mobile Devices Impact the Strength of Unlock Authentication? Adam J. Aviv, Ravi Kuber and Stephen Chan. 
  • An Empirical Study Examining the Perceptions and Behaviors of Security Conscious Users of Mobile Authentication. Flynn Wolfe, Ravi Kuber and Adam J. Aviv. 
  • SoK: Collection and Analysis Methods for Android's Graphical Password Unlock. Adam J. Aviv, Markus Duermuth, and Ravi Kuber.
  • Baseline Measurements of Shoulder Surfing Analysis and Comparability for Smartphone Unlock Authentication. John Davin, Adam J. Aviv, Flynn Wolfe, and Ravi Kuber. 
  • SoK: Humans in Security Systems. J. Golbeck, M. Mazurek, and C. Mayhorn. 

Papers/Workshops/Posters published since start of Project

  • Preliminary Findings from an Exploratory Qualitative Study of Security-Conscious Users of Mobile Authentication.  Flynn Wolf, Ravi Kuber, and Adam J. Aviv. In the proceedings of the Workshop on Security Information Workers. 2016.
  • Position Paper: Measuring the Impact of Alphabet and Culture on Graphical Passwords.  Adam J. Aviv, Markus Duermuth and Payas Gupta. In the proceedings of the Who Are You?! Adventures in Authentication Workshop. 2016.
  • Towards Non-Observable Authentication for Mobile Devices. Flynn Wolf, Ravi Kuber, and Adam J. Aviv. Poster presented at SOUPS'16.
  • Refining Graphical Password Strength Meters. Susanna Heidt and Adam J. Aviv. Poster presented at SOUPS'16.
  • Analyzing the Impact of Collection Methods and Demographics for Android's Pattern Unlock. Adam J. Aviv, Justin Maguire, and Jeanne Luning-Prak. In the proceedings of the Workshop on Usable Security (USEC). 2016.
  • Developing and Evaluating a Gestural and Tactile Mobile Interface to Support User Authentication. Abdullah Ali, Adam J. Aviv, and Ravi Kuber. To appear at the iConference. 2016.
  • User Perception of Facebook App Data Access: A Comparison of Methods and Privacy Concerns. Jennifer Golbeck, Matthew Louis Mauriello. Future Internet, 8(2), 9. 2016.

Papers/Workshop/Posters published in 2015

  • Is Bigger Better? Comparing User Generated Passwords on 3x3 vs 4x4 Grid Sizes for Android's Pattern Unlock. Adam J. Aviv, Devon Budzitowski, and Ravi Kuber. In the proceedings of the Annual Applied Computer Security Conference (ACSAC). 2015.
  • Do Bigger Grid Sizes Mean Better Passwords? 3x3 vs. 4x4 Grid Sizes for Android Unlock Patterns. Devon Budzitowski, Adam J. Aviv, and Ravi Kuber. Poster to be presented at Symposium on Usable Security and Privacy (SOUPS). 2015.
  • Comparisons of Data Collection Methods for Android Graphical Pattern Unlock. Adam J. Aviv and Jeanne Luning-Prak. Poster to be presented at Symposium on Usable Security and Privacy (SOUPS). 2015.
  • Alternative Keyboard Layouts for Improved Password Entry and Creation on Mobile Devices. Ethan Genco, Ryan Kelley, Cody Vernon and Adam J. Aviv. Poster to be presented at Symposium on Usable Security and Privacy (SOUPS). 2015.
  • Understanding Visual Perceptions of Usability and Security of Android's Graphical Password Pattern. Adam J. Aviv and Dane Fichter. Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC), 2014.
  • Measuring Privacy Disclosures in URL Query Strings. Andrew G. West and Adam J. Aviv. Internet Computing, IEEE, 18(6): 52-59, 2014.
  • On the Privacy Concerns of URL Query Strings. Andrew G. West and Adam J. Aviv. Workshop on Web 2.0 Security and Privacy. May, 2014.
  • A Self-Report Survey of Android Unlock Passwords. Jeanne Luning-Prak and Adam J. Aviv. Poster presentation at ACSAC 2014.