USE: User Security Behavior (CMU/Berkeley/University of Pittsburgh Collaborative Proposal) - July 2017
Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.
PI(s): A. Acquisti, L.F. Cranor, N. Christin, R. Telang
Researchers: Alain Forget (CMU), Serge Egelman (Berkeley), and Scott Beach (Univ of Pittsburgh)
1) HARD PROBLEM(S) ADDRESSED (with short descriptions)
This refers to Hard Problems, released November 2012.
The Security Behavior Observatory addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild". This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. We expect the insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security & privacy, economics, and human-computer interaction.
2) PUBLICATIONS
- C. Canfield, B. Fischoff, A. Davis, A. Forget, S. Pearman, and J. Thomas. 2017. Replication: Challenges in Using Data Logs to Validate Phishing Detection Ability Metrics. In Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017).
3) KEY HIGHLIGHTS
We had a paper accepted to SOUPS 2017 (which will take place July 12-14). This paper replicates the work of another paper that had used signal detection theory to assess participants' vulnerability to phishing attacks. The previous paper had used survey data from online participants, and our paper employs in-situ data from the Security Behavior Observatory (SBO) as well as survey responses from SBO participants to test the construct validity and predictive validity of the measures used in the previous study. The paper reports some evidence of construct validity but does not show evidence of predictive validity: SBO participants' signal detection measures from their survey data did not appear to be related to measures of security outcomes observed in their in-situ behavioral data (e.g., counts of malware infection rates or visits to blacklisted URLs).
4) COMMUNITY ENGAGEMENTS - if applicable
N/A
5) EDUCATIONAL ADVANCES - if applicable
N/A
- Approved by NSA
- NSA Program Manager
- Scalability and Composability
- Policy-Governed Secure Collaboration
- Metrics
- Resilient Architectures
- Human Behavior
- CMU
- A Language and Framework for Development of Secure Mobile Applications
- Epistemic Models for Security
- Geo-Temporal Characterization of Security Threats
- Highly Configurable Systems
- Multi-Model Run-Time Security Analysis
- Race Vulnerability Study and Hybrid Race Detection
- Real-time Privacy Risk Evaluation and Enforcement
- Science of Secure Frameworks
- Secure Composition of Systems and Policies
- Security Reasoning for Distributed Systems with Uncertainty
- Usable Formal Methods for the Design and Composition of Security and Privacy Policies
- USE: User Security Behavior
- August'17