Characterizing user behavior and anticipating its effects on computer security with a Security Behavior Observatory - July 2019
PI(s), Co-PI(s), Researchers:
Lorrie Cranor, Nicolas Christin
Researchers: Sarah Pearman, Jeremy Thomas
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
The Security Behavior Observatory addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild". This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. We expect the insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security & privacy, economics, and human-computer interaction.
PUBLICATIONS
- Accepted conference paper:
- Why people (don't) use password managers effectively. Sarah Pearman, Shikun Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Cranor. To be published in Proceedings of the Symposium on Usable Privacy and Security (SOUPS 2019). Will be presented in Santa Clara, CA in August 2019.
- This paper addresses the hard problem of "Understanding and Accounting for Human Behavior," in particular addressing the question of why more users do not adopt tools to help them manage passwords despite finding password security challenging.
PUBLIC ACCOMPLISHMENT HIGHLIGHTS
The purpose is to give our immediate sponsors a body of evidence that the funding they are providing is delivering results that "more than justify" the investment they are making.
- Why people (don't) use password managers effectively. Sarah Pearman, Shikun Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Cranor. To be published in Proceedings of the Symposium on Usable Privacy and Security (SOUPS 2019). Will be presented in Santa Clara, CA in August 2019.
- This paper is a follow-up to a paper that we published at CCS 2017. We conducted interviews with a separate sample of 30 participants to follow up on previous findings that suggested that people using password managers did not necessarily have stronger passwords or decreased password reuse. Our results suggested that users of built-in password managers may have different underlying motivations for using password tools (i.e., mostly focused on convenience) and may thus use those tools to aid their insecure password habits, whereas people using separately installed password managers seem to be more motivated to prioritize security.
- Systems of password authentication are especially affected by the hard problem of understanding and accounting for human behavior, since human behavior and capabilities tend to be directly at odds with what are considered the most secure password practices. This line of research, which seeks to understand why users choose various existing password tools and why those tools are or are not leading to more secure password practices, is crucial for finding usable solutions for managing authentication.
COMMUNITY ENGAGEMENTS
EDUCATIONAL ADVANCES (If Applicable)