Characterizing user behavior and anticipating its effects on computer security with a Security Behavior Observatory - July 2020
PI(s), Co-PI(s), Researchers:
Lorrie Cranor, Nicolas Christin
Researchers: Sarah Pearman, Jeremy Thomas
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
The Security Behavior Observatory addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild". This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. We expect the insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security & privacy, economics, and human-computer interaction.
PUBLICATIONS
- (How) Do people change their passwords after a breach? Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia. Appeared at the Workshop on Technology and Consumer Protection (ConPro 2020). Virtual Conference, May 21, 2020.
PUBLIC ACCOMPLISHMENT HIGHLIGHTS
The purpose is to give our immediate sponsors a body of evidence that the funding they are providing is delivering results that "more than justify" the investment they are making.
We have been working on multiple papers examining user responses to breaches. One of these papers, which examines password behavior after password breaches, was accepted and appeared at the ConPro 2020 workshop during the most recent quarter. In this paper, we used the Security Behavior Observatory (SBO) dataset to examine specific password breaches and determine how often people actually change their passwords in the aftermath of a breach and how constructive these changes are.
The SBO addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild". This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected.
COMMUNITY ENGAGEMENTS
EDUCATIONAL ADVANCES (If Applicable)