Human Aspects

Warning messages are one of the last lines of defense in computer security, and are fundamental to users' security interactions with technology. Unfortunately, research shows that users routinely ignore security warnings. A key contributor to this disregard is habituation, the diminishing of attention due to frequent exposure. However, previous research examining habituation has done so only indirectly, by observing the influence of habituation on security behavior, rather than measuring habituation itself.

Online social engineering attacks have been often used for cybercrime activities. These attacks are low cost and complicate attack attribution. Pure technical defense solutions cannot counter them, which rely on human gullibility. Humans often engage in short-cut decision-making, which can lead to errors. Another expectation is that users should be able to understand complex security tips, which do not consider user demographics. User age has been overlooked in understanding these attacks and user behavior related to them.

Adolescents are at higher risk of engaging in risky behaviors in online social networks. This project develops digital intervention solutions to motivate, educate, support and engender safe social networking behaviors among adolescents. It significantly extends the current understanding of adolescent motivations for engaging in risky online behaviors and the state-of-the-art solutions for reducing adolescent exposure to such behaviors.

Despite an emphasis the security community places on the importance of producing secure software, the number of new security vulnerabilities in software increases every year. This research is based on the assumption that software vulnerabilities are caused by misunderstandings, or lack of knowledge, called blind spots, which the developers experience while they are building systems. When building systems, developers often focus more on functional requirements than on non-functional ones, such as security.

Cryptographic systems often rely on the secrecy of cryptographic credentials; however, these are vulnerable to eavesdropping and can resist neither a user's intentional disclosure nor coercion attacks where the user is forced to reveal the credentials. Conventional biometric keys (e.g., fingerprint, iris, etc.), unfortunately, can still be surreptitiously duplicated or adversely revealed. In this research, the PIs argue that the most secure cryptographic credentials are ones of which the users aren't even aware.