Usable Security: History, Themes, and Challenges

There have been roughly 15 years of research into aligning human-computer interaction (HCI) with computer security, more colloquially known as "usable security." Although usability and security were once thought to be inherently antagonistic, today there is wide consensus that systems that are not usable will inevitably suffer security failures once they are deployed in the real world. Only by addressing usability and security concerns simultaneously can we build systems that are truly secure. This book presents the historical context of the work to date on usable security and privacy, creates a taxonomy for organizing that work, outlines current research objectives, presents lessons learned, and makes suggestions for future research.

Table of Contents: Acknowledgments / Figure Credits / Introduction / A Brief History of Usable Privacy and Security Research / Major Themes in UPS Academic Research / Lessons Learned / Research Challenges / Conclusion: The Next Ten Years / Bibliography / Authors' Biographies


[281]  Robert Biddle,et al.  Graphical passwords: Learning from the first twelve years , 2012, CSUR.

[282]  Linda Little,et al.  Ubiquitous systems and the family: thoughts about the networked home , 2009, SOUPS.

[283]  Kasia Muldner,et al.  Toward understanding distributed cognition in IT security management: the role of cues and norms , 2011, Cognition, Technology & Work.

[284]  Laurianne McLaughlin Online fraud gets sophisticated , 2003, IEEE Internet Computing.

[285]  Jakob Nielsen,et al.  Usability engineering , 1997, The Computer Science and Engineering Handbook.

[286]  Lorrie Faith Cranor,et al.  A user study of the expandable grid applied to P3P privacy policy visualization , 2008, WPES '08.

[287]  Lorrie Faith Cranor,et al.  Empirical models of privacy in location sharing , 2010, UbiComp.

[288]  Brent Waters,et al.  A convenient method for securely managing passwords , 2005, WWW '05.

[289]  David A. Wagner,et al.  I've got 99 problems, but vibration ain't one: a survey of smartphone users' concerns , 2012, SPSM '12.

[290]  Dan Boneh,et al.  Stronger Password Authentication Using Browser Extensions , 2005, USENIX Security Symposium.

[291]  Shari Lawrence Pfleeger,et al.  Going Spear Phishing: Exploring Embedded Training and Awareness , 2014, IEEE Security & Privacy.

[292]  Srdjan Capkun,et al.  Influence of user perception, security needs, and social factors on device pairing method choices , 2010, SOUPS.

[293]  Lujo Bauer,et al.  Out of sight, out of mind: Effects of displaying access-control information near the item it controls , 2012, 2012 Tenth Annual International Conference on Privacy, Security and Trust.

[294]  Shriram Krishnamurthi,et al.  Oops, I did it again: mitigating repeated access control errors on facebook , 2011, CHI.

[295]  Blase Ur,et al.  Correct horse battery staple: exploring the usability of system-assigned passphrases , 2012, SOUPS.

[296]  L. J. Camp,et al.  Eliminating Stop-Points in the Installation and Use of Anonymity Systems : a Usability Evaluation of the Tor Browser Bundle , 2012 .

[297]  Clare-Marie Karat,et al.  Usable security and privacy: a case study of developing privacy management tools , 2005, SOUPS '05.

[298]  Hassan Takabi,et al.  Exploring reactive access control , 2010, CHI Extended Abstracts.

[299]  Sidney Fels,et al.  Studying IT Security Professionals: Research Design and Lessons Learned , 2007 .

[300]  Frederic Stutzman,et al.  Boundary regulation in social media , 2012, CSCW.

[301]  Pamela J. Wisniewski,et al.  Fighting for my space: coping mechanisms for sns boundary regulation , 2012, CHI.

[302]  Sebastian Günther Folk Models of Home Computer Security , 2012 .

[303]  Adrienne Porter Felt,et al.  Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness , 2013, USENIX Security Symposium.

[304]  Adam J. Aviv,et al.  Smudge Attacks on Smartphone Touch Screens , 2010, WOOT.

[305]  Adrian Perrig,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Déjà Vu: A User Study Using Images for Authentication , 2000 .

[306]  Heather Richter Lipford,et al.  +Your circles: sharing behavior on Google+ , 2012, SOUPS.

[307]  Khai N. Truong,et al.  Improving users' security choices on home wireless networks , 2010, SOUPS.

[308]  Lorrie Faith Cranor,et al.  Human selection of mnemonic phrase-based passwords , 2006, SOUPS '06.

[309]  Lorrie Faith Cranor,et al.  Are your participants gaming the system?: screening mechanical turk workers , 2010, CHI.

[310]  J. Yan,et al.  Password memorability and security: empirical results , 2004, IEEE Security & Privacy Magazine.

[311]  Arun Kumar,et al.  Article in Press Pervasive and Mobile Computing ( ) – Pervasive and Mobile Computing a Comparative Study of Secure Device Pairing Methods , 2022 .

[312]  K. Strater,et al.  Strategies and struggles with privacy in an online social networking community , 2008 .

[313]  高田哲司,et al.  "Exploring the Design Space of Graphical Passwords on Smartphones"の紹介 , 2013 .

[314]  Douglas A. Reynolds,et al.  SHEEP, GOATS, LAMBS and WOLVES A Statistical Analysis of Speaker Performance in the NIST 1998 Speaker Recognition Evaluation , 1998 .

[315]  Tatu Ylonen,et al.  SSH: secure login connections over the internet , 1996 .

[316]  Lorrie Faith Cranor,et al.  Privacy as part of the app decision-making process , 2013, CHI.

[317]  Matt Bishop,et al.  What Is Computer Security? , 2003, IEEE Secur. Priv..

[318]  Danah Boyd,et al.  Profiles as Conversation: Networked Identity Performance on Friendster , 2006, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06).

[319]  Matthew Kay,et al.  Textured agreements: re-envisioning electronic consent , 2010, SOUPS.

[320]  David A. Wagner,et al.  Android permissions: user attention, comprehension, and behavior , 2012, SOUPS.