Easy Does It: More Usable CAPTCHAs by Angelique Moscicki
- CAPTCHA: blocks low-grade, automated abuse on low-risk tasks; many variations in specific features (font, character set, length, distortion)
- usability measures: accuracy, solving time, satisfaction
- automatic variation of features and parameters; 97,000 Mechanical Turk participants on 750,000 tests; 5,000 satisfaction surveys
- findings: users are sensitive to font choice and prefer simpler character sets, e.g. numeric only; not sensitive to screen resolution or length; many feature interactions, 20% of them nonlinear, so user testing is required; preference for positive words, digits, and common words; random strings least preferred
- tested and deployed a new algorithm: numeric digits only, which removes the confusion between 1 and 7 and between o (oh) and 0 (zero); +6.7% accuracy, -55% reloads, -10% failed attempts
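Added example (not code from the talk or from Google): one way to act on the findings above at generation and grading time. The digit-only alphabet drops "7" to avoid the 1/7 misread (an assumption for this example, not the paper's exact alphabet), and the grader folds look-alike letters onto digits, which costs no security when letters can never be a correct answer. The response pairs are constructed, not study data.

```python
import secrets

# Challenge alphabet: digits only (the page's finding), and without "7",
# which is easily misread as "1". Dropping 7 is an assumption for this
# example, not the paper's exact alphabet.
CHALLENGE_ALPHABET = "01234568"

# Glyphs a human may type for a digit they misread. Only letters are folded:
# with a digit-only alphabet a letter is never a correct answer, so folding
# it costs no security. Digit-to-digit confusions (1/7) are not folded,
# since both are valid answers; they have to be avoided at generation time.
CONFUSABLE_TO_DIGIT = {
    "o": "0", "O": "0",
    "l": "1", "I": "1", "|": "1",
    "z": "2", "Z": "2",
    "s": "5", "S": "5",
    "b": "6",
    "B": "8",
}

def generate_challenge(length: int = 6) -> str:
    """Draw a CAPTCHA solution uniformly from the challenge alphabet."""
    return "".join(secrets.choice(CHALLENGE_ALPHABET) for _ in range(length))

def normalize_answer(answer: str) -> str:
    """Strip whitespace and fold look-alike letters onto the digits they resemble."""
    cleaned = answer.strip().replace(" ", "")
    return "".join(CONFUSABLE_TO_DIGIT.get(ch, ch) for ch in cleaned)

def grade(solution: str, answer: str, lenient: bool = True) -> bool:
    """Exact match after optional normalization."""
    candidate = normalize_answer(answer) if lenient else answer.strip()
    return candidate == solution

def accuracy(responses, lenient: bool = True) -> float:
    """Fraction of (solution, typed answer) pairs graded as correct."""
    correct = sum(grade(s, a, lenient) for s, a in responses)
    return correct / len(responses)

# Constructed responses (not study data): the solution and what a user typed.
SAMPLE_RESPONSES = [
    ("480163", "480163"),
    ("502314", "5O2314"),   # letter O typed for zero
    ("118245", "Il8245"),   # I and l typed for ones
    ("306518", "3O65I8"),
    ("825041", "825O4l"),
    ("631452", "631452"),
    ("240815", "240816"),   # genuine mistake: stays wrong
    ("513680", "5136BO"),
]
```

Strict grading scores 2 of the 8 constructed answers correct, lenient grading 7 of 8; the genuine digit error is still rejected. Folding must stay limited to characters outside the challenge alphabet, otherwise it shrinks the answer space and makes guessing easier.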
Using Personal Examples to Improve Risk Communication for Security and Privacy Decisions by Marian Harbach
- 67 million apps downloaded per day on Google Play in 2013; users entrust personal data to devices
- many people do not understand permissions and become habituated, so they ignore the screen and just grant them
- use concrete and personal examples to demonstrate risk; e.g. show the user's own photos that could be deleted, describe explicit risks like viruses, or show example contacts from the address book
- study: mock-up app store, pilot plus Mechanical Turk; participants pick 2-6 apps to install and are then shown the permission screen
- findings: 14-23% of the time participants chose less-requesting apps or none at all, even after an app had been selected; it didn't stop users from installing at least one app (in most cases); brand and high ratings didn't change decisions; showing personal information created negative affect, including paying more attention to real permission screens
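Added example (not code from the talk, and not how the study's mock-up was implemented): rendering a permission screen with the user's own data as the concrete example, and ordering the alternatives so a less-requesting app is visible. The permission names follow Android's naming; the risk wording, the user data and the candidate apps are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    rating: float
    permissions: tuple

# Constructed sample of the user's own data (not study data). On a device
# this would be read from the contacts, media and location providers.
USER_DATA = {
    "READ_CONTACTS": ["Alice Example", "Dr. Bob Example", "Mum"],
    "READ_EXTERNAL_STORAGE": ["IMG_0412.jpg (beach, 2013-08-02)",
                              "IMG_0977.jpg (passport scan)"],
    "ACCESS_FINE_LOCATION": ["48.1N 11.6E, 23:40 last night (home)"],
    "READ_SMS": ["Bank: your one-time code is 48213", "Dinner at 7?"],
}

# Android permission names; the risk wording is this example's own.
RISK_TEXT = {
    "READ_CONTACTS": "could read and upload contacts such as",
    "READ_EXTERNAL_STORAGE": "could read, copy or delete photos such as",
    "ACCESS_FINE_LOCATION": "could track where you are, e.g.",
    "READ_SMS": "could read your text messages, including",
    "INTERNET": "can send anything it reads to the developer's servers",
}

def explain_permission(permission: str, data=USER_DATA, max_examples: int = 2) -> str:
    """Render one permission as a concrete, personal risk statement."""
    text = RISK_TEXT.get(permission, f"requests {permission}")
    examples = data.get(permission, [])
    if not examples:
        return f"This app {text}."
    shown = "; ".join(f'"{e}"' for e in examples[:max_examples])
    more = len(examples) - max_examples
    suffix = f" and {more} more" if more > 0 else ""
    return f"This app {text} {shown}{suffix}."

def permission_screen(app: App, data=USER_DATA) -> list:
    """One personalized line per requested permission."""
    return [explain_permission(p, data) for p in app.permissions]

def rank_by_requests(apps) -> list:
    """Order alternatives by how much they ask for, so a less-requesting
    choice sits next to the one the user picked; rating breaks ties."""
    return sorted(apps, key=lambda a: (len(a.permissions), -a.rating))

# Constructed candidate apps for one task (a flashlight), not real listings.
CANDIDATE_APPS = [
    App("Flashlight Pro", 4.7, ("INTERNET", "READ_CONTACTS",
                                "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE")),
    App("Plain Torch", 4.1, ()),
    App("Torch+", 4.5, ("INTERNET",)),
]
```

The personal examples are read locally and only rendered, never sent anywhere; a screen like this must not itself become a channel that leaks the data it warns about.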
Experiences in Account Hijacking by Iulia Ion and Richard Shay
- account compromise: example Mat Honan; lots of attacker effort for a small goal (a short Twitter handle) against a normal person, with devastating impact on that person
- goal: how to encourage people to use good security practices; experiences and attitudes
- study: 294 Mechanical Turk participants; 15-30% said they had had an account compromised and received a different survey
- findings: compromised accounts are often valuable and used often; attackers are both unknown and known to the victim (which affects the relationship); harm is concrete and emotional; victims accept some responsibility for security; incomplete security understanding; 50% were notified by others, 30% noticed content, 30% were notified by the service, 17% were locked out; 33% had email sent from the account; 20% said there was no concrete harm; most felt negative emotions; 2/3 said it improved their security behavior; most say both user and service provider are responsible; responsibility was often framed in terms of passwords; services should prevent compromises and inform the user of them
- implications: use stories with emotional appeal to drive people to better security behavior; emphasize that there is more to security beyond passwords; services should have good notification mechanisms (alternative channels)
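Added example (not code from the talk or from any particular service) of the last implication above: a login that looks unlike the owner's habits triggers a notification that goes to alternate channels first, because a message sent only to the hijacked inbox can be read and deleted by the attacker. It also flags the outbound-mail burst that a third of the victims described. Account, events and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Account:
    user: str
    primary_email: str
    recovery_email: Optional[str]
    recovery_phone: Optional[str]
    known_devices: Set[str]
    known_countries: Set[str]

@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str
    country: str
    at: datetime

def login_anomalies(account: Account, event: LoginEvent) -> List[str]:
    """Cheap signals that a login may not be the owner: unknown device, unknown country."""
    reasons = []
    if event.device_id not in account.known_devices:
        reasons.append("new device " + event.device_id)
    if event.country not in account.known_countries:
        reasons.append("new country " + event.country)
    return reasons

def notification_targets(account: Account) -> List[Tuple[str, str]]:
    """Alternate channels first: if the account is hijacked, mail to its own
    inbox can be read and deleted by the attacker before the owner sees it."""
    targets: List[Tuple[str, str]] = []
    if account.recovery_phone:
        targets.append(("sms", account.recovery_phone))
    if account.recovery_email:
        targets.append(("email", account.recovery_email))
    targets.append(("email", account.primary_email))  # still tell the inbox too
    return targets

def handle_login(account: Account, event: LoginEvent) -> List[Dict[str, str]]:
    """Return the notifications to send for this login (empty when nothing is unusual)."""
    reasons = login_anomalies(account, event)
    if not reasons:
        return []
    message = (
        f"New sign-in to {account.user} on {event.at:%Y-%m-%d %H:%M} UTC "
        f"({'; '.join(reasons)}). If this was not you, secure your account now."
    )
    return [{"channel": c, "to": t, "message": message}
            for c, t in notification_targets(account)]

def outbound_burst(sent_at: List[datetime], window_minutes: int = 10,
                   threshold: int = 20) -> bool:
    """Flag a burst of outgoing mail, a common post-compromise symptom (spam to contacts).
    Sliding window over sorted send times; True if any window holds >= threshold mails."""
    times = sorted(sent_at)
    lo = 0
    for hi in range(len(times)):
        while (times[hi] - times[lo]).total_seconds() > window_minutes * 60:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False

# Constructed sample account, logins and send times (not study data).
ALICE = Account("alice", "alice@example.com", "alice.backup@example.net", "+15550100",
                known_devices={"laptop-1"}, known_countries={"DE"})
NORMAL_LOGIN = LoginEvent("alice", "laptop-1", "DE", datetime(2014, 7, 9, 8, 15))
SUSPICIOUS_LOGIN = LoginEvent("alice", "phone-x", "RO", datetime(2014, 7, 9, 3, 2))
_BASE = datetime(2014, 7, 9, 3, 5)
BURST_SENT = [_BASE + timedelta(seconds=15 * i) for i in range(25)]  # 25 mails in 6 min
QUIET_SENT = [_BASE + timedelta(minutes=30 * i) for i in range(25)]  # 25 mails over 12 h
```

The thresholds are illustrative; a real service would tune them per account and rate-limit the notifications themselves so they do not become another source of habituation.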
Experimenting at Scale with Google Chrome's SSL Warning by Adrienne Felt
- active network attack: intercepting traffic between user and server; SSL is supposed to protect against it; if something is wrong with SSL, a warning is shown
- 68% of the time people click through the warning; often annoyed by false warnings; but the warning could be improved, e.g. Firefox has only a 33% click-through rate on its warning; want to stop annoying people and get informed consent
- study: 17,000 impressions per condition over a week; with the Firefox warning shown in Chrome, click-through was lower but still higher than in Firefox; images of people had no impact, despite expectations from psychology; styling changes had no effect; the number of extra clicks had no effect
- other factors to try: better headlines and calls to action; separate the action buttons physically and make them less similar
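Added example (not the study's analysis code): the comparison behind a "no effect" result at this scale. A two-proportion z-test compares click-through between two warning conditions, and a minimum-detectable-difference calculation says how small a change 17,000 impressions per arm can still miss. The click counts are constructed to match the rates on the page; they are not the study's data.

```python
import math

def phi(x: float) -> float:
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def z_quantile(q: float) -> float:
    """Inverse of phi by bisection; precise enough for the usual thresholds."""
    lo, hi = -10.0, 10.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if phi(mid) < q:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def compare_click_through(clicks_a: int, n_a: int, clicks_b: int, n_b: int):
    """Two-proportion z-test: is the click-through rate in arm B different from arm A?
    Returns (rate_a, rate_b, z, two_sided_p)."""
    p_a, p_b = clicks_a / n_a, clicks_b / n_b
    pooled = (clicks_a + clicks_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    z = (p_b - p_a) / se
    p_value = 2 * (1 - phi(abs(z)))
    return p_a, p_b, z, p_value

def minimum_detectable_difference(n_per_arm: int, baseline: float,
                                  alpha: float = 0.05, power: float = 0.8) -> float:
    """Smallest absolute change in click-through that a test of this size detects
    reliably; anything smaller can hide behind a "no effect" result."""
    z_alpha = z_quantile(1 - alpha / 2)
    z_power = z_quantile(power)
    return (z_alpha + z_power) * math.sqrt(2 * baseline * (1 - baseline) / n_per_arm)

# Constructed counts (not the study's data): 17,000 impressions per arm as on the page.
IMPRESSIONS = 17000
CONTROL_CLICKS = 11560         # 68.0% click-through, the baseline the page reports
RESTYLED_CLICKS = 11475        # a restyled warning at 67.5%: not distinguishable
FIREFOX_STYLE_CLICKS = 5610    # Firefox's 33% for comparison: clearly different
```

With 17,000 impressions per arm and a 68% baseline the minimum detectable difference is about 1.4 percentage points, so "styling had no effect" means no effect of that size or larger; it is not evidence that smaller effects are absent.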
Betrayed by Updates: How Negative Experiences Affect Future Security by Rick Wash
- e.g. police warning at Michigan State about an IE security vulnerability
- most attacks target known vulnerabilities for which a patch is available; why do people not patch?
- interviewed 37 non-expert Windows users, mostly grad students (high risk if computer compromised, low cash to replace)
- findings: users don't want unexpected changes to the user interface; unused and unrecognized software, like Java, goes unpatched; the current version already works, so why bother (e.g. Adobe Reader)
- ref: Microsoft Security Intelligence Report v13, 2013; browser, Java, and Adobe products account for a large proportion of attack vectors