More Like this

1. Why Can’t Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security

   Smith, Justin; Do, Lisa Nguyen; Murphy-Hill, Emerson (January 2020, Proceedings of the Sixteenth Symposium on Usable Privacy and Security)

   null (Ed.)

   Static analysis tools can help prevent security incidents, but to do so, they must enable developers to resolve the defects they detect. Unfortunately, developers often struggle to interact with the interfaces of these tools, leading to tool abandonment, and consequently the proliferation of preventable vulnerabilities. Simply put, the usability of static analysis tools is crucial. The usable security community has successfully identified and remedied usability issues in end user security applications, like PGP and Tor browsers, by conducting usability evaluations. Inspired by the success of these studies, we conducted a heuristic walkthrough evaluation and user study focused on four security-oriented static analysis tools. Through the lens of these evaluations, we identify several issues that detract from the usability of static analysis tools. The issues we identified range from workflows that do not support developers to interface features that do not scale. We make these findings actionable by outlining how our results can be used to improve the state-of-the-art in static analysis tool interfaces. 

   more » « less
2. The Role of Product Reviewers in Evaluating Security and Privacy

   Guo, Wentao; Walter, Jason; Mazurek, Michelle L. (May 2022, 6th IEEE SPW Workshop on Technology and Consumer Protection (ConPro ’22))

   As consumers adopt new Internet-connected devices, apps, and other software, they are often exposed to security and privacy vulnerabilities that they likely do not have time, exper- tise, or incentive to evaluate themselves. Can professionals and institutions help by evaluating the security and privacy of these products on behalf of consumers? As a first step, we interview product reviewers about their work, specifically whether and how they incorporate security and privacy. To inform our interview design, we conduct content analysis on published product reviews to identify security- or privacy-relevant content. 

   more » « less
3. A Typology of Perceived Triggers for End-User Security and Privacy Behaviors

   Das, Sauvik; Dabbish, Laura A; Hong, Jason I. (January 2019, USENIX Symposium on Usable Privacy and Security (SOUPS))

   What triggers end-user security and privacy (S&P) behaviors? How do those triggers vary across individuals? When and how do people share their S&P behavior changes? Prior work, in usable security and persuasive design, suggests that answering these questions is critical if we are to design systems that encourage pro-S&P behaviors. Accordingly, we asked 852 online survey respondents about their most recent S&P behaviors (n = 1947), what led up to those behaviors, and if they shared those behaviors. We found that social “triggers”, where people interacted with or observed others, were most common, followed by proactive triggers, where people acted absent of an external stimulus, and lastly by forced triggers, where people were forced to act. People from different age groups, nationalities, and levels of security behavioral intention (SBI) all varied in which triggers were dominant. Most importantly, people with low-to-medium SBI most commonly reported social triggers. Furthermore, participants were four times more likely to share their behavior changes with others when they, themselves, reported a social trigger. 

   more » « less
4. Uncovering Privacy and Security Challenges In K-12 Schools

   https://doi.org/10.1145/3544548.3580777  

   Chanenson, J.; Sloane, B.; Morrill, A.; Chee, J.; Rajan, N.; Huang, D.; Chetty, M. (January 2023, Human factors in computing systems)

   Increased use of technology in schools raises new privacy and security challenges for K-12 students---and harms such as commercialization of student data, exposure of student data in security breaches, and expanded tracking of students---but the extent of these challenges is unclear. In this paper, first, we interviewed 18 school officials and IT personnel to understand what educational technologies districts use and how they manage student privacy and security around these technologies. Second, to determine if these educational technologies are frequently endorsed across United States (US) public schools, we compiled a list of linked educational technology websites scraped from 15,573 K-12 public school/district domains and analyzed them for privacy risks. Our findings suggest that administrators lack resources to properly assess privacy and security issues around educational technologies even though they do pose potential privacy issues. Based on these findings, we make recommendations for policymakers, educators, and the CHI research community. 

   more » « less
5. Protecting Sensitive Data Early in the Research Data Lifecycle

   https://doi.org/10.29012/jpc.846  

   Karcher, Sebastian; Secen, Sefa; Weber, Nic (December 2023, Journal of Privacy and Confidentiality)

   How do researchers in fieldwork-intensive disciplines protect sensitive data in the field, how do they assess their own practices, and how do they arrive at them? This article reports the results of a qualitative study with 36 semi-structured interviews with qualitative and multi-method researchers in political science and humanitarian aid/migration studies. We find that researchers frequently feel ill-prepared to handle the management of sensitive data in the field and find that formal institutions provide little support. Instead, they use a patchwork of sources to devise strategies for protecting their informants and their data. We argue that this carries substantial risks for the security of the data as well as their potential for later sharing and re-use. We conclude with some suggestions for effectively supporting data management in fieldwork-intensive research without unduly adding to the burden on researchers conducting it. 

   more » « less