Today people depend on technology, but often do not take the necessary steps to prioritize privacy and security. Researchers have been actively studying usable security and privacy to enable better response and management. A breadth of research focuses on improving the usability of tools for experts and organizations. Studies that look at non-expert users tend to analyze the experience for a device, software, or demographic. There is a lack of understanding of the security and privacy among average users, regardless of the technology, age, gender, or demographic. To address this shortcoming, we surveyed 47 publications in the usable security and privacy space. The work presented here uses qualitative text analysis to find major themes in user-focused security research. We found that a user’s misunderstanding of technology is central to risky decision-making. Our study highlights trends in the research community and remaining work. This paper contributes to this discussion by generalizing key themes across user experience in usable security and privacy.
This content will become publicly available on August 14, 2025
Security and Privacy Software Creators' Perspectives on Unintended Consequences
Security & Privacy (S&P) software is created to have positive impacts on people: to protect them from surveillance and attacks, enhance their privacy, and keep them safe. Despite these positive intentions, S&P software can have unintended consequences, such as enabling and protecting criminals, misleading people into using the software with a false sense of security, and being inaccessible to users without strong technical backgrounds or with specific accessibility needs. In this study, through 14 semi-structured expert interviews with S&P software creators, we explore whether and how S&P software creators foresee and mitigate unintended consequences. We find that unintended consequences are often overlooked and ignored. When addressed, they are done in unstructured ways—often ad hoc and just based on user feedback—thereby shifting the burden to users. To reduce this burden on users and more effectively create positive change, we recommend S&P software creators to proactively consider and mitigate unintended consequences through increasing awareness and education, promoting accountability at the organizational level to mitigate issues, and using systematic toolkits for anticipating impacts.
- Award ID(s):
- 2207008
- PAR ID:
- 10517449
- Publisher / Repository:
- USENIX
- Date Published:
- Journal Name:
- Proceedings of the USENIX conference
- ISSN:
- 1049-5606
- Format(s):
- Medium: X
- Location:
- Philadelphia, PA, USA
- Sponsoring Org:
- National Science Foundation
More Like this
- Graphical User Interface (GUI)-based APplications (GAPs) are ubiquitous, both in business and personal use, and they are deployed on diverse software and hardware platforms. Unfortunately, close to 50 million people have disabilities in the USA alone and over 600 million worldwide, and it is difficult for Users With Disabilities (UWDs) to work with GAPs on their smartphones. Since there are hundreds of disabilities that impair people in vision, movement, thinking, remembering, learning, communicating, and hearing, UWDs need specialized enhancements to GUIs. Mobile Assistive APplications (MA2Ps) provide these enhancement services using specialized accessibility technologies that are fundamentally insecure, thus exposing all smartphone users to a variety of attacks. The goal of this framework is therefore to investigate security problems with accessibility technologies and to explore a novel theoretical foundation to allow stakeholders to create, analyze, and predict the security and privacy behavior of complex MA2Ps for UWDs. A connecting thread in the research thrusts is a combination of GAP and MA2P modeling and compositional intercomponent analysis using these models to create a prototype that can predict and mitigate security threats posed by accessibility technologies for smartphone users. Also, the results of the proposed framework should inform the GUI security and assistive technologies communities about the possibilities and limits of program analyses and machine learning in dealing with security problems posed by accessibility technologies that make users unsafe.
- The prevalence of smartphones in our society warrants more research on understanding the characteristics of users and their information privacy behaviors when using mobile apps. This paper investigates the antecedents and consequences of “power use” (i.e., the competence and desire to use technology to its fullest) in the context of informational privacy. In a study with 380 Android users, we examined how gender and users’ education level influence power use, how power use affects users’ intention to install apps and share information with them versus their actual privacy behaviors (i.e., based on the number of apps installed and the total number of “dangerous permission” requests granted to those apps). Our findings revealed an inconsistency in the effect of power use on users’ information privacy behaviors: While the intention to install apps and to share information with them increased with power use, the actual number of installed apps and dangerous permissions ultimately granted decreased with power use. In other words, although the self-reported intentions suggested the opposite, people who scored higher on the power use scale seemed to be more prudent about their informational privacy than people who scored lower on the power use scale. We discuss the implications of this inconsistency and make recommendations for reconciling smartphone users’ informational privacy intentions and behaviors.
- News coverage of security and privacy (S&P) events is pervasive and may affect the salience of S&P threats to the public. To better understand this coverage and its effects, we asked: What types of S&P news come into people's awareness? How do people hear about and share this news? Over two years, we recruited 1999 participants to fill out a survey on emergent S&P news events. We identified four types of S&P news: financial data breaches, corporate personal data breaches, high sensitivity systems breaches, and politicized / activist cybersecurity. These event types strongly correlated with how people shared S&P news, e.g., financial data breaches were shared most (42%), while politicized / activist cybersecurity events were shared least (21%). Furthermore, participants' age, gender and security behavioral intention strongly correlated with how they heard about and shared S&P news, e.g., males more often felt a personal responsibility to share, and older people were less likely to hear about S&P news through conversation.
- People often rely on their friends, family, and other loved ones to help them make decisions about digital privacy and security. However, these social processes are rarely supported by technology. To address this gap, we developed an Android-based mobile application ("app") prototype which helps individuals collaborate with people they know to make informed decisions about their app privacy permissions. To evaluate our design, we conducted an interview study with 10 college students while they interacted with our prototype. Overall, participants responded positively to the novel idea of using social collaboration as a means for making better privacy decisions. Yet, we also found that users are less inclined to help others and may be only willing to partake in conversations that directly affect themselves. We discuss the potential for embedding social processes in the design of systems that support privacy decision-making, as well as some of the challenges of this approach.