Search results

1 – 4 of 4
Article
Publication date: 20 November 2023

Prakriti Dumaru, Ankit Shrestha, Rizu Paudel, Cassity Haverkamp, Maryellen Brunson McClain and Mahdi Nasrullah Al-Ameen

Abstract

Purpose

The purpose of this study is to understand user perceptions and misconceptions regarding security tools. Security and privacy-preserving tools (for brevity, the authors term them “security tools” in this paper, unless otherwise specified) are designed to protect the security and privacy of people in the digital environment. However, inappropriate use of these tools can lead to unexpected consequences that are preventable. Hence, it is important to examine why users do not understand the security tools.

Design/methodology/approach

The authors conducted a qualitative study with 40 participants in the USA to investigate the prevalent misconceptions of people regarding security tools, their perceptions of data access and the corresponding impact on their usage behavior and data protection strategies.

Findings

While security vulnerabilities are often rooted in people’s internet usage behavior, this study examined users’ mental models of the internet and unpacked how the misconceptions about security tools relate to those mental models.

Originality/value

Based on the findings, this study offers recommendations highlighting the design aspects of security tools that need careful attention from researchers and industry practitioners, to alleviate users’ misconceptions and provide them with accurate conceptual models toward the desired use of security tools.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 August 2021

Mahdi Nasrullah Al-Ameen, Apoorva Chauhan, M.A. Manazir Ahsan and Huzeyfe Kocabas

Abstract

Purpose

With the rapid deployment of internet of things (IoT) technologies, it has become essential to address security and privacy issues by maintaining transparency in data practices. Prior research focused on identifying people's privacy preferences in different contexts of IoT usage and their mental models of security threats. However, there is a dearth of existing literature on the mismatch between users' perceptions and the actual data practices of IoT devices. Such mismatches could lead users to unknowingly share their private information, exposing themselves to unanticipated privacy risks. The paper aims to identify these mismatched privacy perceptions.

Design/methodology/approach

The authors conducted a lab study with 42 participants, where they compared participants’ perceptions with the data practices stated in the privacy policy of 28 IoT devices from different categories, including health and exercise, entertainment, smart homes, toys and games and pets.

Findings

The authors identified the mismatched privacy perceptions of users in terms of data collection, sharing, protection and storage period. The findings revealed the mismatches between users' perceptions and the data practices of IoT devices for various types of information, including personal, contact, financial, health, location, media, connected device, online social media and IoT device usage.

Originality/value

The findings from this study lead to recommendations on designing simplified privacy notices by highlighting the unexpected data practices, which, in turn, would contribute to the secure and privacy-preserving use of IoT devices.

Details

Information & Computer Security, vol. 29 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 10 October 2016

Mahdi Nasrullah Al-Ameen, S.M. Taiabul Haque and Matthew Wright

Abstract

Purpose

Two-factor authentication is being implemented more broadly to improve security against phishing, shoulder surfing, keyloggers and password guessing attacks. Although passwords serve as the first authentication factor, a common approach to implementing the second factor is sending a one-time code, either via e-mail or text message. The prevalence of smartphones, however, creates security risks in which a stolen phone leads to a user’s accounts being accessed. Physical tokens such as RSA’s SecurID create extra burdens for users and cannot be used on many accounts at once. This study aims to improve the usability and security of two-factor online authentication.

Design/methodology/approach

The authors propose a novel second authentication factor that, similar to passwords, is also based on something the user knows but operates similarly to a one-time code for security purposes. The authors design this component to provide a higher security guarantee with minimal memory burden, without requiring any additional communication channels or hardware. Motivated by psychology research, the authors leverage users’ autobiographical memory in a novel way to create a secure and memorable component for two-factor authentication.

Findings

In a multi-session lab study, all of the participants were able to log in successfully on the first attempt after a one-week delay from registration and reported satisfaction on the usability of the scheme.

Originality/value

The results indicate that the proposed approach to leverage autobiographical memory is a promising direction for further research on a second authentication factor based on something the user knows.

Details

Information & Computer Security, vol. 24 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 26 July 2021

Sovantharith Seng, Mahdi Nasrullah Al-Ameen and Matthew Wright

Abstract

Purpose

A huge amount of personal and sensitive data is shared on Facebook, which makes it a prime target for attackers. Adversaries can exploit third-party applications connected to a user’s Facebook profile (i.e. Facebook apps) to gain access to this personal information. Users’ lack of knowledge and the varying privacy policies of these apps make them further vulnerable to information leakage. However, little has been done to identify mismatches between users’ perceptions and the privacy policies of Facebook apps. This paper aims to address this challenge.

Design/methodology/approach

The authors conducted a lab study with 31 participants, where the authors received data on how they share information on Facebook, their Facebook-related security and privacy practices and their perceptions on the privacy aspects of 65 frequently-used Facebook apps in terms of data collection, sharing and deletion. The authors then compared participants’ perceptions with the privacy policy of each reported app. Participants also reported their expectations about the types of information that should not be collected or shared by any Facebook app.

Findings

The analysis reveals significant mismatches between users’ privacy perceptions and reality (i.e. privacy policies of Facebook apps), where the authors identified over-optimism not only in users’ perceptions of information collection but also in their self-efficacy in protecting their information in Facebook despite experiencing negative incidents in the past.

Originality/value

To the best of the authors’ knowledge, this is the first study on the gap between users’ privacy perceptions around Facebook apps and reality. The findings from this study offer direction for future research to address that gap through designing usable, effective and personalized privacy notices to help users make informed decisions about using Facebook apps.

Details

Information & Computer Security, vol. 29 no. 2
Type: Research Article
ISSN: 2056-4961
