The Lab Study Troubles
Can real behavior of users, when it comes to security decisions, be observed in lab studies? A recent paper from my research group sheds light on this question. Initially, our goal was quite different. We replicated and extended a 2008 study conducted at CMU that investigated the e effectiveness of SSL warnings. To achieve better […]
Can Metaphors of Physiscal Security Work for Computers?
There is evidence that the communication of security risks to home computer users has been unsuccessful. Prior research has found that users do not heed risk communications, that they do not read security warning texts, and that they ignore them. Risk communication should convey the basic facts relevant to the warning recipient’s decision. In the […]
Heuristics for Evaluating IT Security Management Tools
The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. However, standard usability heuristics (e.g., Nielsen’s) are hard to apply, as IT security management occurs within a complex and collaborative context that involves diverse stakeholders. In a joint project with CA Technologies, my Ph.D. student Pooya […]
Have users signed up?
I participated in a panel “Password Managers, Single Sign-On, Federated ID: Have users signed up?” at Workshop on The Future of User Authentication and Authorization on the Web: Challenges in Current Practice, New Threats, and Research Directions, which was collocated with the conference on Financial Cryptography and Data Security. In my panel presentation, I showed the most recent […]
Is OpenID too Open? Technical, Business, and Human Issues That Get in the Way of OpenID and Ways of Addressing Them
The web is essential for business and personal activities well beyond information retrieval, such online banking, financial transactions, and payment authorization, but reliable user authentication remains a challenge. OpenID is a mainstream Web single sign-on (SSO) solution intended for Internet-scale adoption. There are currently over one billion OpenID-enabled user accounts provided by major content-hosting and […]