Publication


Featured research published by Kat Krol.


conference on risks and security of internet and systems | 2012

Don't work. Can't work? Why it's time to rethink security warnings

Kat Krol; Matthew Moroz; M. Angela Sasse

As the number of Internet users has grown, so have the security threats that they face online. Security warnings are one key strategy for trying to warn users about those threats; but recently, it has been questioned whether they are effective. We conducted a study in which 120 participants brought their own laptops to a usability test of a new academic article summary tool. They encountered a PDF download warning for one of the papers. All participants noticed the warning, but 98 (81.7%) downloaded the PDF file that triggered it. There was no significant difference between responses to a brief generic warning, and a longer specific one. The participants who heeded the warning were overwhelmingly female, and either had previous experience with viruses or lower levels of computing skills. Our analysis of the reasons for ignoring warnings shows that participants have become desensitised by frequent exposure and false alarms, and think they can recognise security risks. At the same time, their answers revealed some misunderstandings about security threats: for instance, they rely on anti-virus software to protect them from a wide range of threats, and do not believe that PDF files can infect their machine with viruses. We conclude that security warnings in their current forms are largely ineffective, and will remain so, unless the number of false positives can be reduced.


The Economics of Information Security and Privacy | 2013

The Privacy Economics of Voluntary Over-disclosure in Web Forms

Sören Preibusch; Kat Krol; Alastair R. Beresford

The Web form is the primary method of collecting personal data from individuals on the Web. Privacy concerns, time spent, and typing effort act as a major deterrent to completing Web forms. Yet consumers regularly provide more data than required. In a field experiment, we recruited 1,500 Web users to complete a form asking for ten items of identity and profile information of varying levels of sensitivity. We manipulated the number of mandatory fields (none vs. two) and the compensation for participation (0.25 vs. 0.50) to quantify the extent of over-disclosure, the motives behind it, and the resulting costs and privacy invasion. We benchmarked the efficiency of compulsion and incentives in soliciting data against voluntary disclosure alone. We observed a high prevalence of deliberate and unpaid over-disclosure of data. Participants regularly completed more form fields than required, or provided more details than requested. Through careful experimental design, we verified that participants understood that additional data disclosure was voluntary, and the information provided was considered sensitive. In our experiment, we found that making some fields mandatory jeopardised voluntary disclosure for the remaining optional fields. Conversely, monetary incentives for disclosing those same fields yielded positive spillover by increasing revelation ratios for other optional fields. We discuss the implications for commercial website operators, regulators, privacy-enhancing browser standards, and further experimental research in privacy economics.


international conference on cross-cultural design | 2014

The Great Authentication Fatigue – And How to Overcome It

Martina Angela Sasse; Michelle Potts Steves; Kat Krol; Dana Chisnell

We conducted a two-part study to understand the impact of authentication on employees’ behaviour and productivity in a US governmental organisation. We asked 23 participants to keep a diary of all their authentication events within a 24-hour period, and subsequently interviewed them about their experience with authentication. We found that the authentication tasks employees have to perform not only carry significant workload, but that the way in which authentication disrupts primary tasks reduces productivity and creates frustration. Our participants reported a range of coping strategies, including use of tools and re-organising their work to avoid security. Avoidance meant they logged in less frequently, stopped using certain devices and services. They also reported not pursuing innovative ideas because of “the battle with security” that would be required. Our case study paints a picture of chronic ‘authentication fatigue’ resulting from current policies and mechanisms, and the negative impact on staff productivity and morale. We propose that organisations need to urgently re-think how they authenticate users in a pervasive technology requirement, and advocate a paradigm shift from explicit to implicit authentication.


international conference on human-computer interaction | 2015

Too Taxing on the Mind! Authentication Grids are not for Everyone

Kat Krol; Constantinos Papanicolaou; Alexei Vernitski; M. Angela Sasse

The security and usability issues associated with passwords have encouraged the development of a plethora of alternative authentication schemes. These aim to provide stronger and/or more usable authentication, but it is hard for the developers to anticipate how users will perform with and react to such schemes. We present a case study of a one-time password entry method called the Vernitski Authentication Grid (VAG), which requires users to enter their password in pairs of characters by finding where the row and the column containing the characters intersect and entering the character from this intersection. We conducted a laboratory user evaluation (n = 36) and found that authentication took 88.6 s on average, with login times decreasing with practice. Participants were faster authenticating on a tablet than on a PC. Overall, participants found using the grid complex and time-consuming. Their stated willingness to use it depended on the context of use, with most participants considering it suitable for accessing infrequently used and high-stakes accounts and systems. While using the grid, 31 out of 36 participants pointed at the characters, rows and columns with their fingers or mouse, which undermines the shoulder-surfing protection that the VAG is meant to offer. Our results demonstrate there cannot be a one-size-fits-all replacement for passwords --- usability and security can only be achieved through schemes designed to fit a specific context of use.


workshop on privacy in the electronic society | 2016

Control versus Effort in Privacy Warnings for Webforms

Kat Krol; Sören Preibusch

Webforms are the primary way of collecting information online. However, some users may wish to limit the amount of personal information they provide and only fill out the minimum required for the transaction. With less than one third of websites marking fields as mandatory or optional, limiting disclosure can be a daunting task. This paper reports on a large behavioural online experiment on user reactions to warnings alerting them that they are about to submit non-mandatory information. Eight warning dialogues were tested between 4,620 participants. We found that warnings mentioning security or privacy threats both significantly reduced the disclosure of personal information in the webforms used (e.g., -27 percentage points for date of birth). The most actionable warning was not the one that minimised user effort but the one that left participants most in control. We consider our study useful to establish what kind of warning messages could help users manage their privacy. In order not to contribute to the ever increasing warning fatigue, a good real-world implementation of over-disclosure indicators would be for the browser to provide users with real-time information on mandatoriness/optionality when the webform loads, for example by highlighting optional fields.


2016 IEEE International Conference on Identity, Security and Behavior Analysis (ISBA) | 2016

I don't like putting my face on the Internet!: An acceptance study of face biometrics as a CAPTCHA replacement

Kat Krol; Simon Parkin; M. Angela Sasse

Biometric technologies have the potential to reduce the effort involved in securing personal activities online, such as purchasing goods and services. Verifying that a user session on a website is attributable to a real human is one candidate application, especially as the existing CAPTCHA technology is burdensome and can frustrate users. Here we examine the viability of biometrics as part of the consumer experience in this space. We invited 87 participants to take part in a lab study, using a realistic ticket-buying website with a range of human verification mechanisms including a face biometric technology. User perceptions and acceptance of the various security technologies were explored through interviews and a range of questionnaires within the study. The results show that some users wanted reassurance that their personal image will be protected or discarded after verifying, whereas others felt that if they saw enough people using face biometrics they would feel assured that it was trustworthy. Face biometrics were seen by some participants to be more suitable for high-security contexts, and by others as providing extra personal data that had unacceptable privacy implications.


(NIST Interagency or Internal Reports (NISTIR) NIST IR 7983). National Institute of Standards and Technology | 2014

Report: Authentication Diary Study

Michelle Potts Steves; Dana Chisnell; Angela Sasse; Kat Krol; Mary F. Theofanos; Hannah Wald


symposium on usable privacy and security | 2016

Productive Security: A scalable methodology for analysing employee security behaviours

Adam Beautement; Ingolf Becker; Simon Parkin; Kat Krol; M. Angela Sasse


arXiv: Cryptography and Security | 2015

They brought in the horrible key ring thing! Analysing the Usability of Two-Factor Authentication in UK Online Banking

Kat Krol; Eleni Philippou; Emiliano De Cristofaro; M. Angela Sasse


Workshop on Usable Security | 2016

Better the Devil You Know: A User Study of Two CAPTCHAs and a Possible Replacement Technology

Kat Krol; Simon Parkin; M. Angela Sasse

Collaboration


Top Co-Authors

Simon Parkin
University College London

M. Angela Sasse
University College London

Ingolf Becker
University College London

Michelle Potts Steves
National Institute of Standards and Technology

Adam Beautement
University College London