Nina Gerber

“If It Wasn’t Secure, They Would Not Use It in the Movies” – Security Perceptions and User Acceptance of Authentication Technologies

Whereas the text password is still ubiquitous as authentication scheme, its shortcomings are well-acknowledged within the research community. A plurality of alternatives such as other knowledge-based, token-based or biometric authentication schemes have been developed. Although the usability of these schemes has been analyzed, the results concerning further user perceptions are complex and somewhat ambiguous. Further, most of these results stem from focus groups and surveys where the actual interaction with the systems was not tested. To shine light on this topic we conducted a laboratory study with 35 participants to compare and understand user perceptions of several biometric and non-biometric authentication schemes. We simulated the interaction with authentication schemes to protect our participants’ data and to avoid affecting influences of particular implementations. The results showed that the text password is still popular among the participants for reasons of familiarity and due to privacy aspects, namely because no personal information has to be provided. Fingerprint and iris recognition were well liked among the biometrics by many participants due to the perceived security of using a unique feature for authentication. However, the use of personal information also raised privacy concerns in others. This leads to the assumption that there might be two user groups preferring either passwords or biometrics. The assumption along with possible influencing variables such as authentication context or familiarity should be addressed in future research. The simulation of authentication schemes could further be improved by addressing realistic error rates to increase external validity of the study design.

Developing and Evaluating a Five Minute Phishing Awareness Video.

Confidence tricksters have always defrauded the unwary. The computer era has merely extended their range and made it possible for them to target anyone in the world who has an email address. Nowadays, they send phishing messages that are specially crafted to deceive. Improving user awareness has the potential to reduce their effectiveness. We have previously developed and empirically-validated phishing awareness programmes. Our programmes are specifically designed to neutralize common phish-related misconceptions and teach people how to detect phishes. Many companies and individuals are already using our programmes, but a persistent niggle has been the amount of time required to complete the awareness programme. This paper reports on how we responded by developing and evaluating a condensed phishing awareness video that delivered phishing awareness more efficiently. Having watched our video, participants in our evaluation were able to detect phishing messages significantly more reliably right after watching the video (compared to before watching the video). This ability was also demonstrated after a retention period of eight weeks after first watching the video.

Explaining the privacy paradox: A systematic review of literature investigating privacy attitude and behavior

Abstract Although survey results show that the privacy of their personal data is an important issue for online users worldwide, most users rarely make an effort to protect this data actively and often even give it away voluntarily. Privacy researchers have made several attempts to explain this dichotomy between privacy attitude and behavior, usually referred to as ‘privacy paradox’. While they proposed different theoretical explanations for the privacy paradox, as well as empirical study results concerning the relationship of individual factors on privacy behavior and attitude, no comprehensive explanation for the privacy paradox has been found so far. We aim to shed light on the privacy paradox phenomenon by summarizing the most popular theoretical privacy paradox explanations and identifying the factors that are most relevant for the prediction of privacy attitude and behavior. Since many studies focus on the behavioral intention instead of the actual behavior, we decided to consider this topic as well. Based on a literature review, we identify all factors that significantly predict one of the three privacy aspects and report the corresponding standardized effect sizes (β). The results provide strong evidence for the theoretical explanation approach called ‘privacy calculus’, with possibly gained benefits being among the best predictors for disclosing intention as well as actual disclosure. Other strong predictors for privacy behavior are privacy intention, willingness to disclose, privacy concerns and privacy attitude. Demographic variables play a minor role, only gender was found to weakly predict privacy behavior. Privacy attitude was best predicted by internal variables like trust towards the website, privacy concerns or computer anxiety. Despite the multiplicity of survey studies dealing with user privacy, it is not easy to draw overall conclusions, because authors often refer to slightly different constructs. We suggest the privacy research community to agree on a shared definition of the different privacy constructs to allow for conclusions beyond individual samples and study designs.

Sharing the ‘Real Me’ – How Usage Motivation and Personality Relate to Privacy Protection Behavior on Facebook

Although social networks like Facebook have become an important part of social communication and daily life for many people, most users have concerns regarding their privacy on Facebook. In order to gain a deeper understanding of how users try to protect their private data on Facebook, we conducted an online survey with 280 German Facebook users. We used regression analyses to investigate if usage motivation and personality relate to the management of privacy settings as well as the deployment of other protection strategies in Facebook, such as blocking certain contacts or deleting a post or photo/video tag. Our results showed that Facebook users with rather lax privacy settings have a greater feeling of being meaningful and stimulated when using Facebook than users with rather strict privacy settings. Furthermore, Facebook users scoring high on extraversion and low on agreeableness tend to use more other protection strategies besides the management of privacy settings. However, no association could be found between usage motivation and the deployment of other protection strategies on the one hand, and between personality and the management of privacy settings on the other hand. The results indicate that it is important for privacy researchers as well as product and privacy intervention designers to consider the user’s motivation to share personal data, because only if privacy studies and interventions account for this important factor, it is possible not only to gain a complete picture of the privacy behavior of users, but also to influence it.

Das Privacy-Paradoxon – Ein Erklärungsversuch und Handlungsempfehlungen

Der Schutz der eigenen Privatsphare im digitalen Alltag fallt schwer. Spatestens seit der Omniprasenz des mobilen Internets dank Smartphones und der damit verbundenen rapiden Verbreitung digitaler Dienste, ist die Verbreitung personliche Informationen immer schwerer zu kontrollieren. Daruber hinaus stellte die Forschung bereits vor etwa zehn Jahren fest, dass Menschen sich widerspruchlich in Bezug auf ihre Privatsphare verhalten (Norberg et al. 2007) und bezeichneten dieses Phanomen als das Privacy-Paradoxons. Um zu klaren, warum Menschen sich im Hinblick auf ihre Privatsphare widerspruchlich verhalten und ob dies in der Tat paradox im Sinne des Wortes ist, ist es notwendig, zu verstehen, was Menschen motiviert und wie sie Entscheidungen treffen. Kurz, wie menschliches Verhalten entsteht. Im Rahmen dieses Beitrags werden Faktoren beschrieben und diskutiert, die in verschiedenen Situationen das menschliche Verhalten beeinflussen und aus diesen ein integratives Verhaltensmodell im Kontext der digitalen Privatsphare abgeleitet. Auf Basis dieses Modell werden dann Antworten auf die Frage geliefert, wie das Phanomen des Privacy-Paradoxons zu erklaren ist und anhand eines Beispiels diskutiert, was sich daraus fur die Praxis an Handlungsansatzen ableiten lassen.

Promoting Secure Email Communication and Authentication

Nowadays, the possibility to communicate securely is crucial for users in the private as well as in the business context. However, to do so they have to face problems regarding mismatching mental models of encryption and bad usability not only concerning the encryption, but also the authentication process. To solve this problem, we evaluate users’ perception on encryption and authentication schemes in order to (1) derive a process, which is more in line with their expectations and (2) use authentication schemes which provide security but also achieve a high acceptance rate from users. We plan to integrate our findings into a prototypical software in order to evaluate users’ acceptance for our technical approach.

Productivity vs security: mitigating conflicting goals in organizations

Purpose This paper aims to contribute to the understanding of goal setting in organizations, especially regarding the mitigation of conflicting productivity and security goals. Design/methodology/approach This paper describes the results of a survey with 200 German employees regarding the effects of goal setting on employees’ security compliance. Based on the survey results, a concept for setting information security goals in organizations building on actionable behavioral recommendations from information security awareness materials is developed. This concept was evaluated in three small- to medium-sized organizations (SMEs) with overall 90 employees. Findings The survey results revealed that the presence of rewards for productivity goal achievement is strongly associated with a decrease in security compliance. The evaluation of the goal setting concept indicates that setting their own information security goals is welcomed by employees. Research limitations/implications Both studies rely on self-reported data and are, therefore, likely to contain some kind of bias. Practical implications Goal setting in organizations has to accommodate for situations, where productivity goals constrain security policy compliance. Introducing the proposed goal setting concept based on relevant actionable behavioral recommendations can help mitigate issues in such situations. Originality/value This work furthers the understanding of the factors affecting employee security compliance. Furthermore, the proposed concept can help maximizing the positive effects of goal setting in organizations by mitigating the negative effects through the introduction of meaningful and actionable information security goals.