Verena Zimmermann

“If It Wasn’t Secure, They Would Not Use It in the Movies” – Security Perceptions and User Acceptance of Authentication Technologies

Whereas the text password is still ubiquitous as authentication scheme, its shortcomings are well-acknowledged within the research community. A plurality of alternatives such as other knowledge-based, token-based or biometric authentication schemes have been developed. Although the usability of these schemes has been analyzed, the results concerning further user perceptions are complex and somewhat ambiguous. Further, most of these results stem from focus groups and surveys where the actual interaction with the systems was not tested. To shine light on this topic we conducted a laboratory study with 35 participants to compare and understand user perceptions of several biometric and non-biometric authentication schemes. We simulated the interaction with authentication schemes to protect our participants’ data and to avoid affecting influences of particular implementations. The results showed that the text password is still popular among the participants for reasons of familiarity and due to privacy aspects, namely because no personal information has to be provided. Fingerprint and iris recognition were well liked among the biometrics by many participants due to the perceived security of using a unique feature for authentication. However, the use of personal information also raised privacy concerns in others. This leads to the assumption that there might be two user groups preferring either passwords or biometrics. The assumption along with possible influencing variables such as authentication context or familiarity should be addressed in future research. The simulation of authentication schemes could further be improved by addressing realistic error rates to increase external validity of the study design.

Ende-zu-Ende sichere E-Mail-Kommunikation

ZusammenfassungDer vorliegende Beitrag untersucht, ob die 1999 von Whitten und Tygar („Why Johnny can’t encrypt“) identifizierten Usability-Probleme von Ende-zu-Ende sicherer E-Mail-Kommunikation in heutigen Lösungen weiterhin existieren. Dafür wurde mithilfe der Methode Cognitive Walkthrough die Benutzbarkeit von zwei aktuellen Verschlüsselungsanwendungen (gpg4o®1 und Enigmail2) evaluiert. Die Ergebnisse werden im Zusammenhang mit den Erkenntnissen von Whitten und Tygar diskutiert.

Ethical guidelines for nudging in information security & privacy

Abstract There has recently been an upsurge of interest in the deployment of behavioural economics techniques in the information security and privacy domain. In this paper, we consider the nature of one particular intervention, the nudge, and the way it exercises its influence. We contemplate the ethical ramifications of nudging, in its broadest sense, deriving general principles for ethical nudging from the literature. We extrapolate these principles to the deployment of nudging in information security and privacy. Furthermore, we explain how researchers can use these guidelines to ensure that they satisfy the ethical requirements during nudge trials in information security and privacy. Our guidelines also provide guidance to ethics review boards that are required to evaluate nudge-related research.

Promoting Secure Email Communication and Authentication

Nowadays, the possibility to communicate securely is crucial for users in the private as well as in the business context. However, to do so they have to face problems regarding mismatching mental models of encryption and bad usability not only concerning the encryption, but also the authentication process. To solve this problem, we evaluate users’ perception on encryption and authentication schemes in order to (1) derive a process, which is more in line with their expectations and (2) use authentication schemes which provide security but also achieve a high acceptance rate from users. We plan to integrate our findings into a prototypical software in order to evaluate users’ acceptance for our technical approach.