Advancements in information technology often task users with complex and consequential privacy and security decisions. A growing body of research has investigated individuals’ choices in the presence of privacy and information security tradeoffs, the decision-making...
Anecdotal evidence and scholarly research have shown that Internet users may regret some of their online disclosures. To help individuals avoid such regrets, we designed two modifications to the Facebook web interface that nudge users to consider the content and...
We designed and tested attractors for computer security dialogs: user-interface modifications used to draw users’ attention to the most important information for making decisions. Some of these modifications were purely visual, while others temporarily inhibited...
Today’s smartphone applications expect users to make decisions about what information they are willing to share, but fail to provide sufficient feedback about which privacy sensitive information is leaving the phone, as well as how frequently and with which entities...
The matrix barcodes known as Quick Response (QR) codes are rapidly becoming pervasive in urban environments around the world. QR codes are used to represent data, such as a web address, in a compact form that can be scanned readily and parsed by consumer mobile...
This report presents the findings of a study which investigated the outcome of password strength and the behaviour; and sentiment of users subjected to four different password-composition policies.
Computer security warnings are intended to protect users and their computers. However, research suggests that users frequently ignore these warnings. The authors describe a study designed to gain insight into how users perceive and respond to computer alerts....
Text-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy that required...
Although online retailers detail their privacy practices in online privacy policies, this information often remains invisible to consumers, who seldom make the effort to read and understand those policies. This paper reports on research undertaken to determine whether...
In this paper we present the results of a roleplay survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti- phishing educational materials....
Research focusing on educating users about phishing and identifying phishing emails, as opposed to using technology for prevention and detection. The research identified multiple problems, namely: that people were not motivated to learn about security; that security...
PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated the effectiveness...
Companies collect personally identifiable information that website visitors are not always comfortable sharing. One proposed remedy is to use economics rather than legislation to address privacy risks by creating a marketplace for privacy where website visitors would...
Researchers studied the effectiveness of web browser phishing warnings by targeting 60 study participants with simulated email phishing attacks. 97% of study participants clicked a link in at least one simulated phishing email. When then presented with a passive web...
Tools that aim to combat phishing attacks must take into account how and why people fall for them in order to be effective. This study reports a pilot survey of 232 computer users to reveal predictors of falling for phishing emails, as well as trusting legitimate...
In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a...
This study reports on what everday user do when they come across suspicious emails. An analysis suggests people can manage risks they’re familiar with but are unable to extrapolate their strategies to deal with unfamiliar risks.
Stay up to date
Sign up to our newsletter for the latest news, views and insights.
