International Conferences: Human Computer Interaction (CHI 15), Korea


The 33rd ACM Conference on Human Factors in Computing Systems (CHI '15) was held April 18-23, 2015 in Seoul, Korea. The conference web page is available at:   The citations below are on a topic of direct interest to the Science of Security community: human factors in cybersecurity.


Mahdi Nasrullah Al-Ameen, Matthew Wright, Shannon Scielzo; “Towards Making Random Passwords Memorable: Leveraging Users' Cognitive Ability Through Multiple Cues;” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 2315-2324. Doi: 10.1145/2702123.2702241
Abstract: Given the choice, users produce passwords reflecting common strategies and patterns that ease recall but offer uncertain and often weak security. System-assigned passwords provide measurable security but suffer from poor memorability. To address this usability-security tension, we argue that systems should assign random passwords but also help with memorization and recall. We investigate the feasibility of this approach with CuedR, a novel cued-recognition authentication scheme that provides users with multiple cues (visual, verbal, and spatial) and lets them choose the cues that best fit their learning process for later recognition of system-assigned keywords. In our lab study, all 37 of our participants could log in within three attempts one week after registration (mean login time: 38.0 seconds). A pilot study on using multiple CuedR passwords also showed 100% recall within three attempts. Based on our results, we suggest appropriate applications for CuedR, such as financial and e-commerce accounts.
Keywords: authentication, cued-recognition, usable security (ID#: 15-5601)


Emanuel von Zezschwitz, Alexander De Luca, Philipp Janssen, Heinrich Hussmann; “Easy to Draw, but Hard to Trace?: On the Observability of Grid-based (Un)lock Patterns;” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 2339-2342. Doi: 10.1145/2702123.2702202
Abstract: We performed a systematic evaluation of the shoulder surfing susceptibility of the Android pattern (un)lock. The results of an online study (n=298) enabled us to quantify the influence of pattern length, line visibility, number of knight moves, number of overlaps and number of intersections on observation resistance. The results show that all parameters have a highly significant influence, with line visibility and pattern length being most important. We discuss implications for real-world patterns and present a linear regression model that can predict the observability of a given pattern. The model can be used to provide proactive security measurements for (un)lock patterns, in analogy to password meters.
Keywords: authentication, observability, pattern, security (ID#: 15-5602)


Hendrik Meutzner, Santosh Gupta, Dorothea Kolossa; “Constructing Secure Audio CAPTCHAs by Exploiting Differences between Humans and Machines;” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 2335-2338. Doi: 10.1145/2702123.2702127
Abstract: To prevent abuses of Internet services, CAPTCHAs are used to distinguish humans from programs where an audio-based scheme is beneficial to support visually impaired people. Previous studies show that most audio CAPTCHAs, albeit hard to solve for humans, are lacking security strength. In this work we propose an audio CAPTCHA that is far more robust against automated attacks than it is reported for current CAPTCHA schemes. The CAPTCHA exhibits a good trade-off between human usability and security. This is achieved by exploiting the fact that the human capabilities of language understanding and speech recognition are clearly superior compared to current machines. We evaluate the CAPTCHA security by using a state-of-the-art attack and assess the intelligibility by means of a large-scale listening experiment.
Keywords: audio captcha, humans vs. machines, security, usability, user studies, visual impairment, web accessibility (ID#: 15-5603)


Eric Gilbert; “Open Book: A Socially-inspired Cloaking Technique that Uses Lexical Abstraction to Transform Messages;” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 477-486. Doi: 10.1145/2702123.2702295
Abstract: Both governments and corporations routinely surveil computer-mediated communication (CMC). Technologists often suggest widespread encryption as a defense mechanism, but CMC encryption schemes have historically faced significant usability and adoption problems. Here, we introduce a novel technique called Open Book designed to address these two problems. Inspired by how people deal with eavesdroppers offline, Open Book uses data mining and natural language processing to transform CMC messages into ones that are vaguer than the original. Specifically, we present: 1) a greedy Open Book algorithm that cloaks messages by transforming them to resemble the average Internet message; 2) an open-source, browser-based instantiation of it called Read Me, designed for Gmail; and, 3) a set of experiments showing that intended recipients can decode Open Book messages, but that unintended human- and machine-recipients cannot. Finally, we reflect on some open questions raised by this approach, such as recognizability and future side-channel attacks.
Keywords: cmc, encryption, social media, usable security (ID#: 15-5604)


Serge Egelman, Eyal Peer; “Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS);” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 2873-2882. Doi: 10.1145/2702123.2702249
Abstract: Despite the plethora of security advice and online education materials offered to end-users, there exists no standard measurement tool for end-user security behaviors. We present the creation of such a tool. We surveyed the most common computer security advice that experts offer to end-users in order to construct a set of Likert scale questions to probe the extent to which respondents claim to follow this advice. Using these questions, we iteratively surveyed a pool of 3,619 computer users to refine our question set such that each question was applicable to a large percentage of the population, exhibited adequate variance between respondents, and had high reliability (i.e., desirable psychometric properties). After performing both exploratory and confirmatory factor analysis, we identified a 16-item scale consisting of four sub-scales that measures attitudes towards choosing passwords, device securement, staying up-to-date, and proactive awareness.
Keywords: individual differences, psychometrics, security behavior (ID#: 15-5605)


Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, Helen Harris, Jeff Grimes; “Improving SSL Warnings: Comprehension and Adherence;” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 2893-2902. Doi: 10.1145/2702123.2702442
Abstract: Browsers warn users when the privacy of an SSL/TLS connection might be at risk. An ideal SSL warning would empower users to make informed decisions and, failing that, guide confused users to safety. Unfortunately, users struggle to understand and often disregard real SSL warnings. We report on the task of designing a new SSL warning, with the goal of improving comprehension and adherence. We designed a new SSL warning based on recommendations from warning literature and tested our proposal with microsurveys and a field experiment. We ultimately failed at our goal of a well-understood warning. However, nearly 30% more total users chose to remain safe after seeing our warning. We attribute this success to opinionated design, which promotes safety with visual cues. Subsequently, our proposal was released as the new Google Chrome SSL warning. We raise questions about warning comprehension advice and recommend that other warning designers use opinionated design.
Keywords: design, google consumer surveys, https, microsurveys, security, ssl, tls/ssl, warnings (ID#: 15-5606)


Youngbae Song, Geumhwan Cho, Seongyeol Oh, Hyoungshick Kim, Jun Ho Huh; “On the Effectiveness of Pattern Lock Strength Meters: Measuring the Strength of Real World Pattern Locks;” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 2343-2352. Doi: 10.1145/2702123.2702365
Abstract: We propose an effective pattern lock strength meter to help users choose stronger pattern locks on Android devices. To evaluate the effectiveness of the proposed meter with a real world dataset (i.e., with complete ecological validity), we created an Android application called EnCloud that allows users to encrypt their Dropbox files. 101 pattern locks generated by real EnCloud users were collected and analyzed, where some portion of the users were provided with the meter support. Our statistical analysis indicates that about 10% of the pattern locks that were generated without the meter support could be compromised through just 16 guessing attempts. As for the pattern locks that were generated with the meter support, that number goes up to 48 guessing attempts, showing significant improvement in security. Our recommendation is to implement a strength meter in the next version of Android.
Keywords: password, password strength meter, pattern lock, security (ID#: 15-5607)


Alina Hang, Alexander De Luca, Heinrich Hussmann; “I Know What You Did Last Week! Do You?: Dynamic Security Questions for Fallback Authentication on Smartphones;” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 1383-1392. Doi: 10.1145/2702123.2702131
Abstract: In this paper, we present the design and evaluation of dynamic security questions for fallback authentication. In case users lose access to their device, the system asks questions about their usage behavior (e.g. calls, text messages or app usage). We performed two consecutive user studies with real users and real adversaries to identify questions that work well in the sense that they are easy to answer for the genuine user, but hard to guess for an adversary. The results show that app installations and communication are the most promising categories of questions. Using three questions from the evaluated categories was sufficient to get an accuracy of 95.5% - 100%.
Keywords: dynamic security questions, fallback authentication (ID#: 15-5608)


Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Alain Forget, Saranga Komanduri, Michelle L. Mazurek, William Melicher, Sean M. Segreti, Blase Ur; “A Spoonful of Sugar?: The Impact of Guidance and Feedback on Password-Creation Behavior;” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 2903-2912. Doi: 10.1145/2702123.2702586
Abstract: Users often struggle to create passwords under strict requirements. To make this process easier, some providers present real-time feedback during password creation, indicating which requirements are not yet met. Other providers guide users through a multi-step password-creation process. Our 6,435-participant online study examines how feedback and guidance affect password security and usability. We find that real-time password-creation feedback can help users create strong passwords with fewer errors. We also find that although guiding participants through a three-step password-creation process can make creation easier, it may result in weaker passwords. Our results suggest that service providers should present password requirements with feedback to increase usability. However, the presentation of feedback and guidance must be carefully considered, since identical requirements can have different security and usability effects depending on presentation.
Keywords: authentication, password-composition policies, passwords, security policy, usable security (ID#: 15-5609)


Jason W. Clark, Peter Snyder, Damon McCoy, Chris Kanich; “‘I Saw Images I Didn't Even Know I Had’: Understanding User Perceptions of Cloud Storage Privacy;” CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015, Pages 1641-1644. Doi: 10.1145/2702123.2702535
Abstract: Billions of people use cloud-based storage for personal files. While many are likely aware of the extent to which they store information in the cloud, it is unclear whether users are fully aware of what they are storing online. We recruited 30 research subjects from Craigslist to investigate how users interact with and understand the privacy issues of cloud storage. We studied this phenomenon through surveys, an interview, and custom software which lets users see and delete their photos stored in the cloud. We found that a majority of users stored private photos in the cloud that they did not intend to upload, and a large portion also chose to permanently delete some of the offending images. We believe our study highlights a mismatch between user expectation and reality. As cloud storage is plentiful and ubiquitous, effective tools for enabling risk self-assessment are necessary to protect users' privacy.
Keywords: cloud, privacy, security, threat modeling (ID#: 15-5610)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.