Visible to the public USE: User Security Behavior (CMU/Berkeley/University of Pittsburgh Collaborative Proposal) - April 2017Conflict Detection Enabled

Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

PI(s): A. Acquisti, L.F. Cranor, N. Christin, R. Telang
Researchers: Alain Forget (CMU), Serge Egelman (Berkeley), and Scott Beach (Univ of Pittsburgh)

1) HARD PROBLEM(S) ADDRESSED (with short descriptions)
This refers to Hard Problems, released November 2012.

The Security Behavior Observatory addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild". This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. We expect the insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security & privacy, economics, and human-computer interaction.


  • J. Tan, L. Bauer, J. Bonneau, L. F. Cranor, J. Thomas, and B. Ur. Can Unicorns Help Users Compare Crypto Key Fingerprints? 2017. In Proceedings of the ACM CHI Conference on Human Factors in Computing Systems (CHI '17). To be presented.
  • C. Canfield, B. Fischoff, A. Davis, A. Forget, S. Pearman, and J. Thomas. 2017. Replication: Challenges in Using Data Logs to Validate Phishing Detection Ability Metrics. Submitted to the Thirteenth Symposium on Usable Privacy and Security (SOUPS) 2017: pending review.


Many authentication schemes ask users to manually compare compact representations of cryptographic keys, known as fingerprints. We tested the usability and security of eight fingerprint representations under different configurations. In a 661-participant between-subjects experiment, participants compared fingerprints under realistic conditions and were subjected to a simulated attack. The best configuration allowed attacks to succeed 6% of the time; the worst 72%. We found the seemingly effective compare-and-select approach performs poorly for key fingerprints and that graphical fingerprint representations, while intuitive and fast, vary in performance. While we identified some fingerprint representations as particularly promising, the best option for situations when security is paramount may be to develop protocols that rely on software rather than humans to compare cryptographic key fingerprints.

4) COMMUNITY ENGAGEMENTS - if applicable


5) EDUCATIONAL ADVANCES - if applicable