Science of Human Circumvention of Science - April 2017

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): Tao Xie

Co-PI(s): Jim Blythe (USC), Ross Koppel (UPenn), and Sean Smith (Dartmouth)

This refers to Hard Problems, released November 2012.

Our project most closely aligns with problem 5, "Understanding and Accounting for Human Behavior." However, it also pertains to problems 1, 2, and 3:

  • Scalability and Composability: We want to understand not just the drivers of individual incidents of human circumvention, but also the net effect of these incidents. Included here are measures of the environment (physical, organizational, hierarchical, embeddedness within larger systems).
  • Policy-Governed Secure Collaboration: In order to create policies that actually enable secure collaboration among users in varying domains, we need to understand and predict the de facto consequences of policies, not just the de jure ones.
  • Security-Metrics-Driven Evaluation, Design, Development, and Deployment: Making sane decisions about what security controls to deploy requires understanding the de facto consequences of these deployments, instead of just pretending that circumvention by honest users never happens.

Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.

  • Dengfeng Li, Wing Lam, Wei Yang, Zhengkai Wu, Xusheng Xiao, and Tao Xie, "Towards Privacy-Preserving Mobile Apps: A Balancing Act", accepted as a poster, Symposium and Bootcamp on the Science of Security (HotSoS 2017), April 4-5, 2017, Hanover, Maryland (To be presented by Dengfeng Li).
  • Ross Koppel, Jim Blythe, Vijay Kothari, and Sean Smith, "Password Logbooks and What Their Amazon Reviews Reveal About Their Users' Motivations, Beliefs, and Behaviors", accepted for publication in proceedings of, and presentation at, 2nd European Workshop on Usable Security (EuroUSEC 17), April 29, 2017, Paris, France (To be presented by Vijay Kothari).

Other Presentations

  • Jim Blythe, Sean Smith, Ross Koppel, Christopher Novak, Vijay Kothari. "FARM: A Toolkit for Finding the Appropriate Level of Realism for Modeling." Accepted to HotSoS, Hanover, Maryland, April 4-5, 2017.
  • Jim Blythe, "Modeling Human Behavior to Improve Cyber Security", Invited talk to U Buffalo, February 2017
  • Wing Lam, Dengfeng Li, and Wei Yang. "Towards Privacy-Preserving Mobile Utility Apps: A Balancing Act." Monthly UIUC/R2 Meeting, February 2017.
  • Tao Xie. "Each and Every Student Should Study Computer Science". Invited Talk. National Society of Black Engineers (NSBE) Chapter at University of Illinois at Urbana-Champaign, February 2017.
  • Tao Xie. "User Expectations in Mobile App Security." Invited Talk. IEEE Rochester Section CS/CIS joint chapters/Department of Computing Security, Rochester Institute of Technology, March 2017.
  • Jim Blythe, Ross Koppel, Sean Smith, Vijay Kothari, David Harmon, Christopher Novak. "A Cross-Disciplinary Study of User Circumvention of Security." UIUC SoS Lablet/R2 Monthly Meeting (via teleconference). March 16, 2017.
  • Jim Blythe, Ross Koppel, Sean Smith, and Vijay Kothari. "Analysis of Two Parallel Surveys on Cybersecurity: Users and Security Administrators---notable similarities and differences." Accepted to HotSoS, Hanover, Maryland, April 4-5, 2017.
  • Sean Smith, Ross Koppel, Jim Blythe, and Vijay Kothari. "Flawed Mental Models Lead to Bad Cybersecurity Decisions: Let's Do a Better Job!" Accepted to HotSoS, Hanover, Maryland, April 4-5, 2017.


Our goal is to improve aggregate security in light of rampant user circumvention of security policies and recommended security practices. We combine our interdisciplinary expertise to tackle this problem of human circumvention of security using various approaches, including, but not limited to, semiotic modeling, surveys, behavioral experiments (including use of Mechanical Turk), and agent-based simulation. We seek to (a) enlighten security practitioners as to what users think and do, (b) bridge disconnects between security practitioners' mental models and reality, (c) develop tools to aid in security decisions, and (d) suggest better security solutions.

Via fieldwork in real-world enterprises, we have been identifying and cataloging types and causes of circumvention by well-intentioned users. We are using help desk logs, records of security-related computer changes, analysis of user behavior in situ, and surveys--in addition to interviews and observations. We then began to build and validate models of usage and circumvention behavior, for individuals and then for populations within an enterprise--as well as developing some typologies of the deeper patterns and causes. For example, we've adapted previous work in the area of semiotics to build a model to capture mismorphisms: disconnects between various actors' mental models, the system's representation of reality, and the reality itself. We believe improvements to this model may enable us to meaningfully classify hosts of security issues and suggest methods to address them.

We have been developing questionnaires for both high-level computer security professionals and general users. These results will improve our understanding of perceptions, attitudes, and behaviors of both security practitioners and general users. Indeed, results may improve security practitioners' decisions directly or indirectly by providing requisite data to build faithful models of human behavior that can inform security practitioners. We have conducted surveys on a small scale and have done initial analysis of results. We are now conducting surveys on a larger scale.

Using DASH, an agent-based modeling platform, we have built and are continually improving upon a password simulation for measuring the security provided by a password composition policy, taking into account human circumventions such as writing down and reusing passwords. We continue to refine the model to improve its faithfulness to reality and usefulness. In particular, this quarter we developed a model of phishing attacks, updated the model for password attacks, leading to new results shown in the presentation of March 16, and demonstrated a phishing simulation that included one million DASH agents running on DETER.

We're building a platform to conduct password security experiments on Mechanical Turk that will provide data on why, how, and when users circumvent recommended password practices. We are completing final stages of testing and aim to perform these experiments in the near future.

We are collaborating with researchers at University of Pennsylvania who specialize in simulating and checking Markov chain models. We are exploring ways to blend these Markov-based models with our DASH model to tackle security problems using ground-truth data from the Mechanical Turk experiments and the literature.

We have been continually developing a platform, called DASH, for agent-based simulations of circumventive behavior in order to understand its causes and consequences. We have largely completed the re-implementation of DASH in Python and have built several agents on the new platform, including models for password behavior, authentication on shared computers, and attackers.

We have continued developing a privacy framework that enables a mobile app's developers to determine what sensitive information can be anonymized while maintaining a desirable level of utility efficacy. We presented the preliminary work at the Monthly UIUC/R2 Meeting in Feb 2017. We will present a poster on this work at HotSoS 2017.

We now list some accomplishment highlights from the latest quarter. (Section 2 below has a more complete presentation.)

  • Co-PIs Blythe and Koppel will present three posters at HotSoS 2017. These reflect updates and additions to previous works by our team.
  • Co-PIs Blythe, Koppel, and Smith, and Dartmouth graduate student Kothari submitted the paper "Password Logbooks and User Reviews: What Their Amazon Reviews Reveal About Their Users' Motivations, Beliefs, and Behaviors" to EuroUSEC 2017. The paper was accepted.
  • Co-PIs Blythe, Koppel, and Smith, and graduate student Kothari gave an overview of the SHUCS project, discussing recent and future work, during the UIUC SoS Lablet/R2 Monthly Meeting held on March 16, 2017.
  • We have applied for and received IRB approval to run the Mechanical Turk experiment from the IRB office of the University of Pennsylvania.
  • PI Xie, along with his students and collaborator, will present a poster "Towards Privacy-Preserving Mobile Apps: A Balancing Act" at HotSoS 2017.
  • Students advised by PI Xie presented a talk on "Towards Privacy-Preserving Mobile Utility Apps: A Balancing Act" during the Monthly UIUC/R2 Meeting, Feb 2017.