Characterizing user behavior and anticipating its effects on computer security with a Security Behavior Observatory - April 2019

PI(s), Co-PI(s), Researchers:

This refers to Hard Problems, released November 2012.

The Security Behavior Observatory addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild". This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. We expect the insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security & privacy, economics, and human-computer interaction.


We have not had any papers accepted yet during this quarter. We have made two submissions to conferences (described below).


The purpose is to give our immediate sponsors a body of evidence that the funding they are providing is delivering results that "more than justify" the investment they are making.

  • What breach? Measuring people's reactions to breaches in the wild. Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia. Submitted to the 28th USENIX Security Symposium. In review.
    • In this analysis, we used the SBO dataset to study how people come to learn about breaches online and the actions people take in the aftermath of breaches.
    • This relates to the hard problem of understanding and accounting for human behavior: in particular, we seek to understand what influences people to learn about breaches and to take actions to protect the security of their accounts and information.
  • Why people (don't) use password managers effectively. Sarah Pearman, Shikun Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Cranor. Submitted to the Symposium on Usable Privacy and Security (SOUPS 2019). In review.
    • We submitted a paper to SOUPS 2019 that is a follow-up to a paper that we published at CCS 2017. We conducted interviews with a separate sample of 30 participants to follow up on previous findings that suggested that people using password managers did not necessarily have stronger passwords or decreased password reuse. Our results suggested that users of built-in password managers may have different underlying motivations for using password tools (i.e., mostly focused on convenience) and may thus use those tools to aid their insecure password habits, whereas people using separately installed password managers seem to be more motivated to prioritize security.
    • Systems of password authentication are especially affected by the hard problem of understanding and accounting for human behavior, since human behavior and capabilities tend to be directly at odds with what are considered the most secure password practices. This line of research, which seeks to understand why users choose various existing password tools and why those tools are or are not leading to more secure password practices, is crucial for finding usable solutions for managing authentication.