Apple announced the introduction of app privacy details to their App Store in December 2020, marking the first ever real-world, large-scale deployment of the privacy nutrition label concept, which had been introduced by researchers over a decade earlier. The Apple labels are created by app developers, who self-report their app's data practices. In this paper, we present the first study examining the usability and understandability of Apple's privacy nutrition label creation process from the developer's perspective. By observing and interviewing 12 iOS app developers about how they created the privacy label for a real-world app that they developed, we identified common challenges for correctly and efficiently creating privacy labels. We discuss design implications both for improving Apple's privacy label design and for future deployment of other standardized privacy notices.
https://dl.acm.org/doi/abs/10.1145/3491102.3502012
Incident response playbooks provide step-by-step guidelines to help security operations personnel quickly respond to specific threat scenarios. Although playbooks are common in the security industry, they have not been empirically evaluated for effectiveness. This paper takes a first step toward measuring playbooks and the frameworks used to design them, using two studies conducted in an enterprise environment. In the first study, twelve security professionals created two playbooks each, using two standard playbook design frameworks; the resulting playbooks were evaluated by experts for accuracy. In the second, we observed five personnel using the created playbooks in no-notice threat exercises within a live security-operations center. We find that playbooks can help simplify and support incident response efforts. However, playbooks designed using the frameworks we examined often lack sufficient detail for real-world use, particularly for more junior technicians. We provide recommendations for improving playbooks, playbook frameworks, and organizational processes surrounding playbook use.
https://dl.acm.org/doi/abs/10.1145/3491102.3517559
Reliably recruiting participants with programming skills is an ongoing challenge for empirical studies involving software development technologies, often leading to the use of crowdsourcing platforms and computer science (CS) students. In this work, we use five existing survey instruments to explore the programming skills, privacy and security attitudes, and secure development self-efficacy of participants from a CS student mailing list and four crowdsourcing platforms (Appen, Clickworker, MTurk, and Prolific). We recruited 613 participants who claimed to have programming skills and assessed recruitment channels regarding costs, quality, programming skills, as well as privacy and security attitudes. We find that 27% of crowdsourcing participants, 40% of crowdsourcing participants who self-report to be developers, and 89% of CS students answered all programming skill questions correctly. CS students were the most cost-effective recruitment channel and rated themselves lower than crowdsourcing participants about secure development self-efficacy.
https://dl.acm.org/doi/abs/10.1145/3491102.3501957
Decentralized finance (DeFi) enables crypto-asset holders to conduct complex financial transactions, while maintaining control over their assets in the blockchain ecosystem. However, the transparency of blockchain networks and the open mechanism of DeFi applications also cause new security issues. In this paper, we focus on sandwich attacks, where attackers take advantage of the transaction confirmation delay and cause financial losses for victims. We evaluate the impact and investigate users' perceptions of sandwich attacks through a mixed-methods study. We find that due to users' lack of technical background and insufficient notifications from the markets, many users were not aware of the existence and the impact of sandwich attacks. They also had a limited understanding of how to resolve the security issue. Interestingly, users showed high tolerance for the impact of sandwich attacks on individuals and the ecosystem, despite potential financial losses. We discuss general implications for users, DeFi applications, and the community.
https://dl.acm.org/doi/abs/10.1145/3491102.3517585