Hacking, Developering, and Privacy Ops

Conference name
CHI 2022
Understanding Challenges for Developers to Create Accurate Privacy Nutrition Labels
Abstract

Apple announced the introduction of app privacy details to their App Store in December 2020, marking the first ever real-world, large-scale deployment of the privacy nutrition label concept, which had been introduced by researchers over a decade earlier. The Apple labels are created by app developers, who self-report their app's data practices. In this paper, we present the first study examining the usability and understandability of Apple's privacy nutrition label creation process from the developer's perspective. By observing and interviewing 12 iOS app developers about how they created the privacy label for a real-world app that they developed, we identified common challenges for correctly and efficiently creating privacy labels. We discuss design implications both for improving Apple's privacy label design and for future deployment of other standardized privacy notices.

Award
Honorable Mention
Authors
Tianshi Li
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Kayla Reiman
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Yuvraj Agarwal
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Lorrie Cranor
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Jason I. Hong
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Paper URL

https://dl.acm.org/doi/abs/10.1145/3491102.3502012

How Ready is Your Ready? Assessing the Usability of Incident Response Playbook Frameworks
Abstract

Incident response playbooks provide step-by-step guidelines to help security operations personnel quickly respond to specific threat scenarios. Although playbooks are common in the security industry, they have not been empirically evaluated for effectiveness. This paper takes a first step toward measuring playbooks and the frameworks used to design them, using two studies conducted in an enterprise environment. In the first study, twelve security professionals created two playbooks each, using two standard playbook design frameworks; the resulting playbooks were evaluated by experts for accuracy. In the second, we observed five personnel using the created playbooks in no-notice threat exercises within a live security-operations center. We find that playbooks can help simplify and support incident response efforts. However, playbooks designed using the frameworks we examined often lack sufficient detail for real-world use, particularly for more junior technicians. We provide recommendations for improving playbooks, playbook frameworks, and organizational processes surrounding playbook use.

Award
Honorable Mention
Authors
Rock Stevens
University of Maryland, College Park, Maryland, United States
Daniel Votipka
Tufts University, Medford, Massachusetts, United States
Josiah Dykstra
National Security Agency, Fort Meade, Maryland, United States
Fernando Tomlinson
Department of Defense, Arlington, Virginia, United States
Erin Quartararo
University of Maryland, College Park, Maryland, United States
Colin Ahern
New York City Cyber Command, New York, New York, United States
Michelle L. Mazurek
University of Maryland, College Park, Maryland, United States
Paper URL

https://dl.acm.org/doi/abs/10.1145/3491102.3517559

Recruiting Participants With Programming Skills: A Comparison of Four Crowdsourcing Platforms and a CS Student Mailing List
Abstract

Reliably recruiting participants with programming skills is an ongoing challenge for empirical studies involving software development technologies, often leading to the use of crowdsourcing platforms and computer science (CS) students. In this work, we use five existing survey instruments to explore the programming skills, privacy and security attitudes, and secure development self-efficacy of participants from a CS student mailing list and four crowdsourcing platforms (Appen, Clickworker, MTurk, and Prolific). We recruited 613 participants who claimed to have programming skills and assessed recruitment channels regarding costs, quality, programming skills, as well as privacy and security attitudes. We find that 27% of crowdsourcing participants, 40% of crowdsourcing participants who self-report to be developers, and 89% of CS students answered all programming skill questions correctly. CS students were the most cost-effective recruitment channel and rated themselves lower than crowdsourcing participants about secure development self-efficacy.

Award
Honorable Mention
Authors
Mohammad Tahaei
University of Bristol, Bristol, United Kingdom
Kami Vaniea
University of Edinburgh, Edinburgh, United Kingdom
Paper URL

https://dl.acm.org/doi/abs/10.1145/3491102.3501957

Impact and User Perception of Sandwich Attacks in the DeFi Ecosystem
Abstract

Decentralized finance (DeFi) enables crypto-asset holders to conduct complex financial transactions, while maintaining control over their assets in the blockchain ecosystem. However, the transparency of blockchain networks and the open mechanism of DeFi applications also cause new security issues. In this paper, we focus on sandwich attacks, where attackers take advantage of the transaction confirmation delay and cause financial losses for victims. We evaluate the impact and investigate users' perceptions of sandwich attacks through a mixed-methods study. We find that due to users' lack of technical background and insufficient notifications from the markets, many users were not aware of the existence and the impact of sandwich attacks. They also had a limited understanding of how to resolve the security issue. Interestingly, users showed high tolerance for the impact of sandwich attacks on individuals and the ecosystem, despite potential financial losses. We discuss general implications for users, DeFi applications, and the community.

Authors
Ye Wang
ETH Zurich, Zurich, Switzerland
Patrick Zuest
ETH Zurich, Zurich, Switzerland
Yaxing Yao
University of Maryland Baltimore County, Baltimore, Maryland, United States
Zhicong Lu
City University of Hong Kong, Hong Kong, China
Roger Wattenhofer
ETH Zurich, Zurich, Switzerland
Paper URL

https://dl.acm.org/doi/abs/10.1145/3491102.3517585
