Engaging Users for Security and Privacy

Conference name
CHI 2025
Choose From a List: A User Study of Random Password Memorability
Abstract

Even for users of password managers, primary passwords are a common root of trust; these must be secure against offline attacks. Randomly generated passwords provide strength guarantees but are less memorable. Cognitive psychology studies have found that providing a choice aids recall; however, no studies have investigated the impact of choice on password recall in isolation. To address this, we conducted a longitudinal user study (N=861 at initial follow-up) where users selected and memorized a password from a list of 1, 8, 32, or 128 random passwords. The users entered their password multiple times after selection to improve memory, and we followed up 7 and 28 days later. We found no evidence that selecting from a list improved memorability, which suggests designers and researchers should explore other avenues. Finally, we identify potential directions for new interfaces that help users generate random passwords that will be easier to use.

Authors
Michael Clark
Brigham Young University, Provo, Utah, United States
Gregory L. Snow
Brigham Young University, Orem, Utah, United States
Kent Seamons
Brigham Young University, Provo, Utah, United States
DOI

10.1145/3706598.3714043

Paper URL

https://dl.acm.org/doi/10.1145/3706598.3714043

“All Sorts of Other Reasons to Do It”: Explaining the Persistence of Sub-optimal IoT Security Advice
Abstract

The proliferation of consumer Internet of Things (IoT) devices has raised security concerns. In response, governments have been advising consumers on security measures, but these recommendations are not guaranteed to be implementable owing to the diverse and rapidly evolving IoT landscape, risking wasted efforts and uncertainty caused by unsuccessful attempts to secure devices. Through interviews and a workshop with 14 stakeholders involved in a Dutch national public awareness campaign, we found that while stakeholders recognized the validity of these concerns, they opted to continue the campaign with minor modifications while expecting regulatory changes to resolve the observed problem. Their justifications reveal an institutional incentive structure that overlooks well-documented user realities in security and privacy HCI research. This raises important considerations for the design and delivery of such support strategies. By fostering a collaborative dialogue, we aim to contribute to the development of user-centered security practices.

Authors
Veerle van Harten
TU Delft, Delft, Netherlands
Carlos Hernandez Ganan
TU Delft, Delft, Netherlands
Michel van Eeten
Delft University of Technology, Delft, Netherlands
Simon Parkin
TU Delft, Delft, Netherlands
DOI

10.1145/3706598.3713719

Paper URL

https://dl.acm.org/doi/10.1145/3706598.3713719

“Watch My Health, Not My Data”: Understanding Perceptions, Barriers, Emotional Impact, & Coping Strategies Pertaining to IoT Privacy and Security in Health Monitoring for Older Adults
Abstract

The proliferation of “Internet of Things (IoT)” provides older adults with critical support for “health monitoring” and independent living, yet significant concerns about security and privacy persist. In this paper, we report on these issues through a two-phase user study, including a survey (N = 22) and semi-structured interviews (n = 9) with adults aged 65+. We found that while 81.82% of our participants are aware of security features like “two-factor authentication (2FA)” and encryption, 63.64% express serious concerns about unauthorized access to sensitive health data. Only 13.64% feel confident in existing protections, citing confusion over “data sharing policies” and frustration with “complex security settings” which lead to distrust and anxiety. To cope, our participants adopt various strategies, such as relying on family or professional support and limiting feature usage leading to disengagement. Thus, we recommend “adaptive security mechanisms,” simplified interfaces, and real-time transparency notifications to foster trust and ensure “privacy and security by design” in IoT health systems for older adults.

Authors
Suleiman Saka
University of Denver, Denver, Colorado, United States
Sanchari Das
University of Denver, Denver, Colorado, United States
DOI

10.1145/3706598.3714019

Paper URL

https://dl.acm.org/doi/10.1145/3706598.3714019

Understanding and Improving User Adoption and Security Awareness in Password Checkup Services
Abstract

Password checkup services (PCS) identify compromised, reused, or weak passwords, helping users secure at-risk accounts. However, adoption rates are low. We investigated factors influencing PCS use and password change challenges via an online survey (n=238). Key adoption factors were "perceived usefulness," "ease of use," and "self efficacy." We also identified barriers to changing compromised passwords, including alert fatigue, low perceived urgency, and reliance on other security measures. We then designed interfaces mitigating these issues through clearer messaging and automation (e.g., simultaneous password changes and direct links to change pages). A user study (N=50) showed our designs significantly improved password change success rates, reaching 40% and 74% in runtime alert and PCS checkup reporting scenarios, respectively (compared to 16% and 60% with a baseline).

Authors
Sanghak Oh
Sungkyunkwan University, Suwon, Gyeonggi, Korea, Republic of
Heewon Baek
Sungkyunkwan University, Seoul, Korea, Republic of
Jun Ho Huh
Samsung Research, Seoul, Korea, Republic of
Taeyoung Kim
Sungkyunkwan University, Suwon, Korea, Republic of
Woojin Jeon
Sungkyunkwan University, Suwon-si, Korea, Republic of
Ian Oakley
KAIST, Daejeon, Korea, Republic of
Hyoungshick Kim
Sungkyunkwan University, Seoul, Korea, Republic of
DOI

10.1145/3706598.3713284

Paper URL

https://dl.acm.org/doi/10.1145/3706598.3713284

I Was Told to Install the Antivirus App, but I'm Not Sure I Need It: Understanding Smartphone Antivirus Software Adoption and User Perceptions
Abstract

The rising threat of mobile malware has prompted security vendors to recommend antivirus software for smartphones, yet user misconceptions, regulatory requirements, and improper use undermine its effectiveness. Our mixed-method study, consisting of in-depth interviews with 23 participants and a survey of 250 participants, examines smartphone antivirus software adoption in South Korea, where mandatory installation for banking and other financial apps is common. Many users confuse antivirus software with general security tools and remain unaware of its limited scope. Adoption is significantly influenced by perceived vulnerability, response efficacy, self-efficacy, social norms, and awareness, while concerns about system performance and skepticism about necessity lead to discontinuation or non-use. Mandatory installations for financial apps in South Korea contribute to user misconceptions, negative perceptions, and a false sense of security. These findings highlight the need for targeted user education, clearer communication about mobile-specific threats, and efforts to promote informed and effective engagement with antivirus software.

Authors
Seyoung Jin
Sungkyunkwan University, Suwon, Korea, Republic of
Heewon Baek
Sungkyunkwan University, Seoul, Korea, Republic of
Uichin Lee
KAIST, Daejeon, Korea, Republic of
Hyoungshick Kim
Sungkyunkwan University, Seoul, Korea, Republic of
DOI

10.1145/3706598.3713452

Paper URL

https://dl.acm.org/doi/10.1145/3706598.3713452

PrivCAPTCHA: Interactive CAPTCHA to Facilitate Effective Comprehension of APP Privacy Policy
Abstract

Traditional app privacy policies are often lengthy and non-interactive, leading users to skip them and remain uninformed. To address this, we proposed PrivCAP, a technique to enhance user comprehension by presenting policies in a concise, interactive format. PrivCAP adopted a CAPTCHA-based design, requiring users to interact with clickable chunks of concise policy content, thus reducing physical and cognitive load. A formative study (N=38) demonstrated that participants valued informed consent alongside concerns over data collection and sharing, marking the first such evaluation among Chinese users. This study further found a preference for concise visualizations and interactable formats. PrivCAP, leveraging few-shot prompting on Large Language Models (LLMs), accurately translates privacy policies into clickable, chunked formats optimized for smartphone screens. In an evaluation (N=28), PrivCAP outperformed traditional policy presentations in improving user understanding, reducing cognitive load, and maintaining efficiency, with participants favoring its engaging design and reporting more informed decision-making.

Authors
Shuning Zhang
Tsinghua University, Beijing, China
Xin Yi
Tsinghua University, Beijing, China
Shixuan Li
Tsinghua University, Beijing, China
Haobin Xing
Tsinghua University, Beijing, China
Hewu Li
Tsinghua University, Beijing, China
DOI

10.1145/3706598.3713928

Paper URL

https://dl.acm.org/doi/10.1145/3706598.3713928

Measuring Risks to Users' Health Privacy Posed by Third-Party Web Tracking and Targeted Advertising
Abstract

Online advertising platforms may be able to infer privacy-sensitive information about people, such as their health conditions. This could lead to harms like exposure to predatory targeted advertising or unwanted disclosure of health conditions to employers or insurers. In this work, we experimentally evaluate whether online advertisers target people with health conditions. We collected the browsing histories of people with and without health conditions. We crawled their histories to simulate their browsing profiles and collected the ads that were served to them. Then, we compared the content of the ads between groups. We observed that the profiles of people who visited more health-related web pages received more health-related ads. 49.5% of health-related ads used deceptive advertising techniques. Our findings suggest that new privacy regulations and enforcement measures are needed to protect people's health privacy from online tracking and advertising platforms.

Authors
Eric W. Zeng
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Xiaoyuan Wu
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Emily N. Ertmann
University of Pennsylvania, Philadelphia, Pennsylvania, United States
Lily Huang
University of Pennsylvania, Philadelphia, Pennsylvania, United States
Danielle F. Johnson
University of Pennsylvania, Philadelphia, Pennsylvania, United States
Anusha T. Mehendale
University of Pennsylvania, Philadelphia, Pennsylvania, United States
Brandon T. Tang
University of Pennsylvania, Philadelphia, Pennsylvania, United States
Karolina Zhukoff
University of Pennsylvania, Philadelphia, Pennsylvania, United States
Michael Adjei-Poku
University of Pennsylvania, Philadelphia, Pennsylvania, United States
Lujo Bauer
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Ari Friedman
University of Pennsylvania, Philadelphia, Pennsylvania, United States
Matthew McCoy
University of Pennsylvania, Philadelphia, Pennsylvania, United States
DOI

10.1145/3706598.3714318

Paper URL

https://dl.acm.org/doi/10.1145/3706598.3714318
