The growing use of smart home devices poses considerable privacy and security challenges, especially for individuals like migrant domestic workers (MDWs) who may be surveilled by their employers. This paper explores the privacy and security challenges experienced by MDWs in multi-user smart homes through in-depth semi-structured interviews with 26 MDWs and 5 staff members of agencies that recruit and/or train domestic workers in China. Our findings reveal power imbalances in the relationships between MDWs and their employers and agencies, influenced by Chinese cultural and social factors (such as Confucianism and collectivism) as well as legal ones. Furthermore, the widespread and normalized use of surveillance technologies in China, particularly in public spaces, exacerbates these power imbalances, reinforcing a sense of constant monitoring and control. Drawing on our findings, we provide recommendations for domestic worker agencies and policymakers to address the privacy and security challenges faced by MDWs in Chinese smart homes.
https://dl.acm.org/doi/10.1145/3706598.3713616
Cryptocurrency adoption has surged dramatically, with over 500 million global users. Despite the appeal of self-custodial wallets, which grant users control over their assets, these users often struggle with the complexities of securing seed phrases, leading to substantial financial losses. This paper investigates the behaviors, challenges, and security practices of cryptocurrency users regarding seed phrase management. We conducted a mixed-methods study comprising semi-structured interviews with 20 participants and a comprehensive survey of 643 respondents. Our findings reveal significant gaps in users' understanding and practices around seed phrase security and the circumstances under which users share their seed phrases. We also explore users' mental models of shared accounts and strategies for handling cryptocurrency assets in the event of death. We found that the majority of our participants harbored significant misconceptions about seed phrases that could expose them to significant security risks --- e.g., only 43% could correctly identify an image of a seed phrase, and many believed they could reset their seed phrase if they lost it. Moreover, only a minority have engaged in any estate planning for their crypto assets. By identifying these challenges and behaviors, we provide actionable insights for the design of more secure and user-friendly cryptocurrency wallets, ultimately aiming to enhance user confidence in managing their crypto assets, reduce their exposure to scams and accidental loss of assets, and simplify the creation of bequeathment plans.
https://dl.acm.org/doi/10.1145/3706598.3713209
Chief Information Security Officers (CISOs) are responsible for setting and executing organizations' information security strategies. This role has only grown in importance as a result of today's increasingly high-stakes threat landscape. To understand these key decision-makers, we interviewed 16 current and former CISOs to understand how they build a security strategy and the day-to-day obstacles that they face. Throughout, we find that the CISO role is strongly shaped by a business enablement perspective, driven by broad organizational goals beyond solely technical protection. Within that framing, we describe the most salient concerns for CISOs, isolate key decision-making factors they use when prioritizing security investments, and surface practical complexities and pain points that they face in executing their strategy. Our results surface opportunities to help CISOs better navigate the complex task of managing organizational risk, as well as lessons for how security tools can be made more deployable in practice.
https://dl.acm.org/doi/10.1145/3706598.3713895
What drives employees to ensure security when handling information assets in organizations? There is growing interest from the security behavior community in how autonomous motivators shape employees’ security-related behaviors. To reconcile the scattered viewpoints on autonomous motivation and synthesize findings from studies utilizing various theoretical frameworks, we systematically reviewed relevant publications. We present a preregistered literature review that investigated (a) what forms of autonomous motivation have been examined in organizational security contexts, (b) which behaviors/behavioral intentions are related to autonomous motivators, and (c) how autonomous motivation affects employees’ security behaviors. Based on an initial set of 432 papers, filtered down to 45 studies, we identified 17 unique autonomous motivators and three types of related security behaviors. This review not only develops a refined taxonomy of autonomous motivation related to security behaviors but also charts a path forward for future research on autonomous motivation in human-centered security.
https://dl.acm.org/doi/10.1145/3706598.3713122
Modern web applications use features like camera and geolocation for personalized experiences, requiring user permission via browser prompts. To explain these requests, applications provide rationales—contextual information on why permissions are needed. Despite their importance, little is known about how often rationales appear on the web or their influence on user decisions. This paper presents the first large-scale study of how the web ecosystem handles permission rationales, covering three areas: (i) identifying webpages that use permissions, (ii) detecting and classifying permission rationales, and (iii) analyzing their attributes to understand their impact on user decisions. We examined over 770K webpages from Chrome telemetry, finding 3.6K unique rationale texts and 749 rationale UIs across 85K pages. We extracted key rationale attributes and assessed their effect on user behavior by cross-referencing them with Chrome telemetry data. Our findings reveal nine key insights, providing the first evidence of how different rationales affect user decisions.
https://dl.acm.org/doi/10.1145/3706598.3713547
People-centred security is critical for the security of an organisation, but we know that it comes at a cost. Recently the academic literature base has started to focus on how security might be understood and promoted as a facet of the overall culture of an organisation. This work sets out to understand the experiences of employees and management when using an anonymous online discussion platform to discuss cybersecurity policies. Following a 2-week deployment in a large UK educational institution, we found that anonymity helped individuals share their experiences, and that these experiences helped others understand more about the rationale for security policies. However, we also found that anonymity negatively impacted on individuals’ ability to discuss specific problems and follow up on incidents. We discuss the opportunities and challenges of using anonymous discussion platforms in organisations for improving the security culture through social participation and a more transparent listening culture.
https://dl.acm.org/doi/10.1145/3706598.3713290
This paper presents a comprehensive Systematization of Knowledge on tangible privacy and security interfaces (TaPSI). Tangible interfaces provide physical forms for digital interactions. They can offer significant benefits for privacy and security applications by making complex and abstract security concepts more intuitive, comprehensible, and engaging. Through a literature survey, we collected and analyzed 80 publications. We identified terminology used in these publications and addressed usable privacy and security domains, contributions, applied methods, implementation details, and opportunities or challenges inherent to TaPSI. Based on our findings, we define TaPSI and propose the TaPSI Research Framework, which guides future research by offering insights into when and how to conduct research on privacy and security involving TaPSI as well as a design space of TaPSI.
https://dl.acm.org/doi/10.1145/3706598.3713968