OSINT Clinic: Co-designing AI-Augmented Collaborative OSINT Investigations for Vulnerability Assessment
Description

Small businesses need vulnerability assessments to identify and mitigate cyber risks. Cybersecurity clinics provide a solution by offering students hands-on experience while delivering free vulnerability assessments to local organizations. To scale this model, we propose an Open Source Intelligence (OSINT) clinic where students conduct assessments using only publicly available data. We enhance the quality of investigations in the OSINT clinic by addressing the technical and collaborative challenges. Over the duration of the 2023-24 academic year, we conducted a three-phase co-design study with six students. Our study identified key challenges in the OSINT investigations and explored how generative AI could address these performance gaps. We developed design ideas for effective AI integration based on the use of AI probes and collaboration platform features. A pilot with three small businesses highlighted both the practical benefits of AI in streamlining investigations, and limitations, including privacy concerns and difficulty in monitoring progress.

From Knowledge to Practice: Co-Designing Privacy Controls with Children
Description

Children born in the digital era are facing increasing privacy risks and the need to control privacy in various contexts, suggesting an urgent need to enhance their privacy literacy. While previous research focuses on developing children's privacy literacy by delivering privacy knowledge, it remains unclear how children process the knowledge and apply it in various privacy situations. Furthermore, children's desire for privacy controls remains understudied. To fill the gap, we conducted two five-day co-design workshops with 11 children (ages 6-11). We uncovered children's sophisticated expectations of everyday privacy management, such as staying aware of their privacy situations, strong authentication methods, and minimal privacy exposure. We further discovered that children translated their privacy knowledge to privacy practices through an iterative reflection and action process. We discussed key considerations to support children's privacy literacy development by leveraging this process and offered implications for children-friendly privacy design.

Systemization of Knowledge (SoK): Goals, Coverage, and Evaluation in Cybersecurity and Privacy Games
Description

This paper systematized existing knowledge on cybersecurity and privacy game-based approaches, exploring their goals, scope, and evaluation methods. Our review of 93 academic papers revealed that these approaches serve multiple purposes and target diverse player types. We identified 11 key aspects of cybersecurity and privacy that these approaches addressed, such as threats, defensive strategies, and data privacy. Additionally, we analyzed the effectiveness evaluation methods of these approaches, emphasizing the connections between evaluation techniques, types of data used, and their alignment with the approaches' goals. We also summarized the aspects of user experience evaluated in the literature and the types of questions used to capture these experiences. Reflecting on these methods, we provide guidance for future research and practice in designing and evaluating game-based approaches. Finally, we identify key gaps and propose opportunities to enhance user understanding, foster adaptability, and address emerging cybersecurity and privacy challenges.

Collaborative Work in Malware Analysis: Understanding the Roles and Challenges of Malware Analysts
Description

Malware analysis provides useful information for defending organizations against the growing number of cyberattacks. To leverage such information to enhance security, malware analysts are expected to collaborate with members of their own and other teams. However, there has been insufficient research into their actual collaboration and communication. Furthermore, given that challenges in their communication can lead to critical errors, it is imperative to understand and mitigate these challenges. We interviewed 15 malware analysts to explore their roles, collaborators, and communication means and challenges. We found that the roles within malware analysis teams are diverse and identified the roles and collaborations in which analysts leverage malware analysis knowledge effectively. We also identified several key communication challenges, including difficulties in aligning understanding in collaborative analysis and low motivation for information sharing. On the basis of our findings, we provide recommendations to address each communication challenge.

Investigating Users' Decision-making for Data Privacy Controls in the Context of Internet of Things (IoT) Devices Using an Incentive-compatible Lottery Study
Description

While companies are increasingly moving towards the ‘pay for privacy’ model, it is unclear how consumers make privacy decisions under this model. Toward that, we conducted an incentive-compatible lottery study on Prolific to understand the factors behind users’ choice to have additional data privacy controls. With 265 United States participants across two device risk conditions (High-risk: camera vs. Low-risk: light bulb) and three cash conditions ($9.99 vs. $19.99 vs. $29.99), results reveal that device risk and cash offerings influence participants’ lottery choice. We further observed an interaction effect between participants’ technical literacy and cash option. Specifically, technical participants chose the data privacy controls instead of cash at a higher rate when the cash condition was $29.99. In contrast, less technical participants favored the privacy option at a higher rate when the cash condition was $9.99. Implications of our findings for user data privacy are discussed in the paper.

Understanding and Empowering Intelligence Analysts: User-Centered Design for Deepfake Detection Tools
Description

Intelligence analysts must quickly and accurately examine and report on information in multiple modalities, including video, audio, and images. With the rise of Generative AI and deepfakes, analysts face unprecedented challenges, and require effective, reliable, and explainable media detection and analysis tools. This work explores analysts' requirements for deepfake detection tools and explainability features. From a study of 30 practitioners from the United States Intelligence Community, we identified the need for a comprehensive and explainable solution that incorporates a wide variety of methods and supports the production of intelligence reports. In response, we propose a design for an analyst-centered tool, and introduce a digital media forensics ontology to support analysts’ interactions with the tool and understanding of its results. We conducted a study grounded in work-related tasks as an initial evaluation of this approach, and report on its potential to assist analysts and areas for improvement in future work.

"Auntie, Please Don't Fall for Those Smooth Talkers": How Chinese Younger Family Members Safeguard Seniors from Online Fraud
Description

Online fraud substantially harms individuals and seniors are disproportionately targeted. While family is crucial for seniors, little research has empirically examined how they protect seniors against fraud. To address this gap, we employed an inductive thematic analysis of 124 posts and 16,872 comments on RedNote (Xiaohongshu), exploring the family support ecosystem for senior-targeted online fraud in China. We develop a taxonomy of senior-targeted online fraud from a familial perspective, revealing younger members often spot frauds hard for seniors to detect, such as unusual charges. Younger family members fulfill multiple safeguarding roles, including preventative measures, fraud identification, fraud persuasion, loss recovery, and education. They also encounter numerous challenges, such as seniors' refusal of help and considerable mental and financial stress. Drawing on these, we develop a conceptual framework to characterize family support in senior-targeted fraud, and outline implications for researchers and practitioners to consider the broader stakeholder ecosystem and cultural aspects.
