Public administrations provide critical services and manage sensitive data for a country's citizens. Recent phishing campaigns targeting public sector employees highlight their attractiveness as targets. Deploying state-of-the-art authentication technologies, such as FIDO2, can improve overall security. We conducted a mixed-methods study in Germany to better understand the practices and challenges of deploying passwordless authentication in the public sector. First, we conducted an online survey (N=108) among German public sector employees to gain insights into their experiences and challenges. Next, we partnered with an e-government vendor and performed an in-situ experiment. We let 11 employees from the public sector experience FIDO2 under real-world conditions. Our results show that only a minority of our participants were aware of current passwordless authentication procedures. In our experiment, FIDO2-based methods left an overall positive impression. Hierarchical and heterogeneous public sector structures and the need for more technical expertise and equipment were barriers to adoption.
Email is ubiquitous, and in the context of phishing, it becomes critical, as risky behaviours like clicking on phishing links or downloading malicious files can lead to severe consequences. While much research exists on phishing susceptibility, there is still a gap in understanding factors that influence user micro-behaviour when interacting with phishing emails. To address this, we offer a tool, the Precision Email Simulator, to support phishing researchers, as well as considerations in conceptualising controlled 'experimental simulation' studies, which are currently underutilised in phishing research. The Precision Email Simulator simulates real-world email inboxes and tracks precision user data, such as time spent on messages and eye-tracking for key areas like URLs and sender addresses. We discuss the practical uses of our simulator, and provide recommendations and guidelines for using our email simulator.
Employees, once seen as the weakest link in organizational cybersecurity, are now recognized as crucial defenders against malicious attacks. Thus, understanding employee attitudes towards cybersecurity, a major factor driving security behavior, is essential for protecting organizations. Using semi-structured interviews and focus groups, this study holistically explores attitudes toward cybersecurity, its influencing factors, and the employees' needs for fostering positive attitudes. The study offers in-depth insights into affective, cognitive, and behavioral components of attitudes, ranging from annoyance and fear to appreciation for cybersecurity measures. Key influencing factors include (in)direct cybersecurity experiences and individual perceptions, both highlighting social influences. For developing positive attitudes, employees express needs related to the company's social and cultural framework, communication styles, and educational contents and formats. The study contributes to developing effective security strategies that address the individual, social, and organizational factors that shape cybersecurity attitudes, ultimately promoting stronger organizational security.
Software-developing small and medium enterprises (SMEs) play a crucial role as suppliers to larger corporations and public administration. It is therefore necessary for them to be able to demonstrate that their products meet certain security criteria, both to gain the trust of their customers and to comply with standards that demand such a demonstration. In this study we have investigated ways for SMEs to demonstrate their security when operating in a business-to-business model, conducting semi-structured interviews (N=16) with practitioners from different SMEs in Denmark and validating our findings in a follow-up workshop (N=6). Our findings indicate five distinctive security demonstration approaches, namely: Certifications, Reports, Questionnaires, Interactive Sessions and Social Proof. We discuss the challenges, benefits, and recommendations related to these approaches, concluding that none of them is a one-size-fits-all solution and that more research into the relative advantages of these approaches and their combinations is needed.
Uncertainty is inherent in science built on previous results. In geoscience, for instance, researchers analyzing volcanic deposits assess the uncertainty around past deposit classifications. To aid this assessment, we followed a design by immersion approach to co-design uncertainty visualizations. We observed that besides visualizing it, it is challenging even to define what constitutes uncertainty, as how researchers understand and process uncertainty evolves. This motivated us to reach other members of the community to better understand how they integrate uncertainty in their work. Informed by a series of interviews, we first redesigned our visualization system and then introduced it as a technology probe to a broader community of geoscientists. Our results highlight that uncertainty in science is malleable and that visualization systems should be designed with this malleability in mind. Through a set of design implications, we advocate for visualizations that promote user agency and flexibility in defining and processing uncertainty.
AI development is shaped by academics and industry leaders (let us call them "influencers"), but it is unclear how their views align with those of the public. To address this gap, we developed an interactive platform that served as a data collection tool for exploring public views on AI, including their fears, hopes, and overall sense of hopefulness. We made the platform available to 330 participants representative of the U.S. population in terms of age, sex, ethnicity, and political leaning, and compared their views with those of 100 AI influencers identified by Time magazine. The public fears AI getting out of control, while influencers emphasize regulation, seemingly to deflect attention from their alleged focus on monetizing AI's potential. Interestingly, the views of AI influencers from underrepresented groups such as women and people of color often differ from the views of underrepresented groups in the public.