Krombholz-Reindl, K. (2016). Usable security and privacy challenges with disruptive technologies [Dissertation, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2016.41089
In the current age, disruptive technologies are proliferating rapidly and a plethora of devices is interconnected and exchanges data. This always-online paradigm poses significant challenges to their users as the underlying information-sharing models are difficult to understand. Hence, managing security and privacy has become increasingly complex for users. This complexity is more and more acknowledged and research has started to address human aspects of information security. End-users often struggle with security systems that are too difficult to use and not designed to fulfil the users' needs. As a result, they are susceptible to a variety of attacks or accidentally disclose sensitive information without being aware of it. This highlights the need for an integration of human-computer interaction aspects in security research. This interdisciplinary field, which is also referred to as usable security, has become necessary and is an emerging field of research. The goal of this work is to contribute to making security and privacy technology more user-friendly by understanding the users through user studies and by providing new concepts and designs that fulfil the users' needs. Throughout this thesis, we focused on usable security challenges around disruptive technologies. First, we systematized social engineering attack vectors and used machine learning to detect underground marketplaces where stolen sensitive data is traded. Then, we studied QR code-based phishing attacks and proposed and evaluated user-centric mitigation strategies. Moreover, we explored design directions for future privacy-mediating technologies to support informed consent between users of wearable cameras in public places. Through qualitative interviews, we determined form factors for future designs and found that the participants preferred a tangible and decentralized device with a simple button to push.
Furthermore, we proposed an enhanced PIN scheme called force-PINs and showed that our approach supports users in selecting stronger PINs with only minimal task overhead compared to digit-only PINs. We furthermore conducted user studies to research security and privacy-related challenges of crypto applications such as Bitcoin and TLS. Our large-scale study with Bitcoin users revealed that even experienced users often lose their keys and insufficiently back up their digital assets. The results of a lab study on usability challenges in the HTTPS deployment process suggest that administrators are confronted with poor usability, which results in weak configurations. Our findings in various fields of application revealed future challenges for the design of usable security and privacy technology based on user studies. Also, we presented user-centric security schemes and showed that our approaches improve security with a reasonable task overhead.