DOCSLIB.ORG

User Experience with Mobile Security and Privacy Mechanisms ABSTRACT

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
User Experience with Mobile Security and Privacy Mechanisms ABSTRACT USEREXPERIENCEWITHMOBILESECURITY AND PRIVACY MECHANISMS vorgelegt von Dipl.-Ing. Lydia Kraus geb. in Memmingen von der Fakultät IV - Elektrotechnik und Informatik der Technischen Universität Berlin zur Erlangung des akademischen Grades Doktorin der Ingenieurwissenschaften – Dr.-Ing. – genehmigte Dissertation Promotionsausschuss: Vorsitzender: Prof. Dr. Jean-Pierre Seifert Gutachter: Prof. Dr.-Ing. Sebastian Möller Gutachterin: Prof. Dr.-Ing. Delphine Reinhardt Gutachter: Prof. Dr. Markus Dürmuth Tag der wissenschaftlichen Aussprache: 4. Juli 2017 Berlin 2017 Lydia Kraus: User experience with mobile security and privacy mechanisms ABSTRACT Smartphones have become indispensable in the life of many people. They are constant companions, connections to the world, information sources, and substitutes for other devices and tools that had to be carried individually in the past. While smartphones offer a variety of sources for positive user experience, their downside is their vulnera- bility to security attacks and the potential they offer to harm a users’ privacy. However, due to their known vulnerabilities, smartphones also encompass a number of mechanisms to protect a user’s security and privacy. This thesis focuses especially on security and privacy mechanisms which are visible to the end-user and which involve ac- tions by the end-user, such as app permissions and screen locks with authentication. Research on the human factors related to mobile security and pri- vacy mechanisms often follows the usable security and privacy para- digm. Thereby, usability forms the basis of understanding and im- proving the interaction between humans and security systems. An ex- tension of the usability paradigm is the user experience (UX) paradigm which considers interaction factors beyond usability such as motiva- tion, affect and emotion, and joy of use. The present thesis extends the body of knowledge on human fac- tors and mobile security and privacy mechanisms by taking a user experience approach to the topic. It first investigates users’ experi- ences with and motivations to use mobile security and privacy in several qualitative, explorative studies. The findings thereof suggest that users not only suffer from limited usability of mobile security and privacy mechanisms, but that such mechanisms also need to ad- dress non-functional product qualities (e.g. hedonic quality) and the fulfillment of psychological needs. Those needs do not necessarily have to be related to the psychological need of Security only, but can also encompass aspects such as Autonomy and Stimulation. By the help of two use cases – app permissions and screen locks with authentication – several quantitative studies evaluate the poten- tial of these mechanisms to shape the user experience in general and in particular with respect to hedonic quality. The results of the quanti- tative studies suggest that usability is an important factor for a good user experience with mobile security and privacy mechanisms. Fur- thermore, the results indicate that also these kinds of mechanisms can be manipulated in their potential to address aspects such as hedonic quality and need fulfillment. This suggests an extended design space for mobile security and privacy mechanisms which provides system designers with new possibilities to design secure systems that enable iii positive experiences. Based on these findings, directions for future research are discussed. ZUSAMMENFASSUNG Smartphones sind im Leben vieler Menschen unabkömmlich gewor- den – sie sind ständige Begleiter, Verbindung in die Welt, Informa- tionsquellen und zu guter Letzt ein Ersatz für viele Geräte oder Werk- zeuge, die man in der Vergangenheit einzeln mit sich tragen musste. Obwohl Smartphones eine Vielzahl an positiven Erlebnissen bieten können, leiden sie unter der Einschränkung, dass sie verwundbar gegenüber Angriffen auf die Sicherheit und Privatsphäre der Nutzer sind. Aus diesem Grund beinhalten Smartphones jedoch eine Reihe von Mechanismen zum Schutz gegen selbige. Die vorliegende Disser- tation beschäftigt sich mit der Anwendung solcher Mechanismen und dabei speziell mit den Mechanismen, die vom Endnutzer wahrgenom- men und eingesetzt werden können, wie zum Bespiel App-Berechti- gungen und Bildschirmsperren mit Authentifizierung. Die Erforschung menschlicher Einflussfaktoren in Bezug auf die Nutzung mobiler Sicherheits- und Privatsphäremechanismen folgt oft dem Paradigma der “Usable Security and Privacy”. In diesem Paradigma ist die Gebrauchstauglichkeit der Kernfaktor um Inter- aktionen mit mobilen Sicherheits- und Privatsphäremechanismen zu verstehen und zu verbessern. Eine Erweiterung des Gebrauchstaug- lichkeitsparadigmas ist das Nutzererlebnisparadigma (engl. User Ex- perience (UX)), das Interaktionsaspekte berücksichtigt, die über die Gebrauchstauglichkeit hinausgehen, wie z.B. Motivation, Affekt und Emotion, oder auch Spaß bei der Nutzung. Die vorliegende Dissertation erweitert den Kenntnisstand zu menschlichen Einflussfaktoren bei der Interaktion mit mobilen Si- cherheits- und Privatsphäremechanismen, indem sie einen Nutzer- erlebnis-basierten Ansatz zur Erforschung des Themengebiets auf- greift. Dabei werden zuerst Nutzererlebnisse mit und Motivatoren für die Nutzung mobiler Sicherheits- und Privatsphäremechanismen in qualitativen Studien erforscht. Die Ergebisse dieser Studien deuten darauf hin, dass Nutzer nicht nur unter der eingeschränkten Ge- brauchstauglichkeit solcher Systeme leiden, sondern, dass auch Be- darf besteht, nicht-funktionale Produktqualitäten (wie z.B. hedoni- sche Qualität) und die Erfüllung von psychologischen Bedürfnissen mit solchen Mechanismen anzusprechen. Diese Bedürfnisse müssen sich nicht allein am psychologischen Bedürfnis nach Sicherheit aus- richten, sondern können auch andere Bedürfnisse wie zum Beispiel das Bedürfnis nach Autonomie und Stimulation einschließen. Anhand zweier Fallbeispiele – App-Berechtigungen und Bildschirm- sperren mit Authentifizierung – wird in mehreren quantitativen Stu- iv dien das Potenzial dieser Mechanismen, das Benutzererlebnis im All- gemein und im Besonderen in Bezug auf hedonische Qualitäten zu formen, evaluiert. Die Ergebnisse der quantitativen Studien lassen darauf schließen, dass Gebrauchstauglichkeit ein wichtiger Faktor für das Benutzererlebnis mit solchen Mechanismen ist. Darüber hin- aus zeigen die Ergebnisse, dass auch solche Arten von Mechanismen in ihrem Potenzial, Aspekte wie hedonische Qualität und Bedürfnis- erfüllung anzusprechen, manipuliert werden können. Dies eröffnet einen erweiterten Gestaltungsraum für mobile Sicherheits- und Pri- vatsphäremechanismen, der Systemdesignern neue Möglichkeiten bie- tet sichere Systeme, deren Benutzung ein positives Benutzererlebnis hervorruft, zu gestalten. Basierend auf diesen Ergebnissen werden Richtungen für zukünftige Forschung aufgezeigt. v PUBLICATIONS Parts of this thesis have been previously published in the following papers or articles. An asterisk (*) at the end of a paper indicates that I received support from students in conducting the studies and/or ana- lyzing the data. In that case, the students provided support according to my instructions or under my guidance. Peer-reviewed workshop, conference, and journal publications: “Using Statistical Information to Communicate Android Permis- sion Risks to Users.” Lydia Kraus, Ina Wechsung, and Sebastian Möller. Proceedings of the 4th Workshop on Socio-Technical Aspects in Se- curity and Trust. Co-located with the 27th IEEE Computer Security Foun- dations Symposium. IEEE. 2014, pp. 48 -– 55. http://dx.doi.org/10. 1109/STAST.2014.15 * While searching Google Play for a new app, I noticed that many apps of similar functionality greatly differ in the number and kinds of per- missions they request. Consequently, I came up with the concept of using statistical information about permissions of apps with similar functionality to support users in estimating the privacy intrusiveness of an app. I designed and conducted the user study, analyzed the data, and wrote the manuscript. Ina Wechsung supported me with the study design and the data analysis. Furthermore, she provided feedback on the manuscript. Sebastian Möller provided feedback for the study design and on the manuscript. “Analyzing end-users’ knowledge and feelings surrounding smart- phone security and privacy.” Lydia Kraus, Tobias Fiebig, Viktor Mi- ruchna, Sebastian Möller, and Asaf Shabtai. Proceedings of the Work- shop on Mobile Security Technologies (MoST). Co-located with the IEEE Symposium on Security & Privacy. 2015. 11 pages.* This paper is based upon my idea to understand threat models of mobile security and privacy from a user’s perspective. I designed and conducted the focus group study, analyzed the data and wrote the manuscript. Tobias Fiebig supported me with his knowledge of IT security during the course of the research and greatly contributed to the abstract, the introduction and the background section of the manuscript. Furthermore, he supported me in finalizing the discus- sion section. Viktor Miruchna was a great support in data analysis. Asaf Shabtai provided feedback during the preparation of the study vi and for the manuscript, and Sebastian Möller provided feedback for finalizing the paper. “Exploring Psychological Need Fulfillment for Security and Privacy Actions on Smartphones.” Lydia Kraus, Ina Wechsung, and Sebas- tian Möller. Proceedings of the 1st European Workshop on Usable Security (EuroUSEC). Internet Society. 2016. 12 pages. http://dx.doi.org/10. 14722/eurousec.2016.23009
Load more

Recommended publications
  • Digital Security in Context
    Digital Security in Context: Learning how human rights defenders adopt digital security practices Becky Kazansky Digital Security in Context: Learning how human rights defenders adopt digital security practices Table of Contents Setting the Scene......................................................................................................................................................4 1 Background and Rationale..........................................................................................................................4 2 Situating Tactical Tech's Practitioner Research........................................................................................7 3 Configuring the User: Perspectives from Academic Research................................................................9 4 Prioritising Context and Practice in Practitioner Work..........................................................................12 5 Practice-based Research Foundations.....................................................................................................14 Research Approach and Methods......................................................................................................................17 1 Research Implementation......................................................................................................................... 17 2 Sample......................................................................................................................................................... 19 3 Operationalising
    [Show full text]
  • New Trends in Social Media
    ISBN 978-9934-8644-7-6 1 NEW TRENDS IN SOCIAL MEDIA PREPARED BY THE NATO STRATEGIC COMMUNICATIONS CENTRE OF EXCELLENCE 1 ISBN 978-9934-8644-7-6 NEW TRENDS IN SOCIAL MEDIA Project director: Beata Bialy, Sanda Svetoka Text Editor: Juris Beņķis Production & Copy Editor:Linda Curika The NATO StratCom Centre of Excellence, based in Latvia, is a multinational, cross-sector organization which provides comprehensive analyses, advice and practical support to the alliance and allied nations. This report is a product of the NATO Strategic Communications Centre of Excellence (NATO StratCom COE). It is produced for NATO, NATO member countries, NATO partners, related private and public institutions and related individuals. It does not represent the opinions or policies of NATO. © All rights reserved by the NATO StratCom COE. Reports may not be copied, reproduced, distributed or publicly displayed without reference to the NATO StratCom COE. Cover photo: Alex Ingram Flickr creative commons licence Riga, December 2016 NATO Strategic Communications Centre of Excellence Riga, Kalnciema iela 11b, Latvia LV1048 www.stratcomcoe.org Ph.: 0037167335463 [email protected] 2 OUR LATEST PUBLICATIONS 3 TABLE OF CONTENTS FOREWORD ………...................................................................................................................……………………..4 INTRODUCTION………………………………………..................................................................…..……6 SOCIAL MEDIA TRENDS……………………….........................................................................................…………7
    [Show full text]
  • A Worldwide Survey of Encryption Products
    A Worldwide Survey of Encryption Products Bruce Schneier Kathleen Seidel Saranya Vijayakumar Berkman Center for Internet Independent Researcher Harvard College and Society [email protected] [email protected] Harvard University [email protected] February 11, 2016 Version 1.0 Introduction Data security is a worldwide problem, and there is a wide world of encryption solutions available to help solve this problem. Most of these products are developed and sold by for-profit entities, although some are created as free open-source projects. They are available, either for sale or free download, all over the world. In 1999, a group of researchers from George Washington University attempted to survey the worldwide market for encryption products [HB+99]. The impetus for their survey was the ongoing debate about US encryption export controls. By collecting information about 805 hardware and software encryption products from 35 countries outside the US, the researchers showed that restricting the export of encryption products did nothing to reduce their availability around the world, while at the same time putting US companies at a competitive disadvantage in the information security market. Seventeen years later, we have tried to replicate this survey. Findings We collected information on as many encryption products as we could find anywhere in the world. This is a summary of our findings: We have identified 865 hardware or software products incorporating encryption from 55 different countries. This includes 546 encryption products from outside the US, representing two-thirds of the total. Table 1 summarizes the number of products from each country. The most common non-US country for encryption products is Germany, with 112 products.
    [Show full text]
  • End-To-End Encrypted Messaging Protocols: an Overview Kseniia Ermoshina, Francesca Musiani, Harry Halpin
    End-to-End Encrypted Messaging Protocols: An Overview Kseniia Ermoshina, Francesca Musiani, Harry Halpin To cite this version: Kseniia Ermoshina, Francesca Musiani, Harry Halpin. End-to-End Encrypted Messaging Protocols: An Overview. Third International Conference, INSCI 2016 - Internet Science, Sep 2016, Florence, Italy. pp.244 - 254, 10.1007/978-3-319-45982-0_22. hal-01426845 HAL Id: hal-01426845 https://hal.inria.fr/hal-01426845 Submitted on 5 Jan 2017 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. End-to-end Encrypted Messaging Protocols: An Overview Ksenia Ermoshina1, Francesca Musiani2, and Harry Halpin3 1 i3-CSI, MINES ParisTech, France [email protected] 2 ISCC, CNRS/Paris-Sorbonne/UPMC, France [email protected] 3INRIA, France [email protected] Abstract.This paper aims at giving an overview of the different core proto- cols used for decentralized chat and email-oriented services. This work is part of a survey of 30 projects focused on decentralized and/or end-to-end encrypted internet messaging, currently conducted in the early stages of the H2020 CAPS project NEXTLEAP. Keywords: Decentralization; end-to-end encryption; messaging; protocols; NEXTLEAP Exploratory/Survey Paper 1.
    [Show full text]
  • Considerations for Mandating Open Interfaces Acknowledgements
    December 2020 White Paper: Considerations for Mandating Open Interfaces Acknowledgements The report was developed by a small team led by Carl Gahnberg, following the strategic guidance of Robin Wilton, Olaf Kolkman and Steve Olshansky. Simon Phipps and Javier Ruiz, consultants for the Internet Society, served as lead authors of the report, providing invaluable expertise and vision. We would also like to thank the group of external experts that provided important comments and suggestions in reviews of earlier drafts, including: Amelia Andersdotter; John Bergmayer; Ian Brown; Cory Doctorow; Gurshabad Grover; Ali Lange; Mark Nottingham; Thomas Reibe; and Chris Riley. Special thanks to Andrew Sullivan, Joseph Lorenzo Hall, and Katie Watson Jordan for review and comments that helped improve the final version of the report. internetsociety.org | CC BY-NC-SA 4.0 Considerations for Mandating Open Interfaces | 2 Table of contents Introduction ...........................................................................................................................................................................................................4 Background .............................................................................................................................................................................................................6 Motivations for mandating open interfaces ................................................................................................................................................6 Enhancing
    [Show full text]