Module

Human Factors in Security and Privacy [M-WIWI-104520]

Credits: 9
Recurrence: every semester
Duration: 2 semesters
Language: German
Level: 4
Version: 2

Responsible

Organisation

  • KIT-Fakultät für Wirtschaftswissenschaften

Part of

Bricks

Identifier     Name                                              LP (credit points)
T-WIWI-109271  Advanced Lab User Studies in Security             4.5
T-WIWI-108439  Advanced Lab Security, Usability and Society      4.5
T-WIWI-109270  Human Factors in Security and Privacy             4.5

Competence Certificate

The module examination is carried out in the form of partial examinations on the courses selected from the module, with which the minimum credit-point requirement is fulfilled. The form of assessment is described for each course. The overall grade of the module is made up of the partial grades weighted by credit points and is truncated after the first decimal place.

Competence Goal

Students …

  • know why many existing security and privacy mechanisms are not usable and why many awareness/education/training approaches are not effective
  • can explain for concrete examples why these are not usable / not effective including why people are likely to face problems with these
  • can explain what mental models are, why they are important and how they can be identified
  • know how to conduct a cognitive walkthrough to identify problems with existing mechanisms and approaches
  • know how to conduct semi-structured interviews
  • know how user studies in the security context differ from those conducted in other contexts
  • can explain the process of human-centered security / privacy by design
  • know the advantages and disadvantages of various graphical password schemes
  • know concepts such as just in time and place security interventions

Prerequisites

None

Content

The history of information security and privacy has taught us that it takes more than technological innovation to develop effective security and privacy mechanisms: many aspects of information security and privacy depend on both technical and human factors. As a result of focusing on the technical factors alone, we see a persistent gap between theoretical security and actual security in the real world, which is becoming an increasing problem in the age of digitalization. The gap is mainly caused by strong and, in practice, unrealistic assumptions regarding users' knowledge and behavior.

Human factors in security and privacy research addresses several types of security and privacy mechanisms, e.g., authentication mechanisms including text and graphical passwords, security and privacy indicators (such as the icons in the address bar of today's web browsers), and security and privacy interventions like warning messages, permission dialogs and security and privacy policies, as well as the corresponding configuration interfaces. Besides security and privacy mechanisms, human factors in security and privacy researchers deal with security and privacy awareness, education, and training approaches.

'Human factors in security & privacy' research areas are:

  • identifying users' mental models using techniques such as (semi-)structured interviews or focus groups,
  • evaluating existing approaches regarding their effectiveness in supporting users in making secure decisions (or informed decisions in the context of privacy), using techniques such as cognitive walkthroughs, lab user studies or even field studies,
  • proposing improved or new approaches and evaluating their effectiveness using the so-called human-centered security / privacy by design approach.

This module discusses the various problems of existing security and privacy mechanisms and of security and privacy awareness/education/training approaches. The lecture addresses relevant psychological and sociological aspects that are important to know and to consider when developing more usable security/privacy mechanisms and more effective awareness/education/training approaches. The human-centered security and privacy by design approach is introduced. Furthermore, some of the methodologies used in this area are explained and a subset of them is applied. Finally, positive examples, such as graphical passwords, are introduced and discussed. Note: the main part of the exercise is replicating an interview-based study. The main focus of the lab will be to replicate a quantitative user study.

Workload

The total workload for this module is approximately 270 hours.