Spotlight on Lablet Research #4 - Characterizing User Behavior and Anticipating its Effects on Computer Security with a Security Behavior Observatory

Spotlight on Lablet Research #4 -

Project: Characterizing User Behavior and Anticipating its Effects on Computer Security with a Security Behavior Observatory 

Lablet: Carnegie Mellon University

This research aims to characterize users’ choices of password tools and what influence the tools have on password practices. The results of this study will contribute to finding usable solutions for managing authentication.

Technically secure systems may still be exploited if users behave in unsafe ways. Most studies of user behavior are in controlled laboratory settings or in large-scale between-subjects measurements in the field. Both methods have shortcomings: lab experiments are not in natural environments and therefore may not accurately capture real-world behaviors (i.e., low ecological validity), whereas large-scale measurement studies do not allow the researchers to probe user intent or gather explanatory data for observed behaviors, and they offer limited control for confounding factors. The CMU research team, led by Principal Investigator (PI) Lorrie Cranor and Co-PI Nicolas Christin, uses a multi-purpose observational resource, the Security Behavior Observatory (SBO), which was developed to collect data from Windows home computers. The SBO collects a wide array of system, network, and browser data from over 500 home Windows computer users (who participate as human subjects), and this data can be used to investigate a number of aspects of computer security that are especially affected by the hard problem of understanding and accounting for human behavior. Password authentication is one aspect of computer security that is heavily affected by human behavior, since human tendencies and capabilities tend to be directly at odds with what are considered the most secure password practices. This team has previously used data from the SBO to investigate password practices, including the prevalence of password reuse and the potential effects of password management tools on password habits, and this year they published a follow-up study that used interviews to understand why users are choosing various existing password tools and why those tools are or are not leading to more secure password practices. The team is also conducting ongoing work on a number of related research questions, including investigating how people learn about online data breaches and actions people take in the aftermath of those breaches.

To follow up on previous findings that suggested that people in the SBO sample using password managers did not necessarily have stronger passwords or decreased password reuse, the team conducted interviews with a separate sample of 30 participants to better understand password habits and choices of password management tools. These results were published at the Symposium on Usable Privacy and Security (SOUPS). The results suggested that users of built-in password managers may have different underlying motivations for using password tools (i.e., mostly focused on convenience) and may thus use those tools to aid their insecure password habits, whereas people using separately installed password managers seem to be more motivated to prioritize security.

The team is also conducting ongoing research using the SBO dataset to study how people learn about breaches online and the actions people take in the aftermath of breaches. They are studying to what extent participants come across breach information in their browsing, and what aspects of people or their browsing increase their likelihood of reading about breach information. They also study the methods by which people come across breach-related pages characteristics of these methods and pages and what influences people to learn more about breaches or take action (either in the form of more browsing or changing passwords), how often people actually change their passwords in the aftermath of a breach, and how constructive these changes are.

The Security Behavior Observatory addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior “in the wild.” This data is the closest to the ground truth of the users’ everyday security and privacy challenges that the research community has ever collected. The insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security and privacy, economics, and human-computer interaction.

The SBO dataset has been used in multiple related projects since its inception and will continue to provide researchers across the community with users’ actual practices in a variety of security and privacy applications.

Additional details on this project can be found here.