Spotlight on Lablet Research #32 - Characterizing User Behavior and Anticipating its Effects on Computer Security with a Security Behavior Observatory

Spotlight on Lablet Research #32 -

Characterizing User Behavior and Anticipating its Effects on Computer Security with a Security Behavior Observatory

Lablet: Carnegie Mellon University
Participating Sub-Lablet: Indiana University

This research aims to characterize home computer users' computer use and online behavior choices that impact security and privacy. This work can be used to develop models and technologies to be targeted to realistic situations.

Systems that are technically secure may still be exploited if users behave in unsafe ways. Most studies of user behavior are in controlled laboratory settings or in large-scale between-subjects measurements in the field. Both methods have shortcomings: lab experiments are not in natural environments and therefore may not accurately capture real-world behaviors (i.e., low ecological validity), whereas large-scale measurement studies do not allow the researchers to probe user intent or gather explanatory data for observed behaviors, and they offer limited control for confounding factors. The research team, led by Principal Investigator (PI) Lorrie Cranor and Co-PI Nicolas Christin, used a multi-purpose observational resource, the Security Behavior Observatory (SBO), which was developed to collect data from Windows home computers. The SBO collected a wide array of system, network, and browser data from over 500 home Windows computer users (who participated as human subjects), and this data can be used to investigate a number of aspects of computer security that are especially affected by the hard problem of understanding and accounting for human behavior. While data collection for this project ended in 2019, the team continues to analyze the dataset and conduct ongoing work on a number of research questions. The research team is also committed to keeping the dataset accessible to researchers.

For a paper entitled, "What breach? Measuring online awareness of security incidents by studying real-world browsing behavior," SBO data was used to examine 1) how often people read about security incidents online; 2) whether and to what extent they then follow up and take action; and 3) what influences the likelihood that they will read about an incident and take some action.

Another paper, "How Do Home Computer Users Browse the Web?" used data collected through the SBO to provide new insights into how users browse the internet. Researchers first compared the data to previous studies conducted over the past two decades and identified changes in user browsing and navigation. Most notably, they observed a substantial increase in the use of multiple browser tabs to switch between pages. Using the more detailed information provided by the SBO, the team identified and quantified a critical measurement error inherent in previous server-side measurements that do not capture when users switch between browser tabs. This issue leads to an incomplete picture of user browsing behavior and an inaccurate measurement of user navigation and dwell time. In addition, the researchers observed that users exhibit a wide range of browsing habits that do not easily cluster into different categories, a common assumption made in research study design and software development. They found that browsing the web consumes the majority of users' time spent on their computer, eclipsing the use of all other software on their machine. The data showed that users spend the majority of their time browsing a few popular websites, but also spend a disproportionate amount of time on low-visited websites on the edges of the internet. Users navigating to these low-visited sites are much more likely to interact with riskier content like adware, alternative health and science information, and potentially illegal streaming and gambling sites. Finally, the research team identified the primary gateways that are used to navigate to these low-visited sites and discussed the implications for future research.

A recent paper, "Adulthood is trying each of the same six passwords that you use for everything: The scarcity and ambiguity of security advice on social media," addressed the extent to which security- and privacy-related information is presented to users through their social media or "friends."

The SBO collects data directly from people's own home computers, thereby capturing people's computing behavior "in the wild." This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. The research team expects that the insights discovered by analyzing this data will profoundly impact multiple research domains, including, but not limited to, behavioral sciences, computer security and privacy, economics, and human-computer interaction.