Learning from Authoritative Security Experiment Results
The Challenges and Pitfalls in the Design and Execution of Human-Technology Interaction-based Experiments
Humans today use computers in nearly every aspect of their lives. Human interactions with computers include everything from general use (e.g., email, web) to device-specific use (e.g., controls for SCADA systems) to using security tools (e.g., virus detectors) to being system administrators and defenders. Issues involving these human-technology interactions can result in system compromise (e.g., social engineering attacks, misconfiguring security technologies) and difficulty in defending systems (e.g., excessive cognitive load reducing human effectiveness). These issues give rise to the urgency of cybersecurity research focused on human-technology interactions.
Human-technology interaction experiments require special considerations beyond those of network- and host-based security experiments conducted in traditional IT security research (e.g., sample size, instrumentation, and how learning impacts repeatability). In this panel discussion, researchers from a range of disciplines will discuss the challenges and pitfalls they have encountered in experiments involving human-technology interactions. This panel will focus specifically on the challenges and means to design experiments to be scientifically sound and produce reliable results.
Joseph Bonneau is a Postdoctoral Researcher at Stanford University and a Technology Fellow at the Electronic Frontier Foundation. His research focuses on cryptography and security protocols, particularly how they interact with human and organizational behavior and economic incentives. Recently he has focused on Bitcoin and related cryptocurrencies and secure messaging tools. He is also known for his work on passwords and web authentication. He received a PhD from the University of Cambridge under the supervision of Ross Anderson and a BS/MS from Stanford under the supervision of Dan Boneh. Last year he was a Postdoctoral Fellow at CITP, Princeton, and he has previously worked at Google, Yahoo, and Cryptography Research Inc.
Daniel Sanchez is a Cognitive Scientist in the Computer Science Laboratory at SRI International and recently formed the interdisciplinary Computational Cognitive Neuroscience group to focus on applying and studying cognitive neuroscience for translational purposes. His research has examined the operating characteristics of memory systems in the acquisition and expression of cognitive and motor skills. Daniel’s work applying implicit sequence learning to password authentication was featured in the PBS NOVA special, Rise of the Hackers. Daniel received his PhD from Northwestern University in 2013.
Jim Blythe is a research scientist in the DETER group at USC's Information Sciences Institute, where he works on understanding and modeling human security behavior and its impact on tools and policies. His research background is in AI and planning under uncertainty. Jim has run human-technology experiments in social network visualization and knowledge acquisition in addition to security domains, and is on the steering committee for the USEC workshop series on usable security. He is creating an agent toolkit in DETER called DASH, designed to help experimenters capture and replay human behavior across a variety of scenarios and share their data with the community of researchers.
Moderator: Laura S. Tinnel, SRI International