Jan 10 2011

Usable Security


Usable security is a new research area combining human-computer interaction (HCI) and computer security. It aims to design “secure systems that people can use” and recognizes that even the most secure system will fail if it is used incorrectly or bypassed by users. It is especially important to consider user interaction when designing a security system because the consequences of an unusable system can lead to “dangerous errors”, i.e. errors that may have negative consequences with respect to security.

Our work has focused on user authentication. In particular, we have conducted studies on password managers and graphical password systems, using in-lab experiments, interviews, and larger field studies. We are also investigating some of the broader issues related to usable security, namely users’ mental models of security and how these impact usability, the role of persuasion in security interfaces, and the nature of identity theft. We are also exploring how computer game design might inform usable security, so there is cross-over with our games and hypermedia research.

Honours: The award for best paper at SOUPS 2007 (the ACM Symposium on Usable Privacy and Security) went to our paper: A Second Look at the Usability of Click-based Graphical Passwords


Faculty

Graduate Students

  • Alain Forget, Ph.D. Candidate in Computer Science
  • Daniel LeBlanc, Ph.D. Candidate in Psychology
  • Gerardo Reynaga, Ph.D. Candidate in Computer Science
  • Elizabeth Stobert, M.A. Candidate in Psychology
  • Max Hlywa, M.A. Candidate in Psychology
  • Nick Wright, M.A. Candidate in Psychology

Related Groups

We work in collaboration with the Carleton Computer Security Lab.

Recent Publications

  • R. Biddle, S. Chiasson, P.C. van Oorschot (2011). Graphical Passwords: Learning from the First Twelve Years. Technical Report TR-11-01, School of Computer Science, Carleton University, Ottawa, Canada. To appear in ACM Computing Surveys 44(4).  This paper replaces and obsoletes TR-09-09
  • S. Chiasson, C. Deschamps, E. Stobert, M. Hlywa, B. Freitas Machado, G. Chan, R. Biddle (2010). The MVP Web-based Authentication Framework. Technical Report TR-10-19, School of Computer Science, Carleton University, Ottawa, Canada.
  • E. Stobert, A. Forget, S. Chiasson, P.C. van Oorschot, R. Biddle (2010). Exploring Usability Effects of Increasing Security in Click-based Graphical Passwords. Annual Computer Security Applications Conference (ACSAC), Austin, USA
  • S. Chiasson, C. Deschamps, M. Hlywa, G. Chan, E. Stobert, R. Biddle (2010). MVP: A web-based framework for user studies in authentication. ACM Symposium on Usable Privacy and Security (SOUPS), Redmond, WA, USA (2-page paper, poster).
  • E. Stobert, S. Chiasson, R. Biddle (2010). Persuasion, Social Graces, and Computer Security. PERSUASIVE 2010, Springer LNCS, June 2010, Copenhagen, Denmark (4-page paper, poster).
  • Elizabeth Stobert, Alain Forget, Sonia Chiasson, Paul van Oorschot, Robert Biddle (2010). Exploring Usability Effects of Increasing Security in Click-based Graphical Passwords. Technical Report TR-10-06, School of Computer Science, Carleton University, Ottawa, Canada.
  • Alain Forget, Sonia Chiasson, Robert Biddle (2010). Shoulder-Surfing Resistance with Eye-Gaze Entry in Click-Based Graphical Passwords. ACM SIGCHI Conference on Human Factors in Computing Systems: Note (CHI), Atlanta, USA, April 2010
  • Elizabeth Stobert (2010). Usability and Strength in Click-based Graphical Passwords. ACM SIGCHI Conference on Human Factors in Computing Systems: Student Research Competition (CHI), Atlanta, USA, April 2010.
  • Alain Forget, Sonia Chiasson, Robert Biddle (2010). Input Precision for Gaze-Based Graphical Passwords. ACM SIGCHI Conference on Human Factors in Computing Systems: Work in Progress (CHI), Atlanta, USA, April 2010.
  • R. Biddle, S. Chiasson, P.C. van Oorschot (2009). Graphical Passwords: Learning from the First Generation. Technical Report TR-09-09, School of Computer Science, Carleton University, Ottawa, Canada. Obsolete. Replaced by TR-11-01
  • Sonia Chiasson, Alain Forget, Elizabeth Stobert, P.C. van Oorschot, and Robert Biddle, Multiple password interference in text and click-based graphical passwords. ACM Computer and Communications Security (CCS), Chicago, USA, November 2009. Final version pdf (Preliminary version: Technical Report TR-08-20).
  • Sonia Chiasson, Alain Forget, Paul van Oorschot, and Robert Biddle. User interface design affects security: Patterns in click-based graphical passwords. International Journal of Information Security 8(6), December 2009. SpringerLink (Preliminary version available as: Technical Report TR-08-14)
  • Alain Forget, Sonia Chiasson, and Robert Biddle. Lessons from brain age on persuasion for computer security. In CHI ’09: CHI ’09 extended abstracts on Human factors in computing systems, New York, NY, USA, 2009. ACM. Extended abstract (pdf) or poster (jpg)
  • Jennifer Sobey, Robert Biddle, P. C. van Oorschot, and Andrew S. Patrick. Exploring user reactions to new browser cues for extended validation certificates. In ESORICS ’08: Proceedings of the 13th European Symposium on Research in Computer Security, pages 411–427, Berlin, Heidelberg, 2008. Springer-Verlag.
  • S. Chiasson, A. Forget, R. Biddle, and P.C. van Oorschot. Influencing Users Towards Better Passwords: Persuasive Cued Click-Points. BCS-HCI 2008: Proceedings of the 22nd British HCI Group Annual Conference on HCI, British Computer Society, 2008. pdf
  • Alain Forget, Sonia Chiasson, P.C. van Oorschot, and Robert Biddle. Improving Text Passwords Through Persuasion. In Proceedings of the 4th ACM Symposium on Usable Privacy and Security (SOUPS 2008), pages 1-12. pdf
  • A. Forget, S. Chiasson, R. Biddle (2008). Lessons from Brain Age on Password Memorability. ACM Future Play, November 2008, Toronto, Canada. (poster) Extended abstract (pdf) or poster (jpg)
  • D. LeBlanc, S. Chiasson, A. Forget, R. Biddle (2008). Can eye gaze predict graphical passwords? ACM Symposium on Usable Privacy and Security (SOUPS), July 2008, Pittsburgh, USA. (poster) Extended abstract (pdf)
  • S. Chiasson, A. Forget, R. Biddle (2008). Accessibility and Graphical Passwords. Symposium on Accessible Privacy and Security (SOAPS), July 2008, Pittsburgh, USA. pdf
  • S. Chiasson, A. Forget, R. Biddle, P.C. van Oorschot (2008). Influencing Users Towards Better Passwords: Persuasive Cued Click-Points. HCI 2008. British Computer Society. September 2008, Liverpool, UK. Final version pdf (Preliminary version available as Technical Report TR-07-16)
  • A. Forget, S. Chiasson, P.C. van Oorschot, R. Biddle (2008). Improving Text Passwords Through Persuasion. ACM Symposium on Usable Privacy and Security (SOUPS), July 2008, Pittsburgh, USA. pdf
  • A. Forget, S. Chiasson, P.C. van Oorschot, R. Biddle (2008). Persuasion for Stronger Passwords: Motivation and Pilot Study. International Conference on Persuasive Technology, June 2008, Oulu, Finland. pdf
  • A. Forget, R. Biddle (2008). Memorability of Persuasive Passwords. ACM SIGCHI Student Research Competition (CHI SRC), April 2008, Florence, Italy. (poster) pdf or poster (.jpg)
  • S. Chiasson, J. Srinivasan, R. Biddle, P.C. van Oorschot (2008). Centered Discretization with Application to Graphical Passwords. USENIX UPSEC 2008 (Usability, Psychology, and Security 2008), April 2008. Final version pdf (Preliminary version available as Technical Report TR-08-03)
  • A. Forget, S. Chiasson, R. Biddle (2007). Persuasion as Education for Computer Security. AACE World Conference on E-Learning in Corporate, Government, Healthcare, and Higher Education (E-Learn), October 2007, Québec City, QC, Canada. pdf
  • A. Forget, S. Chiasson, R. Biddle (2007). Helping Users Protect Themselves from e-Criminals in Click-Based Graphical Passwords. Anti-Phishing Working Group (APWG) eCrime Researchers Summit, October 2007, Pittsburgh, PA, USA (poster). abstract or poster (.jpg)
  • A. Forget, S. Chiasson, R. Biddle (2007). Helping Users Create Better Passwords: Is this the right approach? ACM Symposium on Usable Privacy and Security (SOUPS), July 2007, Pittsburgh, PA, USA (poster). abstract or poster (.jpg)
  • S. Chiasson, R. Biddle, P.C. van Oorschot (2007). A Second Look at the Usability of Click-based Graphical Passwords. ACM Symposium on Usable Privacy and Security (SOUPS), July 2007, Pittsburgh, PA, USA. Final version pdf (Preliminary version available as: Technical Report TR-07-10. pdf)
  • S. Chiasson, R. Biddle, A. Somayaji (2007). Even Experts Deserve Usable Security: Design guidelines for security management systems. Workshop on Usable IT Security Management (USM’07) held with the ACM Symposium on Usable Privacy and Security (SOUPS), July 2007, Pittsburgh, PA, USA. pdf
  • S. Chiasson, P.C. van Oorschot, R. Biddle (2007). Graphical Password Authentication Using Cued Click Points. ESORICS 2007, September 2007. Dresden, Germany. Final version pdf (Preliminary version available as: Technical Report TR-07-13. pdf)
  • S. Chiasson, R. Biddle (2007). Persuading Users to Behave Securely. 2nd Conference on Persuasive Technology, April 2007, Palo Alto, CA, USA (poster). abstract or poster (.png)
  • S. Chiasson, R. Biddle (2007). Issues in User Authentication. CHI 2007 Workshop: Security user studies: Methodologies and best practices. April 2007, San Jose, CA, USA. pdf
  • S. Chiasson, P.C. van Oorschot, R. Biddle (2006). A Usability Study and Critique of Two Password Managers. USENIX Security Symposium. August 2006, Vancouver, BC, Canada. pdf ppt
  • S. Chiasson, R. Biddle, P.C. van Oorschot (2006). Materials for a Usability Study of Password Managers. Presented as part of the Security User Studies Workshop, Symposium on Usable Privacy and Security (SOUPS 2006). July 2006, Pittsburgh, PA, USA. zip

Related Work

The following papers offer a good introduction to usable security: