Creating better computer security by studying user behavior

Billions of dollars are lost annually due to computer fraud, yet most people working on computer security are focused on engineering new systems without regard for how people will actually use those systems. Dr. Serge Egelman of the International Computer Science Institute strives to improve computer security and online privacy by addressing human factors. He designs scientific experiments to explore how people behave in various situations, how they make privacy and security decisions, and how computer systems and their interfaces can then be better devised to improve behavior and understanding.

For example, Dr. Egelman's research into why people disregard computer security warnings was used by developers to design warnings that are less likely to get ignored. The results of this research have been incorporated into major web browsers, which are used by hundreds of millions of users today.

  • Research on web-based threats to privacy and security involves performing human subject experiments to examine how people respond to current mitigations, such as web browser security warnings and various privacy tools. His team is also performing research to discover new threats to privacy, such as how companies devise new methods for online tracking, and then how to mitigate those threats.
  • Dr. Egelman's team is currently researching how to improve smartphone platforms so that users better understand and can control how third-party apps may be using their personal information, and then developing new ways that they can control their privacy.
  • The team is designing experiments that look into how individual differences (e.g., personality traits) may be predictive of privacy and security attitudes and behaviors, so that this information can then be used to design systems that tailor privacy and security settings to an individual's needs. Their goal is to design systems that can simply "learn" a user's preferences, without having to explicitly ask the user to take the time to modify complicated settings panels.
  • Research on ubiquitous computing platforms, such as wearable devices, centers around discovering and mitigating new threats to user privacy and security prior to these systems (and their associated risks) becoming widespread. By designing privacy indicators that communicate how personal information is being accessed and shared, it will be possible for users to better understand when they're being recorded and what data may be accessed by others.

Dr. Egelman collaborates with psychologists (to better understand decision-making processes), behavioral economists (to better understand how incentives influence behavior), as well as "more traditional" computer security researchers (to stay knowledgeable on the newest threats). He hopes that his multidisciplinary approach to research will yield systems that help users make fewer - but better - computer privacy and security decisions.

Dr. Serge Egelman is a Senior Researcher in the International Computer Science Institute (ICSI) and a research scientist at the University of California, Berkeley, in the Department of Electrical Engineering and Computer Sciences (EECS). His research focuses on usable privacy and security, with the specific aim of better understanding how people make decisions surrounding their privacy and security, and then creating improved interfaces that better align stated preferences with outcomes. This has included human subjects research on social networking privacy, access controls, authentication mechanisms, web browser security warnings, and privacy-enhancing technologies. He received his Ph.D. from Carnegie Mellon University and prior to that was an undergraduate at the University of Virginia. He has also performed research at NIST, Brown University, Microsoft Research, and Xerox PARC. Unlike most computer security researchers, Dr. Egelman considers himself a scientist and not an engineer, in that he is much more interested in uncovering generalizable knowledge about human behavior, rather than simply building new systems. He is passionate about solving problems in a unique way and is motivated by the idea that his work contributes to human knowledge. He's had an interest in computers since he was very little when his father brought home his first PC in the early 1980s. As an undergraduate he took a human-computer interaction course, which gave him a new perspective on why a lot of computer security problems exist: failure to account for human factors. Thus, he made this his focus in graduate school, by examining how computer security (and online privacy) can be improved by studying how humans actually behave and then using this knowledge to design systems that are much more usable.

AIS Best Publication of 2011

The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study

ISR Best Published Paper

The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study

SOUPS Best Paper Award

Android Permissions: User Attention, Comprehension, and Behavior, with A. P. Felt

CHI Honorable Mention Award (Best Paper Nominee)

Of Passwords and People: Measuring the Effect of Password-Composition Policies