Search

Your search keyword '"VANIEA, KAMI"' showing total 114 results
Start Over Author "VANIEA, KAMI"

Refine your results

more »

more »

more »

more »
114 results on '"VANIEA, KAMI"'

1. Phishing Codebook: A Structured Framework for the Characterization of Phishing Emails

Author

Saka, Tarini, Jain, Rachiyta, Vaniea, Kami, and Kökciyan, Nadin

Subjects
Computer Science - Cryptography and Security
Abstract

Phishing is one of the most prevalent and expensive types of cybercrime faced by organizations and individuals worldwide. Most prior research has focused on various technical features and traditional representations of text to characterize phishing emails. There is a significant knowledge gap about the qualitative traits embedded in them, which could be useful in a range of phishing mitigation tasks. In this paper, we dissect the structure of phishing emails to gain a better understanding of the factors that influence human decision-making when assessing suspicious emails and identify a novel set of descriptive features. For this, we employ an iterative qualitative coding approach to identify features that are descriptive of the emails. We developed the ``Phishing Codebook'', a structured framework to systematically extract key information from phishing emails, and we apply this codebook to a publicly available dataset of 503 phishing emails collected between 2015 and 2021. We present key observations and challenges related to phishing attacks delivered indirectly through legitimate services, the challenge of recurring and long-lasting scams, and the variations within campaigns used by attackers to bypass rule-based filters. Furthermore, we provide two use cases to show how the Phishing Codebook is useful in identifying similar phishing emails and in creating well-tailored responses to end-users. We share the Phishing Codebook and the annotated benchmark dataset to help researchers have a better understanding of phishing emails., Comment: 18 pages

Published
2024

2. To Patch, or not To Patch? That is the Question: A Case Study of System Administrators' Online Collaborative Behaviour

Author

Jenkins, Adam, Wolters, Maria, and Vaniea, Kami

Subjects
Computer Science - Human-Computer Interaction, Computer Science - Social and Information Networks
Abstract

System administrators, similar to end users, may delay or avoid software patches, also known as updates, despite the impact their timely application can have on system security. These admins are responsible for large, complex, amalgamated systems and must balance the security related needs of their organizations, which would benefit from the patch, with the need to ensure that systems must continue to run unimpeded. In this paper, we present a case study which follows the online life-cycle of a pair of Microsoft patches. We find that communities of sysadmins have evolved sophisticated mechanisms to perform risk assessments that are centred around collecting, synthesizing, and generating information on patches. These communities span different Virtual Communities of Practice, as well as influencers who monitor and report on the impact of new patches. As information is propagated and aggregated across blogs, forums, web sites, and mailing lists, eventually resulting in a consensus around the risk of a patch. Our findings highlight the role that these communities play in informing risk management decisions: Patch information is not static, and it transforms as communities collaborate to understand patch issues.

Published
2023

3. Twitter has a Binary Privacy Setting, are Users Aware of How It Works?

Author

Keküllüoğlu, Dilara, Vaniea, Kami, Wolters, Maria K., and Magdy, Walid

Subjects
Computer Science - Social and Information Networks, Computer Science - Human-Computer Interaction
Abstract

Twitter accounts are public by default, but Twitter gives the option to create protected accounts, where only approved followers can see their tweets. The publicly visible information changes based on the account type and the visibility of tweets also depends solely on the poster's account type which can cause unintended disclosures especially when users interact. We surveyed 336 Twitter users to understand users' awareness of account information visibility, as well as the tweet visibility when users interact. We find that our participants are aware of the visibility of their profile information and individual tweets. However, the visibility of followed topics, lists, and interactions with protected accounts is confusing. Only 31% of the participants were aware that a reply by a public account to a protected account's tweet would be publicly visible. Surprisingly, having a protected account does not result in a better understanding of the account information or tweet visibility., Comment: Proceeding of the 2023 ACM SIGCHI Conference on Computer-Supported Cooperative Work & Social Computing (CSCW'23)

Published
2022

4. Embedding Privacy Into Design Through Software Developers: Challenges & Solutions

Author

Tahaei, Mohammad, Vaniea, Kami, and Rashid, Awais

Subjects
Computer Science - Human-Computer Interaction, Computer Science - Cryptography and Security, Computer Science - Computers and Society, Computer Science - Software Engineering
Abstract

To make privacy a first-class citizen in software, we argue for equipping developers with usable tools, as well as providing support from organizations, educators, and regulators. We discuss the challenges with the successful integration of privacy features and propose solutions for stakeholders to help developers perform privacy-related tasks., Comment: To be published in "IEEE Security & Privacy: Special Issue on Usable Security for Security Workers" 11 pages, 4 figures

Published
2022
Full Text
View/download PDF

5. Understanding Privacy Switching Behaviour on Twitter

Author

Keküllüoğlu, Dilara, Vaniea, Kami, and Magdy, Walid

Subjects
Computer Science - Human-Computer Interaction, Computer Science - Social and Information Networks
Abstract

Changing a Twitter account's privacy setting between public and protected changes the visibility of past tweets. By inspecting the privacy setting of over 100K Twitter users over 3 months, we noticed that over 40% of those users change their privacy setting at least once with around 16% changing it over 5 times. This motivated us to explore the reasons why people switch their privacy setting. We studied these switching phenomena quantitatively by comparing the tweeting behaviour of users when public vs protected, and qualitatively using two follow-up surveys (n=100, n=324) to understand potential reasoning behind the observed behaviours. Our quantitative analysis shows that users who switch privacy settings mention others and share hashtags more when their setting is public. Our surveys highlighted that users turn protected to share personal content and regulate boundaries while they turn public to interact with others in ways prevented by being protected., Comment: Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (CHI'22)

Published
2022

6. From an Authentication Question to a Public Social Event: Characterizing Birthday Sharing on Twitter

Author

Keküllüoğlu, Dilara, Magdy, Walid, and Vaniea, Kami

Subjects
Computer Science - Social and Information Networks, Computer Science - Human-Computer Interaction
Abstract

Date of birth (DOB) has historically been considered as private information and safe to use for authentication, but recent years have seen a shift towards wide public sharing. In this work we characterize how modern social media users are approaching the sharing of birthday wishes publicly online. Over 45 days, we collected over 2.8M tweets wishing happy birthday to 724K Twitter accounts. For 50K accounts, their age was likely mentioned revealing their DOB, and 10% were protected accounts. Our findings show that the majority of both public and protected accounts seem to be accepting of their birthdays and DOB being revealed online by their friends even when they do not have it listed on their profiles. We further complemented our findings through a survey to measure awareness of DOB disclosure issues and how people think about sharing different types of birthday-related information. Our analysis shows that giving birthday wishes to others online is considered a celebration and many users are quite comfortable with it. This view matches the trend also seen in security where the use of DOB in authentication process is no longer considered best practice., Comment: Proceedings of The 16th International AAAI Conference on Weblogs and Social Media (ICWSM'22)

Published
2022

7. 'I Don't Know Too Much About It': On the Security Mindsets of Computer Science Students

Author

Tahaei, Mohammad, Jenkins, Adam, Vaniea, Kami, and Wolters, Maria

Subjects
Computer Science - Cryptography and Security, Computer Science - Human-Computer Interaction
Abstract

The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate level using semi-structured interviews. We find that the attitudes of students already match many of those that have been observed in professional level developers. Students have a range of hacker and attack mindsets, lack of experience with security APIs, a mixed view of who is in charge of S&P in the software life cycle, and a tendency to trust other peoples' code as a convenient approach to rapidly build software. We discuss the impact of our results on both curriculum development and support for professional developers.

Published
2021
Full Text
View/download PDF

8. Capturing the Connections: Unboxing Internet of Things Devices

Author

Vaniea, Kami, Tallyn, Ella, and Speed, Chris

Subjects
Computer Science - Human-Computer Interaction
Abstract

Based upon a study of how to capture data from Internet of Things (IoT) devices, this paper explores the challenges for data centric design ethnography. Often purchased to perform specific tasks, IoT devices exist in a complex ecosystem. This paper describes a study that used a variety of methods to capture the interactions an IoT device engaged in when it was first setup. The complexity of the study that is explored through the annotated documentation across video and router activity, presents the ethnographic challenges that designers face in an age of connected things.

Published
2017

12. Data-Enhanced Design: Engaging Designers in Exploratory Sensemaking with Multimodal Data.

Author

Gorkovenko, Katerina, Jenkins, Adam, Vaniea, Kami, and Murray-Rust, Dave

Abstract

The article focuses on exploring ways for designers, without strong data skills, to engage with multimodal data and develop contextual understanding of product use, using telemetry data captured by a GoPro camera attached to a bicycle. Topics include a lightweight version of data-enhanced design research, the integration of video data and rider conversations for exploratory sensemaking, and the potential for designers to utilize data for ideation.

Published
2023
Full Text
View/download PDF

15. Data-Enhanced Design: Engaging Designers in Exploratory Sensemaking with Multimodal Data

Author

Gorkovenko, Katerina (author), Jenkins, Adam (author), Vaniea, Kami (author), Murray-Rust, D.S. (author), Gorkovenko, Katerina (author), Jenkins, Adam (author), Vaniea, Kami (author), and Murray-Rust, D.S. (author)

Abstract

Research in the wild can reveal human behaviors, contexts, and needs around products that are difficult to observe in the lab. Telemetry data from the use of physical products can help facilitate in the wild research, in particular by suggesting hypotheses that can be explored through machine learning models. This paper explores ways for designers without strong data skills to engage with multimodal data to develop a contextual understanding of product use. This study is framed around a lightweight version of a data enhanced design research process where multimodal telemetry data was captured by a GoPro camera attached to a bicycle. This was combined with the video data and conversation with the rider to carry out an exploratory sensemaking process and generate design research questions that could potentially be addressed through data capture, annotation, and machine learning. We identify a range of ways that designers could make use of the data for ideation and developing context through annotating and exploring the data. Participants used data and annotation practices to connect the micro and macro, spot interesting moments, and frame questions around an unfamiliar problem. The work follows the designers’ questions, methods, and explorations, both immediate concerns and speculations about working at larger scales with machine learning models. This points to the possibility of tools that help designers to engage with machine learning, not just for optimization and refinement, but for creative ideation in the early stages of design processes., Human Information Communication Design

Published
2023
Full Text
View/download PDF

19. Context-Based Clustering to Mitigate Phishing Attacks

Author

Saka, Tarini, Vaniea, Kami E, and Kokciyan, Nadin

Subjects
Artificial Intelligence, Context, phishing, security, Human-Centered Artificial Intelligence, Usable Security, Clustering
Abstract

Phishing is by far the most common and disruptive type of cyber-attack faced by most organizations. Phishing messages may share common attributes such as the same or similar subject lines, the same sending infrastructure, similar URLs with certain parts slightly varied, and so on. Attackers use such strategies to evade sophisticated email filters, increasing the difficulty for computing support teams to identify and block all incoming emails during a phishing attack. Limited work has been done on grouping human-reported phishing emails, based on the underlying scam, to help the computing support teams better defend organizations from phishing attacks. In this paper, we explore the feasibility of using unsupervised clustering techniques to group emails into scams that could ideally be addressed together. We use a combination of contextual and semantic features extracted from emails and perform a comparative study on three clustering algorithms with varying feature sets. We use a range of internal and external validation methods to evaluate the clustering results on real-world email datasets. Our results show that unsupervised clustering is a promising approach for scam identification and grouping, and analyzing reported phishing emails is an effective way of mitigating phishing attacks and utilizing the human perspective.

Published
2022

20. PhishED: Automated contextual feedback for reported Phishing

Author

Jenkins, Adam, Kokciyan, Nadin, and Vaniea, Kami E

Subjects
usability, security, phishing
Abstract

When people receive malicious emails that claim to be from a trusted entity like their bank, they can be frightened and uncertain about how safe it is to ignore or delete the message. The uncertainty is hard on users and it may lead them to engage in unsafe actions like clicking on links ``just to check.'' In this work we look at how to provide quick and accurate support to people who report phishing so that they can confidentially take appropriate action. For this, we will build a phishing-advice tool, PhishEd, that allows people to report malicious emails that they encounter and get automatically generated advice in response that is contextual to the suspicious email. The advice is meant to both help them make an informed decision about the reported email as well as provide some education to help them in handling future malicious emails better.

Published
2022

21. Proximity Displays for Access Control

Author

Vaniea, Kami

Abstract

Managing access to shared digital information, such as photographs and documents. is difficult for end users who are accumulating an increasingly large and diverse collection of data that they want to share with others. Current policy-management solutions require a user to proactively seek out and open a separate policy-management interface when she wants to review or change her access-control policy. However, end users treat access control as a secondary task, and rarely visit a website for the primary task of managing security. Historically, security administrators and auditors were available to check for access-control issues on behalf of users, but in the age of Facebook and Flickr people are responsible for their own content. Users need a way to review their access-control policies that fits into their normal workflows. This thesis proposes the use of "proximity information displays"--small interface components spatially located near the data elements (or near a representation of data, e.g., file name in a file manager or thumbnail photo in a photo album) that contain information about who currently has access or who could access the data. These displays are intended to help users become more aware of how their data has been used in the past and how the data could be used in the future. We present empirical studies that test the hypothesis: Users of a system that includes proximity information displays of access control-information will implement policies that result in grant/deny actions that better match their preferences than will users of a system where access-control information is available only on a secondary interface. The focus of this thesis is understanding the impact of proximity displays on people's permission-modification behavior. The displays were conceptualized based on interviews with end users and security administrators, which highlighted the need for increased end-user awareness of their policies. Focus groups showed that people liked the idea of showing permission information in proximity to data. Finally, several evaluation studies were conducted in the lab and online using a photo-sharing website. Participants who saw proximity displays that were more comprehensive and could be glanced at easily were better able to identify access-control policy errors. Participants who saw displays that were overly coarse-grained, on the sidebar, or showed information about who had previously viewed the photos, showed no improvement over those who saw permission settings only on a secondary interface. Our studies suggest that proximity displays for access control can help significantly the majority of users who do not normally check their access-control policies. [The dissertation citations contained here are published with the permission of ProQuest LLC. Further reproduction is prohibited without permission. Copies of dissertations may be obtained by Telephone (800) 1-800-521-0600. Web page: http://www.proquest.com/en-US/products/dissertations/individuals.shtml.]

Published
2012

23. Lessons Learned from Recruiting Participants with Programming Skills for Empirical Privacy and Security Studies

Author

Tahaei, Mohammad and Vaniea, Kami E

Subjects
emperical software engineering, recruitment, developers, crowdsourcing, usable privacy and security
Abstract

In the past decade the usable privacy and security research community has extended its research to expert users such as software developers who have been shown to face challenges when working with privacy and security technologies. However, it is often challenging to run empirical studies with developers because they can be hard to recruit for interviews or surveys. Researchers have successfully used social media, crowdsourcing platforms, and computer science students for recruiting, but recruitment is still a significant pain point in many studies. This short paper reflects on our experience recruiting developers, particularly for empirical privacy and security research, for multiple studies from 2019 to 2022.

Published
2022

24. Virtual Reality Observations: Using Virtual Reality to Augment Lab-Based Shoulder Surfing Research

Author

Mathis, Florian, O'Hagan, Joseph, Khamis, Mohamed, and Vaniea, Kami

Subjects
Authentication, Shoulder Surfing, Virtual Reality
Abstract

Given the difficulties of studying the shoulder surfing resistance of authentication systems in a live setting, researchers often ask study participants to shoulder surf authentications by watching two-dimensional (2D) video recordings of a user authenticating. How-ever, these video recordings do not provide participants with a realistic shoulder surfing experience, creating uncertainty in the value and validity of lab-based shoulder surfing experiments. In this work, we exploit the unique characteristics of virtual reality (VR) and study the use of non-immersive/immersive VR recordings for shoulder surfing research. We conducted a user study (N=18) to explore the strengths and weaknesses of such a VR-based shoulder surfing research approach. Our results suggest that immersive VR observations result in a more realistic shoulder surfing experience, in a significantly higher sense of being part of the authentication environment, in a greater feeling of spatial presence, and in a higher level of involvement than 2D video observations without impacting participants’ observation performance. This suggests that studying shoulder surfing in VR is advantageous in many ways compared to currently used approaches, e.g., participants can freely choose their observation angle rather than being limited to a fixed observation angle as done in current methods. We discuss the strengths and weaknesses of using VR for shoulder surfing research and conclude with four recommendations to help researchers decide when (and when not) to employ VR for shoulder surfing research in the authentication research domain.

Published
2022

25. Understanding Privacy-Related Advice on Stack Overflow

Author

Tahaei, Mohammad, Li, Tianshi, and Vaniea, Kami

Abstract

Privacy tasks can be challenging for developers, resulting in privacy frameworks and guidelines from the research community which are designed to assist developers in considering privacy features and applying privacy enhancing technologies in early stages of software development. However, how developers engage with privacy design strategies is not yet well understood. In this work, we look at the types of privacy-related advice developers give each other and how that advice maps to Hoepman’s privacy design strategies.We qualitatively analyzed 119 privacy-related accepted answers on Stack Overflow from the past five years and extracted 148 pieces of advice from these answers. We find that the advice is mostly around compliance with regulations and ensuring confidentiality with a focus on the inform, hide, control, and minimize of the Hoepman’s privacy design strategies. Other strategies, abstract, separate, enforce, and demonstrate, are rarely advised. Answers often include links to official documentation and online articles, highlighting the value of both official documentation and other informal materials such as blog posts. We make recommendations for promoting the under-stated strategies through tools, and detail the importance of providing better developer support to handle third-party data practices.

Published
2022

33. Code-Level Dark Patterns: Exploring Ad Networks' Misleading Code Samples with Negative Consequences for Users

Author

Tahaei, Mohammad and Vaniea, Kami E

Subjects
usable privacy, software developers, ad networks
Abstract

We introduce code-level dark patterns in ad networks. These are official code samples provided by ad networks that will result in user-facing dark patterns, if copy-pasted by developers. Developers who do not carefully read the code for all the nuanced consequences may endanger users privacy by using these code samples. We present three code samples from Google and Amazon ad networks where the code samples do not provide a "I do not consent" option for location data collection, the consent form keeps reappearing until the user consents, and the inclusion of unnecessary permissions when they are presented as "optional'' in the surrounding text.

Published
2021

42. Opinions on Weblinks

Author

Albakry, Sara, Vaniea, Kami, and Wolters, Maria

Subjects
Mathematical and Computer Sciences, URL Readability, Phishing Prevention, Link Destination, Empirical Evaluation, Online Safety, Web Literacy, Uniform Resource Locators, Web Users
Abstract

This document provides a concrete version of the survey used in the URL reading experiment conducted in April 2017 and reported in the associated paper to appear at CHI'20 on 25 April, 2020. This documentation serves two purposes. First, it helps readers of the associated paper to perceive what the experiment participants have seen. Second, it provides more concrete details than the main paper to enable accurate replications of the experiment by interested researchers. Researchers who wish to use this survey in replication studies are encouraged to read the design rationale in the associated paper. The document presents the 46 fictitious Unified Resource Locators (URL) designed to empirically evaluate web users ability to read URLs and the exact wording of the associated multiple-choice questions. Each URL is associated with two questions: where this URL goes and how safe it is to click on it. These 46 URL trials systematically vary the URL structure, the number and brand names appearing in the URL and the position of the brand name in the URL. More details about the experiment results, survey design process and rationale can be found in the associated paper: Sara Albakry, Kami Vaniea, and Maria Wolters. What is this URL’s Destination: Empirical Evaluation of Web Users’ URL Reading. In Proceedings of the SIGCHI Conference on Human Factors in computing systems. ACM, 2020., One PDF document is included. The document includes an introduction explaining the survey overall flow and a flow diagram followed by four main sections representing the survey building blocks: Introduction, Consent Statement, Instructions, URL Reading Trials, and Demographics and Post-Survey Questions.

Published
2020
Full Text
View/download PDF

44. Prototyping Usable Privacy and Security Systems: Insights from Experts.

Author

Mathis, Florian, Vaniea, Kami, and Khamis, Mohamed

Subjects
*SECURITY systems, *HUMAN-computer interaction, *PRIVACY, *COMMUNITY support, *PROTOTYPES
Abstract

Iterative design, implementation, and evaluation of prototype systems is a common approach in Human-Computer Interaction (HCI) and Usable Privacy and Security (USEC); however, research involving physical prototypes can be particularly challenging. We report on twelve interviews with established and nascent USEC researchers who prototype security and privacy-protecting systems and have published work in top-tier venues. Our interviewees range from professors to senior PhD candidates, and researchers from industry. We discussed their experiences conducting USEC research that involves prototyping, opinions on the challenges involved, and the ecological validity issues surrounding current evaluation approaches. We identify the challenges faced by researchers in this area such as the high costs of conducting field studies when evaluating hardware prototypes, the scarcity of open-source material, and the resistance to novel prototypes. We conclude with a discussion of how the USEC community currently supports researchers in overcoming these challenges and places to potentially improve support. [ABSTRACT FROM AUTHOR]

Published
2022
Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results