In research on secure systems, usability has always received less emphasis than security. This approach has led to a plethora of research that appears promising but is ultimately unacceptable to users (e.g., PGP). Moreover, as shown by Whitten and Tygar’s Why Johnny Can’t Encrypt, usability problems can actually degrade the security a system is attempting to provide.
Our research into usable security focuses on two branches. First, we have researched the usability of existing research proposals and industrial systems. This helps us understand which current practices are helpful and which are harmful. Furthermore, by exposing real systems to user feedback, we are able to discover user preferences that can help in designing the next generation of secure systems.
Second, we are exploring how user-first design can be applied to security systems. Our work on secure communication, password-based authentication, and strengthening TLS is all focused on providing solutions that meet the needs of users, are easy to use, and are rated as desirable by users.
Publications
S. Ruoti, T. Monson, J. Wu, D. Zappala, K. Seamons. Weighing Context and Trade-offs: How Suburban Adults Selected Their Online Security Posture, 13th Annual Symposium on Usable Privacy and Security (SOUPS 2017), Santa Clara, California, July 2017. [Presentation]
S. Ruoti, J. Andersen, T. Monson, D. Zappala, K. Seamons. Private Webmail 2.0: Simple and Easy-to-Use Secure Email, 29th ACM Symposium on User Interface Software and Technology (UIST 2016). ACM, 2016.
S. Ruoti, M. O’Neill, D. Zappala, K. Seamons. User Attitudes Toward the Inspection of Encrypted Traffic, 12th Annual Symposium on Usable Privacy and Security (SOUPS 2016). USENIX, 2016. [Presentation]
S. Ruoti, K. Seamons. Standard Metrics and Scenarios for Usable Authentication, 2nd Workshop on “Who Are You?! Adventures in Authentication” at the Symposium on Usable Privacy and Security (WAY 2016). USENIX, 2016. [Presentation]
S. Ruoti, J. Andersen, K. Seamons. Strengthening Passwords-based Authentication, 2nd Workshop on “Who Are You?! Adventures in Authentication” at the Symposium on Usable Privacy and Security (WAY 2016). USENIX, 2016. [Presentation]
S. Ruoti, J. Andersen, S. Heidbrink, M. O’Neill, E. Vaziripour, J. Wu, D. Zappala, K. Seamons. “We’re on the Same Page”: A Usability Study of Secure Email Using Pairs of Novice Users, Proceedings of the 34th Annual ACM Conference on Human Factors in Computing Systems (CHI 2016). ACM, 2016. [Presentation]
S. Ruoti, B. Roberts, K. Seamons. Authentication Melee: A Usability Analysis of Seven Web Authentication Systems, 24th Annual International Conference on World Wide Web (WWW 2015), Florence, Italy, May 2015. [Presentation]
M. O’Neill, S. Ruoti, K. Seamons, D. Zappala. Poster – TLS Proxies: Friend or Foe? 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 2014), Scottsdale, Arizona, November 2014.
M. O’Neill, S. Ruoti, K. Seamons, D. Zappala. TLS Proxies: Friend or Foe? arXiv preprint 1407.7146, July 2014.
S. Ruoti, N. Kim, B. Burgon, T. W. van der Horst, and K. Seamons. Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes, 9th Annual Symposium on Usable Privacy and Security (SOUPS 2013), Newcastle, United Kingdom, July 2013. [Presentation]
C. Robison, S. Ruoti, T. W. van der Horst, and K. E. Seamons. Private Facebook Chat, 2012 International Conference on Privacy, Security, Risk, and Trust (PASSAT 2012) and 2012 International Conference on Social Computing (SocialCom 2012), Amsterdam, Netherlands, September 2012. [Presentation]
Posters
S. Ruoti, J. Andersen, T. Monson, D. Zappala, K. Seamons. A Comparison of PGP, IBE, and Password-based Secure Email, Poster Session at the Symposium on Usable Privacy and Security (SOUPS 2016). Denver, CO, 2016. [Poster]
S. Ruoti, J. Andersen, S. Heidbrink, M. O’Neill, E. Vaziripour, J. Wu, D. Zappala, K. Seamons. “We’re on the Same Page”: A Usability Study of Secure Email Using Pairs of Novice Users, Poster Session at the Symposium on Usable Privacy and Security (SOUPS 2016). Denver, CO, 2016. [Poster]
S. Ruoti, B. Roberts, K. Seamons. Authentication Melee: A Usability Analysis of Seven Web Authentication Systems, Poster Session at the Symposium on Usable Privacy and Security (SOUPS 2015). Montreal, Canada, 2015. Distinguished Poster Award. [Poster]
M. O’Neill, S. Ruoti, K. Seamons, D. Zappala. TLS Proxies: Friend or Foe? 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 2014). Scottsdale, AZ, 2014. [Poster]
Theses
Scott Ruoti. Authentication Melee: A Usability Analysis of Seven Web Authentication Systems. December 2014.
Song Yuanzheng. Browser-Based Manual Encryption. August 2014.
Ben Burgon. Pwm: A Secure Webmail System Designed for Easy Adoption. March 2014.
Nathan Kim. Message Protector: Demonstrating that Manual Encryption Improves Usability. May 2013.
Chris Robison. KiwiVault: Encryption Software for Portable Storage Devices. December 2012.
Data Sets
User Attitudes Toward the Inspection of Encrypted Traffic
“We’re on the Same Page”: A Usability Study of Secure Email Using Pairs of Novice Users