Human-centred Security & Privacy

Interdisciplinary Research Group in Socio-technical Cybersecurity

One of the key research areas of IRiSC revolves around the role of the human in cybersecurity and privacy.

While there exists a commonly held view that “people are the weakest link in the security chain”, in recent years it has become widely acknowledged that neither users, nor developers, nor security managers are “the enemy”.

Designing secure systems is a socio-technical endeavour that has to place an equal amount of focus on both the technical and the social components, i.e., technology and people need to work together in harmony to achieve the production tasks as well as to perform the enabling task of securing the system effectively. Thus, technical cybersecurity measures cannot be effectively deployed without also studying people’s values and goals, their behaviour, and their involvement in and relationship with security- and privacy-critical systems.

In different cybersecurity contexts our research activities cover:

  • Understanding users’ motivations, perceptions and interactions with secure systems, security controls and privacy-enhancing technologies
  • UX evaluations of security- and privacy-critical systems
  • Socio-technical security analysis
  • Detecting misalignments between users’ perceptions and system security and privacy

Example use cases:

Threat intelligence sharing platforms are becoming indispensable tools for cooperative and collaborative cybersecurity. Nevertheless, despite the growing research in this area, the emphasis is often placed on the technical aspects, incentives, or implications associated with threat intelligence sharing, rather than on the challenges encountered by the users of such platforms. To date, the user experience aspects of these platforms remain largely unexplored.

Some of the questions we are addressing relate to:

  • How do different security information workers evaluate the user experience of leading CTI information sharing platforms?
  • What are the constraining and enabling factors of security information sharing from end-users’ perspective?
  • Do users have an accurate understanding of the extent of information sharing, i.e., how far information travels when it is shared in a CTI sharing platform?

Protecting the secrecy of messages online is not only in the interest of citizens who would like to exercise their right to privacy and their right to freedom of information, but also of those with a professional duty of confidentiality (e.g., journalists, lawyers, doctors, etc.). While in recent years, and following the Snowden revelations, a plethora of secure instant messaging applications have come into existence — with some of them reaching significant popularity — comparable user adoption figures cannot be claimed for secure e-mail. With the total number of business and consumer e-mails sent and received per day estimated to have exceeded 281 billion, it is clear that the need for securing e-mail communication is as relevant and pressing today as it was two decades ago, when the first usability studies showed significant problems with the existing e-mail encryption mechanisms.

Some of the questions we are addressing in this context:

  • What models and what strategies can be used to investigate misalignments between the objective technical security guarantees provided by a system and the subjective security guarantees as perceived by its users?
  • Can an analysis of such misalignments lead to insightful discoveries about a system’s socio-technical security or insecurity?
  • What role do security and privacy indicators play in the perception and misperception of system security and privacy, and which indicators do end-users find appropriate for representing the different privacy states of secure e-mail systems?

Get in touch with us

SnT – Interdisciplinary Centre for Security, Reliability and Trust
Maison du Nombre, 6, avenue de la Fonte L-4364 Esch-sur-Alzette
info-irisc-lab@uni.lu