User Experience Design for Cybersecurity & Privacy: addressing user misperceptions of system security and privacy

Abstract

The increasing magnitude and sophistication of malicious cyber activities by various threat actors poses major risks to our increasingly digitized and inter-connected societies. However, threats can also come from non-malicious users who are being assigned too complex security or privacy-related tasks, who are not motivated to comply with security policies, or who lack the capability to make good security decisions. This thesis posits that UX design methods and practices are necessary to complement security and privacy engineering practices in order to (1) identify and address user misperceptions of system security and privacy; and (2) inform the design of secure systems that are useful and appealing from end-users’ perspective.

The first research objective in this thesis is to provide new empirical accounts of UX aspects in three distinct contexts that encompass security and privacy considerations, namely: cyber threat intelligence, secure and private communication, and digital health technology. The second objective is to empirically contribute to the growing research domain of mental models in security and privacy by investigating user perceptions and misperceptions in the afore-mentioned contexts. Our third objective is to explore and propose methodological approaches to incorporating users’ perceptions and misperceptions in the socio-technical security analyses of systems.

Qualitative and quantitative user research methods with experts as well as end users of the applications and systems under investigation were used to achieve the first two objectives. To achieve the third objective, we also employed simulation and computational methods.

Cyber Threat Intelligence: CTI sharing platforms

Reporting on a number of user studies conducted over a period of two years, this thesis offers a unique contribution towards understanding the constraining and enabling factors of security information sharing within one of the leading CTI sharing platforms, called MISP. Further, we propose a conceptual workflow and toolchain that would seek to detect user (mis)perceptions of key tasks in the context of CTI sharing, such as verifying whether users have an accurate comprehension of how far information travels when shared in a CTI sharing platform, and discuss the benefits of our socio-technical approach as a potential security analysis tool, simulation tool, or educational / training support tool.

Secure & Private Communication: Secure Email

We propose and describe multi-layered user journeys, a conceptual framework that serves to capture the interaction of a user with a system as she performs certain goals along with the associated user beliefs and perceptions about specific security or privacy-related aspects of that system. We instantiate the framework within a use case, a recently introduced secure email system called p≡p, and demonstrate how the approach can be used to detect misperceptions of security and privacy by comparing user opinions and behavior against system values and objective technical guarantees offered by the system. We further present two sets of user studies focusing on the usability and effectiveness of p≡p’s security and privacy indicators and their traffic-light inspired metaphor to represent different privacy states and guarantees.

Digital Health Technology: Contact Tracing Apps

Considering human factors when exploring the adoption as well as the security and privacy aspects of COVID-19 contact tracing apps is a timely societal challenge as the effectiveness and utility of these apps highly depend on their widespread adoption by the general population. We present the findings of eight focus groups on the factors that impact people’s decisions to adopt, or not to adopt, a contact tracing app, conducted with participants living in France and Germany. We report how our participants perceived the benefits, drawbacks, and threat model of the contact tracing apps in their respective countries, and discuss the similarities and differences between and within the study groups.

Finally, we consolidate the findings from these studies and discuss future challenges and directions for UX design methods and practices in cybersecurity and digital privacy.