A security ceremony expands a security protocol with everything that is considered out of band for it. Notably, it incorporates the user, who, according to their belief systems and cultural values, may be variously targeted by social engineering attacks. This makes ceremonies complex and varied, hence the need for their formal analysis aimed at their rigorous understanding. Formal analysis in turn requires clarifying the ceremony structure to build a ceremony model. The model defined here spans a number of socio-technical layers, ranging from a computer network to society. It inspires a layered analysis of security ceremonies, that is, layer by layer. This paper focuses on the human-computer interaction layer, which features a socio-technical protocol between a user persona and a computer interface. Future work will be to traverse all layers by formal analysis.
The joint study of computer security, privacy and human-computer interaction (HCI) over the last two decades has shaped a research agenda focused upon usable privacy & security. However, in HCI research more generally there has long been an awareness of the need to understand and design for user experience, in recognition of the complex and multi-faceted role that technology now plays in our lives. In this paper we add to the growing discussion by introducing the notion of experience-centered privacy and security. We argue that in order to engage users of technology around issues related to experiences of privacy and security, research methods are required that may be outside of the normal repertoire of methods that we typically call upon. We describe three projects that developed non-typical research methods to reveal experiential insights into user interactions with privacy and security-related technologies. We conclude by proposing a research agenda that begins to illustrate how the discourse and methods of experience-centered design might serve to provide valuable alternative perspectives on new and enduring user-facing privacy and security problems.
Consent is a multifaceted concept that has not received much attention in information systems literature. In this paper we categorise current electronic consent decision making systems into first generation, ex-post and principled Electronic Consent Management. We argue for the adoption of principled ECM as a way forward to consent management in information systems, and outline a research framework for ECM, proposing three key components: consent theory, ECM norms, and ECM norms' manifestation. A real world context is then selected to illustrate the framework's intention.
Framed within the theoretical lens of positive and negative security, this paper presents a study of newcomers to Sweden and the roles of mobile phones in the establishment of a new life. Using creative engagement methods through a series of workshops, two researchers engaged 70 adult participants enrolled into further education colleges in Sweden. Group narratives about mobile phone use were captured in creative outputs, researcher observations and notes and were analysed using thematic analysis. Key findings show that the mobile phone offers security for individuals and a safe space for newcomers to establish a new life in a new land as well as capitalising on other spaces of safety, such as maintaining old ties. This usage produces a series of threats and vulnerabilities beyond traditional technological security thinking related to mobile phone use. The paper concludes with recommendations for policies and support strategies for those working with newcomers.
It has been argued that human-centred security design needs to accommodate the considerations of three dimensions: (1) security, (2) usability and (3) accessibility. The latter has not yet received much attention. Now that governments and health services are increasingly requiring their citizens/patients to use online services, the need for accessible security and privacy has become far more pressing. The reality is that, for many, security measures are often exasperatingly inaccessible. Regardless of the outcome of the debate about the social acceptability of compelling people to access public services online, we still need to design accessibility into these systems, or risk excluding and marginalising swathes of the population who cannot use these systems in the same way as abled users. These users are particularly vulnerable to attack and online deception not only because security and privacy controls are inaccessible but also because they often struggle with depleted resources and capabilities together with less social, economic and political resilience. This conceptual paper contemplates the accessible dimension of human-centred security and its impact on the inclusivity of security technologies. We scope the range of vulnerabilities that can result from a lack of accessibility in security solutions and contemplate the nuances and complex challenges inherent in making security accessible. We conclude by suggesting a number of avenues for future work in this space.