Steffen Bartsch scite author profile

2011

Agile methods are widely employed to develop high-quality software, but theoretical analyses argue that agile methods are inadequate for security-critical projects. However, most agile-developed software today needs to satisfy baseline security requirements, so that we need to focus on how to achieve this this level for typical agile projects. In this paper, we provide insights from the practitioner's perspective on security in agile development and report on exploratory, qualitative findings from interviews. Our findings extend the theoretical prior work and suggest to focus on adequate customer involvement, developer security awareness and expertise, and continuously improving the development process for security.

Contextualized Web Warnings, and How They Cause Distrust

Theuerling

et al. 2013

Abstract. Current warnings in Web browsers are difficult to understand for lay users. We address this problem through more concrete warning content by contextualizing the warning -for example, taking the user's current intention into account in order to name concrete consequences. To explore the practical value of contextualization and potential obstacles, we conduct a behavioral study with 36 participants who we either confront with contextualized or with standard warning content while they solve Web browsing tasks. We also collect exploratory data in a posterior card-sorting exercise and interview. We deduce a higher understanding of the risks of proceeding from the exploratory data. Moreover, we identify conflicting effects from contextualization, including distrust in the content, and formulate recommendations for effective contextualized warning content.

Mental Models of Verifiability in Voting

Olembo

2013

In order for voters to verify their votes, they have to carry out additional steps besides selecting a candidate and submitting their vote. In previous work, voters have been found to be confused about the concept of and motivation for verifiability in electronic voting when confronted with it. In order to better communicate verifiability to voters, we identify mental models of verifiability in voting using a questionnaire distributed online in Germany. The identified mental models are, Trusting, No Knowledge, Observer, Personal Involvement and Matching models. Within the same survey, we identify terms that can be used in place of 'verify' as well as security-relevant metaphors known to the voters that can be used to communicate verifiability.

A calculus for the qualitative risk assessment of policy override authorization

2010

Exploring twisted paths: Analyzing authorization processes in organizations

2011

Voter, What Message Will Motivate You To Verify Your Vote?

Olembo¹,

Renaud²,

Bartsch³

et al. 2014

Abstract-There is increasing interest in verifiable Internet voting systems that enable voters to verify the integrity of their vote on the voting platform prior to casting it, and any interested party to verify the integrity of the election results. The ease with which a vote can be verified plays a key role. Empowering individual voters to act as interested yet objective verifiers increases the probability of fraud detection. Verifying constitutes additional effort, something humans resist unless the benefits are compelling enough. Thus, what is the best way to provide such motivation? We report on a survey, distributed to 123 respondents, in which we explore the effects of three types of motivating messages on voters' intention to verify a vote, using a smartphone app. The motivating messages were intended to increase the intention to verify a vote. Our findings have persuaded us that further research on the use of motivating messages in the context of verifiable voting is warranted.

Adopting the CMU/APWG Anti-phishing Landing Page Idea for Germany

Stockhardt

et al. 2013

Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.Abstract-Phishing attacks still pose a significant problem and purely technical solutions cannot solve this problem. While research literature in general shows that educating users in security is hard, the Anti-Phishing Landing Page proposed by CMU researchers seems promising as it appears in the most teachable moment -namely once someone clicked on a link and was very likely to fall for phishing. While this page is already in use and exists in many languages we show that it is not effective in Germany as most users leave the page immediately without having read any advice. We therefore explore options to adopt their ideas for Germany. We focus on which are the trustworthy institutes that could provide such a landing page on their web pages and what is an appropriate headline and design.

Capturing Attention for Warnings about Insecure Password Fields – Systematic Development of a Passive Security Intervention

Kolb

et al. 2014

Abstract. Eavesdropping on passwords sent over insecure connections still poses a significant threat to Web users. Current measures to warn about insecure connections in browsers are often overlooked or ignored. In this paper, we systematically design more effective security interventions to indicate insecure connections in combination with password requests. We focus on catching the attention of the user with the proposed security interventions. We comparatively evaluate the three developed interventions using eye-tracking and report how effective these options are in the context of three different website designs. We find that one of the options -red background of the password field -captures significantly more attention than the others, but is less linked to the underlying problem than the yellow warning triangle option. Thus, we recommend a combination of the two options.