They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites

Huaman, Nicolas; Amft, Sabrina; Oltrogge, Marten; Acar, Yasemin; Fahl, Sascha

doi:10.1109/sp40001.2021.00094

Cited by 13 publications

(12 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A decision was made to use a single coder for the 1013-item coding exercise described in this paper, which was based on all test coders reaching a consensus on the final set of codes and questions in the coding tree (consistent with the methodology of, e.g., Huaman et al [39]), the acceptably high level of agreement during test codings, and the work effort required to manually code (via the coding tree) 1013 items. Using a single coder is noted as a limitation of this work.…”

Section: Focus On End-resultsmentioning

confidence: 99%

“…Improvement was measured based on inter-coder agreement after modification (i.e., addition/modification of codes and/or questions) of the tree. Over several iterations, coders discussed the results to resolve ambiguities and gaps in code definitions or questions in the coding tree, refining questions difficult to reliably answer and coming to an agreement on the codes [39], improving inter-coder agreement through a relatively concise decision path. To code items that required more reflection, coders consulted a further detailed annotation (see App.…”

Section: Establishing Analysis Toolsmentioning

confidence: 99%

“…To our knowledge, we are the first to build a coding tree that uses questions to guide coders to tags for qualitative data. Typically, a codebook is built iteratively and then used directly (e.g.,[39,44,47,55]).…”

mentioning

confidence: 99%

See 2 more Smart Citations

Security Best Practices: A Critical Analysis Using IoT as a Case Study

Barrera

Bellman

Oorschot

2023

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

Academic research has highlighted the failure of many Internet of Things (IoT) product manufacturers to follow accepted practices, while IoT security best practices have recently attracted considerable attention worldwide from industry and governments. Given current examples of security advice, confusion is evident from guidelines that conflate desired outcomes with security practices to achieve those outcomes. We explore a surprising lack of clarity, and void in the literature, on what (generically) best practice means, independent of identifying specific individual practices or highlighting failure to follow best practices. We consider categories of security advice, and analyze how they apply over the lifecycle of IoT devices. For concreteness in discussion, we use iterative inductive coding to code and systematically analyze a set of 1013 IoT security best practices, recommendations, and guidelines collated from industrial, government, and academic sources. Among our findings, of all analyzed items, 68% fail to meet our definition of an (actionable) practice, and 73% of all actionable advice relates to the software development lifecycle phase, highlighting the critical position of manufacturers and developers. We hope that our work provides a basis for the community to better understand best practices, identify and reach consensus on specific practices, and find ways to motivate relevant stakeholders to follow them.

show abstract

Section: Focus On End-resultsmentioning

confidence: 99%

Section: Establishing Analysis Toolsmentioning

confidence: 99%

See 1 more Smart Citation

Security Best Practices: A Critical Analysis Using IoT as a Case Study

Barrera

Bellman

Oorschot

2023

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

show abstract

“…Previous research demonstrated the ineffectiveness of poorly designed warning messages [5], [14], [16], [22] the prevalent issues with passwords [18], [25], [47], or security and privacy problems due to wrong mental models and misconceptions. For example, most Android users do not pay attention to permissions and lack comprehension, which can lead to wrong security decisions [17].…”

Section: Introductionmentioning

confidence: 99%

How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study

Gutfleisch

Klemmer

Busch

et al. 2022

2022 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

For software to be secure in practice, users need to be willing and able to appropriately use security features. These features are usually implemented by software professionals during the software development process (SDP), who may be unable to consider the usability of these mechanisms.While research has made progress in supporting developers in creating secure software products, very little attention has been paid to whether and how these security features are made usable. In a semi-structured interview study with 25 software professionals (software developers, designers, architects), we explored how they and other decision-makers encounter and deal with security and usability during the software development process in their companies.Based on 37 hours of interview recordings, we qualitatively analyzed and investigated 23 distinct development contexts in detail. In addition to individual awareness and factors that directly influence the implementation phase, we identify a high impact of contextual factors, such as stakeholder pressure, presence of expertise, and collaboration culture, and the specific implementation of the SDP on usable security in software products. We conclude our work by highlighting important gaps, such as studying and improving contextual factors that contribute to usable security and discussing potential improvements of the status quo.

show abstract

“…Improvement was measured based on inter-coder agreement after modification (i.e., addition/modification of codes and/or questions) of the tree. Over several iterations, coders discussed the results to resolve ambiguities and gaps in code definitions or questions in the coding tree, refining questions difficult to reliably answer and coming to an agreement on the codes [105], improving inter-coder agreement through a 4 The final codebook definitions are given in Fig. 4.4 on page 56.…”

Section: Establishing the Coding Treementioning

confidence: 99%

On Security Best Practices, Systematic Analysis of Security Advice, and Internet of Things Devices

Bellman¹

View full text Add to dashboard Cite

While Internet of Things (IoT) security best practices have recently attracted considerable attention from industry and governments, academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We begin by investigating a surprising lack of consensus, and void in the literature, on what (generically) best practice means, and provide a technical examination of related terminology. We use iterative inducting coding to design an analysis methodology for categorizing security advice and measuring its actionability. We use this methodology to analyze three datasets: a set of 1013 IoT security best practices, recommendations, and guidelines, and two formally recommended IoT security advice documents. We find all three sets to be largely non-actionable. Through design and use of this methodology, we identify the characteristics of actionable security advice.We also analyze recent work on IoT device identification based on three identification objectives (distinguish device instances, distinguish device classes, and authenticate device identity), and the technical approaches by which they are reached: device fingerprinting, classification, and authentication. We differentiate the role of these objectives and approaches in IoT security, and develop a model relating them. viii ix Ashraf Matrawy (Carleton University), and Dr. Mohammad Zulkernine (Queen's University).Finally, a special thank-you goes to my family and friends for all the support over the past five years-your encouragement is deeply appreciated, and I could not have done this without your support.

show abstract

They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites

Cited by 13 publications

References 16 publications

Security Best Practices: A Critical Analysis Using IoT as a Case Study

Security Best Practices: A Critical Analysis Using IoT as a Case Study

How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study

On Security Best Practices, Systematic Analysis of Security Advice, and Internet of Things Devices

Contact Info

Product

Resources

About