The proliferation of consumer Internet of Things (IoT) devices has raised security concerns. In response, governments have been advising consumers on security measures, but these recommendations are not guaranteed to be implementable owing to the diverse and rapidly evolving IoT landscape, risking wasted efforts and uncertainty caused by unsuccessful attempts to secure devices. Through interviews and a workshop with 14 stakeholders involved in a Dutch national public awareness campaign, we found that while stakeholders recognized the validity of these concerns, they opted to continue the campaign with minor modifications while expecting regulatory changes to resolve the observed problem. Their justifications reveal an institutional incentive structure that overlooks well-documented user realities in security and privacy HCI research. This raises important considerations for the design and delivery of such support strategies. By fostering a collaborative dialogue, we aim to contribute to the development of user-centered security practices.

A reduction in phishing threats is of increasing importance to organizations. One part of this effort is to provide training to employees, so that they are able to identify and avoid phishing emails. Yet further, simulated phishing emails are used to test whether employees will both identify and report a suspicious email. We worked with a partner bank to examine a repository of many thousands of reported emails from a behavioural perspective. We divide reported emails into categories and examine reporting trends over time relative to training and phishing simulation campaigns. Among our findings, the level of reporting of benign emails is comparable to the number of malicious emails reported, and we see indications that training and simulations amplify the reporting of benign emails. Our analysis uncovers reporting patterns for unique reporters per email campaign as a promising indicator for the security-related culture around phishing prevention. Evidence from our analysis informs recommendations, such as providing reporting infrastructure for reporting not only malicious emails, but also benign but suspicious work-related emails, in a manner that minimises the disruption for users erring on the side of caution when assessing emails.

Increasingly, organizations are acknowledging the importance of human factors in the management of security in workplaces. There are challenges in managing security infrastructures in which there may be centrally mandated and locally managed initiatives to promote secure behaviours. We apply a co-design methodology to harmonize employee behaviour and centralized security management in a large university. This involves iterative rounds of interviews connected by the co-design methodology: 14 employees working with high-value data with specific security needs; seven support staff across both local and central IT and IT-security support teams; and two senior security decision-makers in the organization. We find that employees prefer local support together with assurances that they are behaving securely, rather than precise instructions that lack local context. Trust in support teams that understand local needs also improves engagement, especially for employees who are unsure what to do. Policy is understood by employees through their interactions with support staff and when they see colleagues enacting secure behaviours in the workplace. The iterative co-design approach brings together the viewpoints of a range of employee groups and security decision-makers that capture key influences that drive secure working practices. We provide recommendations for improvements to workplace security, including recognizing that communication of the policy is as important as what is in the policy.

Security awareness campaigns in organizations now collectively cost billions of dollars annually. There is increasing focus on ensuring certain security behaviors among employees. On the surface, this would imply a user-centered view of security in organizations. Despite this, the basis of what security awareness managers do and what decides this are unclear. We conducted n = 15 semi-structured interviews with full-time security awareness managers, with experience across various national and international companies in European countries, with thousands of employees. Through thematic analysis, we identify that success in awareness management is fragile while having the potential to improve; there are a range of restrictions, and mismatched drivers and goals for security awareness, affecting how it is structured, delivered, measured, and improved. We find that security awareness as a practice is underspecified, and split between messaging around secure behaviors and connecting to employees, with a lack of recognition for the measures that awareness managers regard as important. We discuss ways forward, including alternative indicators of success, and security usability advocacy for employees.

Security awareness and training (SAT) vendors operate in a growing multi-billion dollar market. They publish various marketing promises on their websites to their customers -- organizations of all sizes. This paper investigates how these promises align with customers' needs, how they relate to human-centered security challenges highlighted in prior research, and what narrative is presented regarding the role of employees (as SAT recipients). We also investigate the level of transparency in vendor promises, as to whether it constitutes an information asymmetry. We gathered search terms from n=30 awareness professionals to perform an automated Google search and scraping of SAT vendors' websites. We then performed a thematic analysis of 2,476 statements on 156 websites from 59 vendors. We found that the messaging from SAT vendors precisely targets customers' need for easy-to-implement and compliance-fulfilling SAT products; how SAT products are offered also means that some of the impacts of SAT go unmentioned and are transferred to the customer, such as user support. In this vendor-customer relationship, employees are portrayed as a source of weaknesses, needing an indefinite amount of training to be incorporated into the organization's protection. We conclude with suggestions for SAT vendors and regulators, notably toward an SAT ecosystem that directly links SAT solutions to usable security technologies within the organization environment.

Signature-based network intrusion detection systems (NIDSs) and network intrusion prevention systems (NIPSs) remain at the heart of network defense, along with the rules that enable them to detect threats. These rules allow Security Operation Centers (SOCs) to properly defend a network, yet we know almost nothing about how rules are created, evaluated and managed from an organizational standpoint. In this work, we analyze the processes surrounding the creation, management, and acquisition of rules for network intrusion detection. To understand these processes, we conducted interviews with 17 professionals who work at Managed Security Service Providers (MSSPs) or other organizations that provide network monitoring as a service or conduct their own network monitoring internally. We discovered numerous critical factors, such as rule specificity and total number of alerts and false positives, that guide SOCs in their rule management processes. These lower-level aspects of network monitoring processes have generally been regarded as immutable by prior work, which has mainly focused on designing systems that handle the resulting alert flows by dynamically reducing the number of noisy alerts SOC analysts need to sift through. Instead, we present several recommendations that address these lower-level aspects to help improve alert quality and allow SOCs to better optimize workflows and use of available resources. These recommendations include increasing the specificity of rules, explicitly defining feedback loops from detection to rule development, and setting up organizational processes to improve the transfer of tacit knowledge.

The executive leadership in corporate organizations is increasingly challenged with managing cyber-risks, as an important part of wider business risk management. Cyber-risks are complex, with the threat landscape evolving, including digital infrastructure issues such as trust in networked supply chains, and emerging technologies. Moreover, engaging organizational leadership to assess for risk management is also difficult. This paper reports on a scenario-driven, workshop-based study undertaken with executive leadership to assess for cybersecurity and cyber-risk perception related to preparation for, and response to, potential incidents. The study involves leadership members at a large public-private organization. Our approach utilizes scenarios, which are structured in their design to explore and analyse aspects of business risk, risk ownership, technological complexity, and uncertainty faced by an organizational leadership. The method offers a means to engage with leadership at real-world organizations, capturing capacity and insights to manage business risks due to cyberattacks.

The smishing-based malware Flubot was taken down in mid-2022, yet there is little understanding of how it directly impacted smartphone users. We engage with customers of a partner Internet Service Provider (ISP), who have suffered a Flubot infection on their smartphones. We surveyed 87 ISP customers who had been notified of a Flubot infection, in the months around and preceding the take-down of Flubot. We found that slightly over half of respondents were unaware of the malware infection before being notified, though many others had suspicions. We also observe that just over half of respondents experienced non-technical harms from the malware, with many experiencing harms before notification and several experiencing unwanted or aggressive activity from users of other infected devices. Many respondents reported not having removed the malware, while some discarded the infected device or stopped using online services in their efforts to be more secure afterwards. We offer recommendations, including that clearer guidance be sought to help users identify a malware infection (and not a focus only on prevention), and support provided for recovery from personal harms caused by mobile malware, as the impacts are not only technical.

Consumer IoT devices may suffer malware attacks, and be recruited into botnets or worse. There is evidence that generic advice to device owners to address IoT malware can be successful, but this does not account for emerging forms of persistent IoT malware. Less is known about persistent malware, which resides on persistent storage, requiring targeted manual effort to remove it. This paper presents a field study on the removal of persistent IoT malware by consumers. We partnered with an ISP to contrast remediation times of 760 customers across three malware categories: Windows malware, non-persistent IoT malware, and persistent IoT malware. We also contacted ISP customers identified as having persistent IoT malware on their network-attached storage devices, specifically QSnatch. We found that persistent IoT malware exhibits a mean infection duration many times higher than Windows or Mirai malware; QSnatch has a survival probability of 30% after 180 days, whereby most if not all other observed malware types have been removed. For interviewed device users, QSnatch infections lasted longer, so are apparently more difficult to get rid of, yet participants did not report experiencing difficulty in following notification instructions. We see two factors driving this paradoxical finding: First, most users reported having high technical competency. Also, we found evidence of planning behavior for these tasks and the need for multiple notifications. Our findings demonstrate the critical nature of interventions from outside for persistent malware, since automatic scan of an AV tool or a power cycle, like we are used to for Windows malware and Mirai infections, will not solve persistent IoT malware infections.

User-centric digital identity initiatives are emerging with a mission to shift control over online identity disclosures to the individual. However, there is little representation of prospective users in discussions of the merits of empowering users with new data management responsibilities and the acceptability of new technologies. We conducted a user study comprising a contextual inquiry and semi-structured interviews using a prototype decentralized identity wallet app with 30 online participants. Our usability analysis uncovered misunderstandings about decentralized identifiers (DIDs) and pain points relating to using QR codes and following the signposting of cross-device user journeys. In addition, the technology did not readily resolve questions about whether the user, identity provider, or relying party was in control of data at crucial moments. We also learned that users' judgments of data minimization encompass a broader scope of issues than simply the technical provision of the identity wallet. Our results contribute to understanding future user-centric identity technologies from the view of privacy and user acceptance.

The decisions involved in choosing technology components for systems are poorly understood. This is especially so where the choices pertain to system security and countering the threat of cybersecurity attack. Although common in some commercial products, secure hardware chips provide security functions such as authentication, secure execution and integrity validation on system start, and are increasingly deemed to have a role in devices across sectors, such as IoT devices, autonomous vehicle systems and critical infrastructure components. To understand the decisions and opinions regarding the adoption of secure hardware, we conducted 23 semi-structured interviews with senior decision-makers from companies spanning a range of sectors, sizes and supply-chain roles. Our results consider the business propositional drivers, barriers and economic factors that influence the adoption decisions. Understanding these would help those seeking to influence the adoption process, whether as a business decision, or as a trade or national strategy.

Cybersecurity controls are deployed to manage risks posed by malicious behaviours or systems. What is not often considered or articulated is how cybersecurity controls may impact legitimate users (often those whose use of a managed system needs to be protected, and preserved). This oversight characterises the blunt' nature of many cybersecurity controls. Here we present a framework produced from consideration of concerns across methods from cybercrime opportunity reduction and behaviour change, and existing risk management guidelines. We illustrate the framework and its principles with a range of examples and potential applications, including management of suspicious emails in organizations, and social media controls. The framework describes a capacity to improve the precision of cybersecurity controls by examining shared determinants of negative and positive behaviours in a system. This identifies opportunities for risk owners to better protect legitimate users while simultaneously acting to prevent malicious activity in a managed system. We describe capabilities for a novel approach to managing sociotechnical cyber risk which can be integrated alongside elements of typical risk management processes. This includes consideration of user activities as a system asset to protect, and a consideration of how to engage with other stakeholders in the identification of behaviours to preserve in a system.

The ongoing global COVID-19 pandemic made working from home – wherever working remotely is possible the norm for what had previously been office-based jobs across the world. This change in how we work created a challenging situation for system administrators (sysadmins), as they are the ones building and maintaining the digital infrastructure our world relies on. In this paper, we examine how system administration work changed early in the pandemic from sysadmins’ personal perspectives, through semi-structured interviews and thematic analysis. We find that sysadmins faced a two-sided crisis: While sysadmins’ own work environment changed, they also had to react to the new situation and facilitate stable options to work online for themselves and their colleagues, supporting their users in adapting to the crisis. This finding embeds into earlier work on the connection between IT (security) work and the notion of ‘care’, where we substantiate these earlier findings with results from a repeatable method grounded in coordination theory. Furthermore, while we find that sysadmins perceived no major changes in the way they work, by consecutively probing our interviewees, we find that they did experience several counter-intuitive effects on their work. This includes that while day-to-day communication became inherently more difficult, other tasks were streamlined by the remote working format and were seen as having become easier. Finally, by structuring our results according to a model of coordination and communication, we identify changes in sysadmins’ coordination patterns. From these we derive recommendations for how system administration work can be coordinated, ranging beyond the immediate pandemic response and the transition to any ‘new normal’ way of working.

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal security-related choices. Conflict arises because of information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote good enough' decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both traditional economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. Our four stage plan to Capture, Adapt, Realign, and Enable behaviour choices provides guidance for security managers, focusing on a more effective response to the uncertainty associated with security behaviour in organizations.

Technology-facilitated abuse or ‘tech abuse’ in intimate partner violence (IPV) contexts describes the breadth of harms that can be enacted using digital systems and online tools. While the misappropriation of technologies in the context of IPV has been subject to prior research, a dedicated study on the United Kingdom’s IPV support sector has so far been missing. The present analysis summarises insights derived from semi-structured interviews with 34 UK voluntary and statutory sector representatives that were conducted over the course of two years (2018–2020). The analysis identifies four overarching themes that point out support services’ practices, concerns and challenges in relation to tech abuse, and specifically the Internet of Things (IoT). These themes include (a) technology-facilitated abuse, where interviewees outline their experiences and understanding of the concept of tech abuse; (b) IoT-enabled tech abuse, focusing on the changing dynamics of tech abuse due to the continuing rise of smart consumer products; (c) data, documentation and assessment, that directs our attention to the shortcomings of existing risk assessment and recording practices; and (d) training, support and assistance, in which participants point to the need for specialist support capabilities to be developed within and beyond existing services.

Leaders of organisations must make investment decisions relating to the security of their organisation. This often happens through consultation with a security specialist. Consultations may be regarded as conversations taking place in a trading zone between the two domains. We propose that supporting the trading zone is a route to sustainable, workable security change improvements. Prompts for such improvements are already in place, in the security stories that reach business leaders through news media, or anecdotes from trusted peers. However, a shift in perspective is needed to view these stories and anecdotes as prompts for individual decision makers to enter into the trading zone with security specialists. We illustrate how to facilitate this shift by recasting security ontology tools, previously centred around security-specific expertise, as a support device to enrich conversations between business expertise and security advice toward finding workable security choices. We frame our proposal within a broader view of community transformation, exploring the important principle of identifying practical opportunities to inform discussions about security solutions that are appropriate in the business context. Community-level discussions have potential to lead to more lasting, effective improvements than those instigated by one-way interventions from security specialists. We extend the view, applying the paradigm to articulate the importance of two-way conversations between business peers and security specialists.

Many consumer Internet-of-Things (IoT) devices are, and will remain, subject to compromise, often without the owner's knowledge. Internet Service Providers (ISPs) are among the actors best-placed to coordinate the remediation of these problems. They receive infection data and can notify customers of recommended remediation actions. There is insufficient understanding of what happens in peoples' homes and businesses during attempts to remediate infected IoT devices. We coordinate with an ISP and conduct remote think-aloud observations with 17 customers who have an infected device, capturing their initial efforts to follow best-practice remediation steps. We identify real, personal consequences from wide-scale interventions which lack situated guidance for applying advice. Combining observations and thematic analysis, we synthesize the personal stories of the successes and struggles of these customers. Most participants think they were able to pinpoint the infected device; however, there were common issues such as not knowing how to comply with the recommended actions, remediations regarded as requiring excessive effort, a lack of feedback on success, and a perceived lack of support from device manufacturers. Only 4 of 17 participants were able to successfully complete all remediation steps. We provide recommendations relevant to various stakeholders, to focus where emergent interventions can be improved.

Smart assistant devices (such as Amazon Echo or Google Home) have notable differences to more conventional consumer computing devices. They can be used through voice control as well as physical interaction, and are often positioned as a shared device within a home environment. We conduct an exploratory online survey with 97 UK-based users of smart assistant devices, to examine the differences users perceive between smart assistants and more familiar devices (such as smartphones and computers), in terms of shared use dynamics, privacy-related behaviours, and privacy concerns. The survey explores typical usage, setup practices, perceived ease of use and control, privacy concerns for multiple users, shared usage of existing devices, and smart assistant privacy control usage. Approximately half of participants were unsure of where to access privacy settings on their smart home assistants; basic device controls and informal privacy controls saw general use. Those who had used privacy controls with previous devices used at least one smart assistant privacy control. Results have implications for supporting transferable privacy behaviours from computing devices to smart home devices, and improving privacy-related design for smart assistants.