Usable Security Beyond End Users

Presented by Michelle Mazurek

Friday, May 19, 2017
10:30 a.m.
ICSI Lecture Hall

Abstract:

While researchers have developed many tools, techniques, and protocols for improving software security, exploits and breaches are only becoming more frequent. Some of this gap between theoretical security and actual vulnerability can be explained by insufficient consideration of human factors, broadly termed usability, when developing these mechanisms. In particular, security mechanisms may be difficult to use, may conflict with other priorities, or may assume more security knowledge than users possess. For almost 20 years, the usable security community has investigated how to improve the usability of security tools and interfaces aimed at end users. In this talk, I will introduce a research agenda for applying the methods and findings of this community to a new constituency: software developers who are not security experts, but must consider security concerns in their software. I will report on findings from three studies relevant to this topic: how the information resources developers use (such as Stack Overflow) affect their security decisions; how different cryptography libraries, including some designed for usability, affect developers' ability to write secure code; and observations from a quasi-experimental analysis of Build-It, Break-It, Fix-It, a unique secure-programming contest that allowed us to correlate development choices with security results.

Speaker Bio:

Michelle Mazurek is an Assistant Professor in the Computer Science Department and the Institute for Advanced Computer Studies at the University of Maryland, College Park. Her research aims to improve security- and privacy-related decision making by understanding user needs and then building sound tools and systems. Recent projects include analyzing how users learn and process security advice; contrasting user expectations with app behavior in Android apps; examining convenience/security tradeoffs in end-to-end encryption; and examining how and why developers make security and privacy mistakes. Michelle received her Ph.D. in Electrical and Computer Engineering from Carnegie Mellon University in 2014.