Report: Authentication Diary Study – Michelle P. Steves & Mary F. Theofanos. NISTIR 7983 (2014)
Digital Identity Guidelines: Enrollment and Identity Proofing Requirements – Paul Grassi, James Fenton, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, & Mary Theofanos. SP 800-63A (2017)
Digital Identity Guidelines: Authentication and Lifecycle Management – Paul Grassi, Elaine Newton, Ray Perlner, Andrew Regenscheid, James Fenton, William Burr, Justin Richer, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, & Mary Theofanos. SP 800-63B (2017)
Digital Identity Guidelines: Federation and Assertions – Paul Grassi, Ellen Nadeau, Justin Richer, Sarah Squire, James Fenton, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, & Mary Theofanos. SP 800-63C (2017)
Memory and Motor Processes of Password Entry Error - Frank Tamborello & Kristen Greene. Proceedings of the Human Factors and Ergonomics Society Annual Meeting (2016)
Password Entry Errors: Memory or Motor? - Kristen Greene & Frank Tamborello. Proceedings of the 13th International Conference on Cognitive Modeling (2015)
ACT-R Modeling of Password Entry Errors - Kristen Greene & Franklin Tamborello. Proceedings of the 24th Conference on Behavior Representation in Modeling and Simulation (2015)
Electrodermal Activity and Eye Movements Inform the Usability of Passwords - Jennifer R. Bergstrom, Kristen Greene, David C. Hawkins, & Christian Gonzalez. Proceedings of the 44th Annual Meeting of the Society for Neuroscience (2014)
Usability and Security Considerations for Public Safety Mobile Authentication - Yee-Yin Choong, Joshua M. Franklin, & Kristen Greene. NISTIR 8080 (2016)
Measuring the Usability and Security of Permuted Passwords on Mobile Platforms - Kristen Greene, John M. Kelsey, & Joshua M. Franklin. NISTIR 8040 (2016)
Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry - Kristen Greene, Joshua M. Franklin, & John M. Kelsey. Proceedings of ShmooCon (2015)
I Can't Type That! P@$$w0rd Entry on Mobile Devices - Kristen Greene, Melissa A. Gallagher, Brian C. Stanton, & Paul Y. Lee. Proceedings of HCI International (2014)
Usability of PIV Smartcards for Logical Access - Mary F. Theofanos, Emile L. Morse, Hannah Wald, Yee-Yin Choong, Celeste Paul, & Aiping L. Zhang. NISTIR 7867 (2012)
A Field Study of User Behavior and Perception in Smartcard Authentication - Emile L. Morse, Celeste L. Paul, Aiping L. Zhang, Yee-Yin Choong, & Mary F. Theofanos. Proceedings of the 13th IFIP TC13 Conference on Human-Computer Interaction (INTERACT) (2011)
PIV Pilot Usability Lessons Learned – Mary Theofanos (Nov 8, 2010)
Must I, can I? I don’t understand your ambiguous password rules – Kristen K. Greene & Yee-Yin Choong. Information and Computer Security (2017)
Secure and Usable Enterprise Authentication: Lessons from the Field - Mary F. Theofanos, Simson L. Garfinkel, & Yee-Yin Choong. IEEE Security & Privacy (2016)
What's a Special Character Anyway? Effects of Ambiguous Terminology in Password Rules - Yee-Yin Choong & Kristen Greene. Proceedings of the Human Factors and Ergonomics Society Annual Meeting (2016)
Password Usability - Yee-Yin Choong (Oct 23, 2015)
Employee Password Usability Study - Yee-Yin Choong (Sep 10, 2015)
What 4,500+ people can tell you – Employees' Attitudes toward Organizational Password Policy Do Matter - Yee-Yin Choong & Mary F. Theofanos. Proceedings of the 3rd International Conference on Human Aspects of Information Security, Privacy, and Trust (2015)
Effects of Password Permutation on Subjective Usability Across Platforms - Kristen Greene. Proceedings of HCI International (2015)
Human Generated Passwords - The Impacts of Password Requirements and Presentation Styles - Paul Y. Lee & Yee-Yin Choong. Proceedings of HCI International (2015)
The Authentication Equation: A Tool to Visualize the Convergence of Security and Usability of Text-Based Passwords - Cathryn A. Ploehn & Kristen Greene. Proceedings of HCI International (2015)
Development of a Scale to Assess the Linguistic and Phonological Difficulty of Passwords - Jennifer R. Bergstrom, Stefan A. Frisch, David C. Hawkins, Joy Hackenbracht, Kristen Greene, Mary F. Theofanos, & Brian Griepentrog. Proceedings of the 6th International Conference on Cross-Cultural Design (2014)
United States Federal Employees' Password Management Behaviors – A Department of Commerce Case Study - Yee-Yin Choong, Mary F. Theofanos, & Hung-Kung Liu. NISTIR 7991 (2014)
Character Strings, Memory and Passwords: What a Recall Study Can Tell Us - Brian C. Stanton & Kristen K. Greene. Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust (HAS) (2014)
A Cognitive-Behavioral Framework of User Password Management Lifecycle – Yee-Yin Choong. Proceedings of HCI International (2014)
Password Policy Languages: Usable Translation from the Informal to the Formal – Michelle Steves, Mary Theofanos, Celia Paulsen, & Athos Ribeiro. Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust (2015)
Clear, Unambiguous Password Policies: An Oxymoron? – Michelle Steves, Kevin Killourhy, & Mary F. Theofanos. Proceedings of the 6th International Conference on Cross-Cultural Design (2014)
Taxonomic Rules for Password Policies: Translating the Informal to the Formal Language - Kevin Killourhy, Yee-Yin Choong, & Mary Theofanos. NISTIR 7970 (2013)
Usability Research in Support Of Cyber-Security: A Password Policy Taxonomy – Kevin Killourhy (May 7, 2008)
Youth Passwords - see Youth Security
Organizational Views of NIST Cryptographic Standards and Testing and Validation Programs – Julie Haney, Mary Theofanos, Yasemin Acar, & Sandra S. Prettyman. NISTIR 8241 (2018)
"We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products - Julie M. Haney, Mary F. Theofanos, Yasemin Acar & Sandra S. Prettyman. Proceedings of the Symposium on Usable Privacy and Security (SOUPS) (2018).
Organizational Practices in Cryptographic Development and Testing - Julie M. Haney, Simson L. Garfinkel, & Mary F. Theofanos. Proceedings of the IEEE Conference on Communications and Network Security (CNS) (2017).
Usability and Key Management – Mary Theofanos (Jun 8, 2009)
Cybersecurity Awareness and Training
Measuring the Effectiveness of U.S. Government Security Awareness Programs: A Mixed-Methods Study - Jody L. Jacobs, Julie M. Haney, & Susanne M. Furman. Workshop on Security Information Workers (2022).
An Investigation of Roles, Backgrounds, Knowledge, and Skills of U.S. Government Security Awareness Professionals - Julie M. Haney, Jody L. Jacobs, & Susanne M. Furman. ACM SIGMIS Computers and People Research Conference (2022).
NIST Cybersecurity Role-based Training Study Presentation - Jody Jacobs, Julie Haney, & Susanne Furman. Presented at the Federal Information Security Educators' (FISSEA) Spring Forum (2022). Recorded presentation
NISTIR 8420 “Federal Cybersecurity Awareness Programs: A Mixed Methods Research Study” - Julie Haney, Jody Jacobs, Susanne Furman, & Fernando Barrientos (2022)
NISTIR 8420A “Approaches and Challenges of Federal Cybersecurity Awareness Programs” - Julie Haney, Jody Jacobs, Susanne Furman, & Fernando Barrientos (2022)
NISTIR 8420B “The Federal Cybersecurity Awareness Workforce: Professional Backgrounds, Knowledge, Skills, and Development Activities” - Julie Haney, Jody Jacobs, Susanne Furman, & Fernando Barrientos (2022)
NIST Security Awareness Study - Jody Jacobs, Julie Haney, & Susanne Furman. Presented at the Federal Information Security Educators' (FISSEA) Fall Forum (September 2021). Recorded presentation
Exploring Government Security Awareness Programs: A Mixed Methods Approach - Jody L. Jacobs, Julie M. Haney, Susanne M. Furman, & Fern Barrientos. Workshop on Security Information Workers and poster session at Symposium on Usable Privacy and Security (2021).
Security Awareness Training for the Workforce: Moving Beyond "Check-the-box" Compliance - Julie M. Haney & Wayne Lutters. Computer (2020).
Security Awareness in Action: A Case Study [extended abstract] - Julie M. Haney & Wayne G. Lutters. 5th Workshop on Security Information Workers (WSIW) at the Symposium on Usable Privacy and Security (SOUPS) (2019).
Cybersecurity Advocates: Force Multipliers in Security Behavior Change - Julie Haney, Wayne Lutters, & Jody Jacobs. IEEE Security and Privacy (2021).
Cybersecurity Advocates: Discovering the Characteristics and Skills for an Emergent Role - Julie M. Haney & Wayne Lutters. Information and Computer Security (2021).
Motivating Cybersecurity Advocates: Implications for Recruitment and Retention - Julie M. Haney & Wayne G. Lutters. ACM SIGMIS Computers & Personnel Research (2019)
"It's Scary...It's Confusing...It's Dull": How Cybersecurity Advocates Overcome Negative Perceptions of Security [presentation] - Julie Haney. Presented at FISSEA Conference (June 27, 2019)
Perceptions of Smart Home Privacy and Security Responsibility, Concerns, and Mitigations - Julie Haney, Susanne Furman, Yasemin Acar, & Mary Theofanos. Extended abstract from poster presented at Symposium on Usable Privacy and Security (SOUPS) (2019).
Investigating Youths' Learning of Online Safety and Privacy from Others: A Discussion of Study Design and Statistical Analysis Considerations - Kerrianne Buchanan, Yee-Yin Choong, and Olivia Murphy. Workshop on Kids' Online Privacy and Security (2022).
Lessons Learned and Suitability of Focus Groups in Security Information Workers Research - Julie M. Haney, Jody L. Jacobs, Fernando Barrientos, & Susanne M. Furman. Proceedings of the HCI for Cybersecurity, Privacy and Trust affiliated conference at HCI International (2022).
The Power of Qualitative Methods: Aha Moments in Exploring Cybersecurity and Trust - Brian C. Stanton, Mary F. Theofanos, Susanne M. Furman, & Sandra S. Prettyman. User Experience Magazine (2016)
The NIST Phish Scale: Method for rating human phishing detection difficulty (tutorial) - Shaneé Dawkins & Jody Jacobs. Presented at Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) (2021).
Scaling the Phish: Advancing the NIST Phish Scale - Fernando Barrientos, Jody Jacobs, & Shaneé Dawkins. Poster session at International Conference on Human-Computer Interaction (HCII) (2021).
The Phish Scale: NIST-Developed Method Helps IT Staff See Why Users Click on Fraudulent Emails (media article) (2020)
The New NIST Phish Scale, Revealing Why End Users Click - Shaneé Dawkins, Kristen Greene, & Jody Jacobs. Presented at SecureWorld Expo (2020)
Categorizing Human Phishing Difficulty: A Phish Scale - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Journal of Cybersecurity (2020)
Introducing Phish Scale (2020)
A Phish Scale: Rating Human Phishing Message Detection Difficulty - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2019)
Phishing Behaviors
No Phishing Beyond This Point - Kristen Greene, Michelle Steves, & Mary Theofanos. IEEE Computer (2018)
You've Been Phished (2018)
ISPAB presentation - User Context: An Explanatory Variable in Phishing Susceptibility - Kristen Greene, Michelle Steves, & Mary Theofanos. (June 21, 2018)
User Context: An Explanatory Variable in Phishing Susceptibility – Kristen K. Greene, Michelle P. Steves, Mary F. Theofanos, & Jennifer Kostick. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2018)
Exploratory Lens Model of Decision-Making in Potential Phishing Attack Scenario - Franklin Tamborello & Kristen Greene. NISTIR 8194 (2017)
Differential Privacy (2018)
Non-breach Privacy Events - Simson L Garfinkel & Mary Theofanos. IEEE Security & Privacy (2018)
Preserving Privacy – More Than Reading a Message - Susanne M. Furman & Mary F. Theofanos. Proceedings of the International Conference on Universal Access in Human-Computer Interaction (2014)
Is Usable Security an Oxymoron? - Mary Theofanos. IEEE Computer (2020).
Shouldn't All Security Be Usable? - Mary Frances Theofanos & Shari Lawrence Pfleeger. IEEE Security & Privacy (2011)
ISPAB Panel on Usable Security – Mary Theofanos & Ellen Kowalczyk (Oct 29, 2010)
Usability Research in Support of Cybersecurity – Mary Theofanos (May 7, 2008)
Poor Usability: The Inherent Insider Threat – Mary Theofanos (Mar 21, 2008)
Pandemic Parallels: What can cybersecurity learn from COVID? - Steven Furnell, Julie Haney, & Mary Theofanos. IEEE Computer (2021)
Be Prepared: How US Government Experts Think About Cybersecurity - Mary F. Theofanos, Brian C. Stanton, Sandra S. Prettyman, Susanne M. Furman, & Simson L. Garfinkel. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2017)
Security Fatigue - Brian C. Stanton, Sandra S. Prettyman, Mary F. Theofanos, & Susanne M. Furman. IT Professional (2016)
Cybersecurity Fatigue (2016)
Privacy and Security in the Brave New World: The Use of Multiple Mental Models - Susanne M. Furman, Mary F. Theofanos, Brian C. Stanton, & Sandra S. Prettyman. Proceedings of HCI International (2015)
Basing Cybersecurity Training on User Perceptions - Susanne M. Furman, Mary Frances Theofanos, Yee-Yin Choong, & Brian Stanton. IEEE Security & Privacy (2012)
Challenges to Building Youth's Online Safety Knowledge from a Family Perspective: Results from a Youth/Parent Dyad Study - Olivia Murphy, Yee-Yin Choong, & Kerrianne Buchanan. Workshop on Kids' Online Privacy and Safety (2022).
Investigating Youths' Learning of Online Safety and Privacy from Others: A Discussion of Study Design and Statistical Analysis Considerations - Kerrianne Buchanan, Yee-Yin Choong, and Olivia Murphy. Workshop on Kids' Online Privacy and Safety (2022).
Parenting Digital Natives in a Tech World: Research Findings of Children's and Parents' Password Knowledge & Practices - Yee-Yin Choong (October 25, 2021)
"Passwords Keep Me Safe" – Understanding What Children Think about Passwords - Mary Theofanos, Yee-Yin Choong, & Olivia Murphy. USENIX Security Symposium (2021)
“Passwords protect my stuff”— A Study of Children’s Password Practices - Yee-Yin Choong, Mary F. Theofanos, Karen Renaud, & Suzanne Prior. Journal of Cybersecurity (December 2019)
Case Study – Exploring Children’s Password Knowledge and Practices - Yee-Yin Choong, Mary F. Theofanos, Karen Renaud, & Suzanne Prior. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2019)
Security and Privacy: authentication, behavior, general security & privacy, privacy, security programs & operations, usability
Technologies: email
Applications: cybersecurity education, cybersecurity workforce, Internet of Things