U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

Usable Cybersecurity

Research Publications & Presentations

Topics:


Legend: Papers paper icon   Presentations presentation icon   Videos video icon    Research Posters poster icon

Authentication 

Authentication Diary Study

Report: Authentication Diary Study paper icon – Michelle P. Steves & Mary F. Theofanos. NISTIR 7983 (2014)


Digital Identity Guidelines

Digital Identity Guidelines: Enrollment and Identity Proofing Requirements paper icon – Paul Grassi, James Fenton, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, & Mary Theofanos. SP 800-63A (2017)

Digital Identity Guidelines: Authentication and Lifecycle Management paper icon – Paul Grassi, Elaine Newton, Ray Perliner, Andrew Regenscheid, James Fenton, William Burr, Justin Richter, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, & Mary Theofanos. SP 800-63B (2017)

Digital Identity Guidelines: Federation and Assertions paper icon – Paul Grassi, Ellen Nadeau, Justin Richer, Sarah Squire, James Fenton, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, & Mary Theofanos. SP 800-63C (2017)


Memory and Motor

Memory and Motor Processes of Password Entry Error paper icon - Frank Tamborello & Kristen Greene. Proceedings of the Human Factors and Ergonomics Society Annual Meeting (2016)

Password Entry Errors: Memory or Motor?  report icon - Kristen Greene & Frank Tamborello. Proceedings of the 13th International Conference on Cognitive Modeling (2015)

ACT-R Modeling of Password Entry Errors poster icon - Kristen Greene & Franklin Tamborello. Proceedings of the 24th Conference on Behavior Representation in Modeling and Simulation (2015)

Electrodermal Activity and Eye Movements Inform the Usability of Passwords poster icon - Jennifer R. Bergstrom, Kristen Greene, David C. Hawkins, & Christian Gonzalez. Proceedings of the 44th Annual Meeting of the Society for Neuroscience (2014)


Mobile Authentication

Usability and Security Considerations for Public Safety Mobile Authentication paper icon - Yee-Yin Choong, Joshua M. Franklin, & Kristen Greene. NISTIR 8080 (2016)

Measuring the Usability and Security of Permuted Passwords on Mobile Platforms paper icon - Kristen Greene, John M. Kelsey, & Joshua M. Franklin. NISTIR 8040 (2016)

Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry paper icon video icon - Kristen Greene, Joshua M. Franklin, & John M. Kelsey. Proceedings of ShmooCon (2015)

I Can't Type That! P@$$w0rd Entry on Mobile Devices paper icon - Kristen Greene, Melissa A. Gallagher, Brian C. Stanton, & Paul Y. Lee. Proceedings of HCI International (2014)


Multi-factor Authentication

Usability of PIV Smartcards for Logical Access paper icon - Mary F. Theofanos, Emile L. Morse, Hannah Wald, Yee-Yin Choong, Celeste Paul, & Aiping L. Zhang. NISTIR 7867 (2012)

A Field Study of User Behavior and Perception in Smartcard Authentication paper icon  - Emile L. Morse, Celeste L. Paul, Aiping L. Zhang, Yee-Yin Choong, & Mary F. Theofanos. Proceedings of the 13th IFIP TC13 Conference on Human-Computer Interaction (INTERACT) (2011)

PIV Pilot Usability Lessons Learned presentation icon – Mary Theofanos (Nov 8, 2010)


Password Creation and Use

Must I, can I? I don’t understand your ambiguous password rules paper icon  – Kristen K. Greene & Yee-Yin Choong. Information and Computer Security (2017)

Secure and Usable Enterprise Authentication: Lessons from the Field paper icon - Mary F. Theofanos, Simson L. Garfinkel, & Yee-Yin Choong. IEEE Security & Privacy (2016)

What's a Special Character Anyway? Effects of Ambiguous Terminology in Password Rules paper icon  - Yee-Yin Choong & Kristen Greene. Proceedings of the Human Factors and Ergonomics Society Annual Meeting (2016)

Password Usability presentation icon - Yee-Yin Choong (Oct 23, 2015)

Employee Password Usability Study presentation icon - Yee-Yin Choong (Sep 10, 2015)

What 4,500+ people can tell you – Employees' Attitudes toward Organizational Password Policy Do Matter paper icon  - Yee-Yin Choong & Mary F. Theofanos. Proceedings of the 3rd International Conference on Human Aspects of Information Security, Privacy, and Trust (2015)

Effects of Password Permutation on Subjective Usability Across Platforms paper icon  - Kristen Greene. Proceedings of HCI International (2015)

Human Generated Passwords - The Impacts of Password Requirements and Presentation Styles paper icon  - Paul Y. Lee & Yee-Yin Choong. Proceedings of HCI International (2015)

The Authentication Equation: A Tool to Visualize the Convergence of Security and Usability of Text-Based Passwords paper icon  - Cathryn A. Ploehn & Kristen Greene Proceedings of HCI International (2015)

Development of a Scale to Assess the Linguistic and Phonological Difficulty of Passwords paper icon - Jennifer R. Bergstrom, Stefan A. Frisch, David C. Hawkins, Joy Hackenbracht, Kristen Greene, Mary F. Theofanos, & Brian Griepentrog. Proceedings of the 6th International Conference on Cross-Cultural Design (2014)

United States Federal Employees' Password Management Behaviors paper icon  – A Department of Commerce Case Study - Yee-Yin Choong, Mary F. Theofanos, & Hung-Kung Liu. NISTIR 7991 (2014)

Character Strings, Memory and Passwords: What a Recall Study Can Tell Us paper icon  - Brian C. Stanton & Kristen K. Greene. Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust (HAS) (2014)

A Cognitive-Behavioral Framework of User Password Management Lifecycle paper icon  – Yee-Yin Choong. Proceedings of HCI International (2014)


Password Policy Analysis

Password Policy Languages: Usable Translation from the Informal to the Formal paper icon – Michelle Steves, Mary Theofanos, Celia Paulsen, & Athos Ribeiro. Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust (2015)

Clear, Unambiguous Password Policies: An Oxymoron? paper icon  – Michelle Steves, Kevin Killourhy, & Mary F. Theofanos Proceedings of the 6th International Conference on Cross-Cultural Design (2014)

Taxonomic Rules for Password Policies: Translating the Informal to the Formal Language paper icon - Kevin Killourhy, Yee-Yin Choong, & Mary Theofanos. NISTIR 7970 (2013)

Usability Research in Support Of Cyber-Security: A Password Policy Taxonomy presentation icon – Kevin Killourhy (May 7, 2008)

 

Youth Passwords - see Youth Security

 

Cryptography

Organizational Cryptographic Product Development

Organizational Views of NIST Cryptographic Standards and Testing and Validation Programs paper icon  – Julie Haney, Mary Theofanos, Yasemin Acar, & Sandra S. Prettyman. NISTIR 8241 (2018)

"We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products paper icon  - Julie M. Haney,  Mary F. Theofanos, Yasemin Acar & Sandra S. Prettyman. Proceedings of the Symposium on Usable Privacy and Security (SOUPS) (2018). 

Organizational Practices in Cryptographic Development and Testing paper icon  - Julie M. Haney, Simson L. Garfinkel, & Mary F. Theofanos. Proceedings of the IEEE Conference on Communications and Network Security (CNS) (2017). 


Usable Key Management

Usability and Key Management presentation icon – Mary Theofanos (Jun 8, 2009)

 

Cybersecurity Adoption and Awareness

Cybersecurity Awareness and Training

Measuring the Effectiveness of U.S. Government Security Awareness Programs: A Mixed-Methods Study paper icon - Jody L. Jacobs, Julie M. Haney, & Susanne M. Furman. Workshop on Security Information Workers (2022).

An Investigation of Roles, Backgrounds, Knowledge, and Skills of U.S. Government Security Awareness Professionals  paper icon- Julie M. Haney, Jody L. Jacobs, & Susanne M. Furman. ACM SIGMIS Computers and People Research Conference (2022).

NIST Cybersecurity Role-based Training Study Presentation presentation icon - Jody Jacobs, Julie Haney, & Susanne Furman. Presented at the Federal Information Security Educators' (FISSEA) Spring Forum (2022). Recorded presentation  video icon

NISTIR 8420 “Federal Cybersecurity Awareness Programs: A Mixed Methods Research Study” paper icon - Julie Haney, Jody Jacobs, Susanne Furman, & Fernando Barrientos (2022)

NISTIR 8420A “Approaches and Challenges of Federal Cybersecurity Awareness Programs” paper icon - Julie Haney, Jody Jacobs, Susanne Furman, & Fernando Barrientos (2022)

NISTIR 8420B “The Federal Cybersecurity Awareness Workforce: Professional Backgrounds, Knowledge, Skills, and Development Activities” paper icon - Julie Haney, Jody Jacobs, Susanne Furman, & Fernando Barrientos (2022)

NIST Security Awareness Study  presentation icon- Jody Jacobs, Julie Haney, & Susanne Furman. Presented at the Federal Information Security Educators' (FISSEA) Fall Forum (September 2021). Recorded presentation video icon

Exploring Government Security Awareness Programs: A Mixed Methods Approach paper icon - Jody L. Jacobs, Julie M. Haney, Susanne M. Furman, & Fern Barrientos. Workshop on Security Information Workers and poster session at Symposium on Usable Privacy and Security (2021). 

Security Awareness Training for the Workforce: Moving Beyond "Check-the-box" Compliance paper icon - Julie M. Haney & Wayne Lutters. Computer (2020).

Security Awareness in Action: A Case Study [extended abstract] paper icon- Julie M. Haney & Wayne G. Lutters. 5th Workshop on Security Information Workers (WSIW) at the Symposium on Usable Privacy and Security (SOUPS) (2019).

 

Cybersecurity Advocates

Cybersecurity Advocates: Force Multipliers in Security Behavior Change paper icon - Julie Haney, Wayne Lutters, & Jody Jacobs. IEEE Security and Privacy (2021).

Cybersecurity Advocates: Discovering the Characteristics and Skills for an Emergent Role report icon - Julie M. Haney & Wayne Lutters. Information and Computer Security (2021).

Motivating Cybersecurity Advocates: Implications for Recruitment and Retention paper icon - Julie M. Haney & Wayne G. Lutters.  ACM SIGMIS Computers & Personnel Research (2019)

"It's Scary...It's Confusing...It's Dull": How Cybersecurity Advocates Overcome Negative Perceptions of Security [presentation] presentation icon - Julie Haney. Presented at FISSEA Conference (June 27, 2019)

 

Internet of Things

Consumer Perspectives on Loss of Support for Smart Home Devices paper icon - Julie M. Haney & Susanne M. Furman. 6th Workshop on Technology and Consumer Protection (ConPro '22) (2022). 
 
"It's the Company, the Government, You and I": User Perceptions of Responsibility for Smart Home Privacy and Security paper icon - Julie Haney, Yasemin Acar, & Susanne Furman. USENIX Security Symposium (2021).
 
Smart Home Consumers' Privacy and Security Perceptions and Practices presentation icon - Julie Haney and Susanne Furman. Presented at Smart City and Smart Home Virtual Exhibition (2020). Recorded presentation video icon
 
NISTIR 8330 Research Report: User Perceptions of Smart Home Security and Privacy paper icon - Julie M. Haney, Susanne M. Furman, & Yasemin Acar (2020).
 
Toward Usable Updates for Smart Home Devices document image - Julie M. Haney & Susanne M. Furman. Workshop on Socio-technical Aspects in Security (STAST) (2020).
 
Smart Home Updates: User Perceptions and Experiences poster icon - Julie M. Haney & Susanne M. Furman. Poster presented at Symposium on Usable Privacy and Security (SOUPS) (2020).
 
Smart Home Security and Privacy Mitigations: Consumer Perceptions, Practices, and Challenges paper icon - Julie M. Haney, Susanne M. Furman, & Yasemin Acar. Proceedings of the HCI for Cybersecurity, Privacy and Trust affiliated conference at HCI International (2020).
 
Human Factors in Smart Home Technologies Workshop Summary Report paper icon - Susanne Furman & Julie Haney. (2019)
 
Consumer Perceptions of Smart Home Privacy and Security presentation icon - Julie Haney, Susanne Furman, & Yasemin Acar. Presented at the NIST Human Factors in Smart Home Technologies Workshop (September 24, 2019)
 

Perceptions of Smart Home Privacy and Security Responsibility, Concerns, and Mitigations paper icon- Julie Haney, Susanne Furman, Yasemin Acar, & Mary Theofanos. Extended abstract from poster presented at Symposium on Usable Privacy and Security (SOUPS) (2019).

 

Methodologies

Investigating Youths' Learning of Online Safety and Privacy from Others: A Discussion of Study Design and Statistical Analysis Considerations paper icon - Kerrianne Buchanan, Yee-Yin Choong, and Olivia Murphy. Workshop on Kids' Online Privacy and Security (2022).

Lessons Learned and Suitability of Focus Groups in Security Information Workers Research paper icon - Julie M. Haney, Jody L. Jacobs, Fernando Barrientos, & Susanne M. Furman. Proceedings of the HCI for Cybersecurity, Privacy and Trust affiliated conference at HCI International (2022).

The Power of Qualitative Methods: Aha Moments in Exploring Cybersecurity and Trust paper icon  - Brian C. Stanton, Mary F. Theofanos, Susanne M. Furman, & Sandra S. Prettyman. User Experience Magazine (2016)

 

Phishing

NIST Phish Scale

 The NIST Phish Scale: Method for rating human phishing detection difficulty (tutorial) presentation icon - Shaneé Dawkins & Jody Jacobs. Presented at Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) (2021).

Scaling the Phish: Advancing the NIST Phish Scale paper icon - Fernando Barrientos, Jody Jacobs, & Shaneé Dawkins. Poster session at International Conference on Human-Computer Interaction (HCII) (2021).

The Phish Scale: NIST-Developed Method Helps IT Staff See Why Users Click on Fraudulent Emails (media article) (2020)

The New NIST Phish Scale, Revealing Why End Users Click  presentation icon - Shaneé Dawkins, Kristen Greene, & Jody Jacobs. Presented at SecureWorld Expo (2020)

Categorizing Human Phishing Difficulty: A Phish Scale paper icon - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Journal of Cybersecurity (2020)

Introducing Phish Scale video icon (2020)

A Phish Scale: Rating Human Phishing Message Detection Difficulty paper icon - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2019)

 

Phishing Behaviors

No Phishing Beyond This Point paper icon  - Kristen Greene, Michelle Steves, & Mary Theofanos. IEEE Computer (2018)

You've Been Phished video icon (2018)

ISPAB presentation - User Context: An Explanatory Variable in Phishing Susceptibility presentation icon- Kristen Greene, Michelle Steves, & Mary Theofanos. (June 21, 2018)

User Context: An Explanatory Variable in Phishing Susceptibility paper icon  – Kristen K. Greene, Michelle P. Steves, Mary F. Theofanos, & Jennifer Kostick. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2018)

Exploratory Lens Model of Decision-Making in Potential Phishing Attack Scenario paper icon - Franklin Tamborello & Kristen Greene. NISTIR 8194 (2017)

 

Privacy

Differential Privacy video icon (2018)

Non-breach Privacy Events paper icon - Simson L Garfinkel & Mary Theofanos. IEEE Security & Privacy (2018)

Preserving Privacy – More Than Reading a Message paper icon - Susanne M. Furman & Mary F. Theofanos. Proceedings of the International Conference on Universal Access in Human-Computer Interaction (2014)

 

Usable Security (general)

Is Usable Security an Oxymoron? paper icon - Mary Theofanos. IEEE Computer (2020).

Shouldn't All Security Be Usable? paper icon  - Mary Frances Theofanos & Shari Lawrence Pfleeger. IEEE Security & Privacy (2011)

ISPAB Panel on Usable Security presentation icon – Mary Theofanos & Ellen Kowalczyk (Oct 29, 2010)

Usability Research in Support of Cybersecurity presentation icon – Mary Theofanos (May 7, 2008)

Poor Usability: The Inherent Insider Threat presentation icon  – Mary Theofanos (Mar 21, 2008)

 

User Perceptions & Behaviors

Pandemic Parallels: What can cybersecurity learn from COVID? report icon - Steven Furnell, Julie Haney, & Mary Theofanos. IEEE Computer (2021)

Be Prepared: How US Government Experts Think About Cybersecurity paper icon  - Mary F. Theofanos, Brian C. Stanton, Sandra S. Prettyman, Susanne M. Furman, & Simson L. Garfinkel. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2017)

Security Fatigue paper icon  - Brian C. Stanton, Sandra S. Prettyman, Mary F. Theofanos, & Susanne M. Furman. IT Professional (2016)

Cybersecurity Fatigue video icon (2016)

Privacy and Security in the Brave New World: The Use of Multiple Mental Models paper icon  - Susanne M. Furman, Mary F. Theofanos, Brian C. Stanton, & Sandra S. Prettyman. Proceedings of HCI International (2015)

Basing Cybersecurity Training on User Perceptions paper icon  - Susanne M. Furman, Mary Frances Theofanos, Yee-Yin Choong, & Brian Stanton. IEEE Security & Privacy (2012)

 

Youth Security

Challenges to Building Youth's Online Safety Knowledge from a Family Perspective: Results from a Youth/Parent Dyad Study paper icon - Olivia Murphy, Yee-Yin Choong, & Kerrianne Buchanan. Workshop on Kids' Online Privacy and Safety (2022).

Investigating Youths' Learning of Online Safety and Privacy from Others: A Discussion of Study Design and Statistical Analysis Considerations paper icon - Kerrianne Buchanan, Yee-Yin Choong, and Olivia Murphy. Workshop on Kids' Online Privacy and Safety (2022).

Parenting Digital Natives in a Tech World: Research Findings of Children's and Parents' Password Knowledge & Practices presentation icon - Yee-Yin Choong (October 25, 2021)

"Passwords Keep Me Safe" – Understanding What Children Think about Passwords report icon - Mary Theofanos, Yee-Yin Choong, & Olivia Murphy. USENIX Security Symposium  (2021)

“Passwords protect my stuff”— A Study of Children’s Password Practices paper icon- Yee-Yin Choong, Mary F. Theofanos, Karen Renaud, & Suzanne Prior. Journal of Cybersecurity (December 2019)

Case Study – Exploring Children’s Password Knowledge and Practices paper icon - Yee-Yin Choong, Mary F. Theofanos, Karen Renaud, & Suzanne Prior. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2019)

Created November 17, 2016, Updated September 07, 2022