Empirical and Behavioral Security

Usable Security

Understanding and Changing User Behavior. User-Friendly Cryptographic Tools. Privacy and Security in IoT.


Disruptive technologies are proliferating ever more rapidly, and ever more devices are interconnected and exchange data. Besides plenty of opportunities, this always-online paradigm also poses significant challenges to users. Because the underlying information-sharing models are difficult to understand, it is difficult to gauge the downstream effects of choices, and hence managing security and privacy has become complex beyond human capabilities. Moreover, tools to ensure one's privacy and security are often hard to use or, worse, get in users' way rather than supporting them. The result is that the Internet ecosystem is highly susceptible to a variety of attacks and to the disclosure of sensitive information, simply because the human element in security is often left unattended. We address this by focusing on the core human, behavioral aspects of information security and privacy. Our goal is to understand why humans at different levels of expertise struggle with security systems and how we can design easily usable security systems that fulfill the actual needs of the user.


Understanding and Changing User Behavior. Human error is responsible for the majority of security breaches. We study why users are often incapable of making sound security decisions by investigating their mental models and reasoning behind decision-making. Based on these findings, we apply user-oriented design approaches to design security mechanisms that matter to users. We thereby focus on different groups of users ranging from knowledgeable administrators who manage complex infrastructures to end users.

Making Cryptographic Tools More User-Friendly. Cryptographic tools and protocols have become an essential part of today's Internet. Users at different levels of expertise interact with these concepts but, lacking an understanding of cryptographic fundamentals, often fail to use them in the most secure manner. To address this, we focus on improving the usability of cryptographic protocols, ranging from end users interacting with cryptocurrencies to administrators and developers interacting with TLS, NaCl and other cryptographic APIs.

Privacy and Security in the Internet of Things. Due to the digitization of everyday things, users, bystanders and their environment are continuously monitored by cameras and other integrated sensors. This poses major challenges for digital privacy, but before we can provide the support users need, we must understand what users perceive as threats to their privacy and learn how to express the risks they take. To this end, we study user-friendly and tangible privacy mediation in connected environments.