Title: "Perfect is the Enemy of Good": The CISO's Role in Enterprise Security as a Business Enabler
Abstract: Chief Information Security Officers (CISOs) are responsible for setting and executing organizations' information security strategies. This role has only grown in importance as a result of today's increasingly high-stakes threat landscape. To understand these key decision-makers, we interviewed 16 current and former CISOs to understand how they build a security strategy and the day-to-day obstacles that they face. Throughout, we find that the CISO role is strongly shaped by a business enablement perspective, driven by broad organizational goals beyond solely technical protection. Within that framing, we describe the most salient concerns for CISOs, isolate key decision-making factors they use when prioritizing security investments, and surface practical complexities and pain points that they face in executing their strategy. Our results surface opportunities to help CISOs better navigate the complex task of managing organizational risk, as well as lessons for how security tools can be made more deployable in practice.
Year: 2025 | Authors: Kimberly Ruth et al. | Affiliation: Stanford University | Topics: Cybersecurity Training & Awareness | Venue: CHI

Title: A Qualitative Study of Adoption Barriers and Challenges for Passwordless Authentication in German Public Administrations
Abstract: Public administrations provide critical services and manage sensitive data for a country's citizens. Recent phishing campaigns targeting public sector employees highlight their attractiveness as targets. Deploying state-of-the-art authentication technologies, such as FIDO2, can improve overall security. We conducted a mixed-methods study in Germany to better understand the practices and challenges of deploying passwordless authentication in the public sector. First, we conducted an online survey (N=108) among German public sector employees to gain insights into their experiences and challenges. Next, we partnered with an e-government vendor and performed an in-situ experiment. We let 11 employees from the public sector experience FIDO2 under real-world conditions. Our results show that only a minority of our participants were aware of current passwordless authentication procedures. In our experiment, FIDO2-based methods left an overall positive impression. Hierarchical and heterogeneous public sector structures and the need for more technical expertise and equipment were barriers to adoption.
Year: 2025 | Authors: Jan-Ulrich Holtgrave et al. | Affiliation: CISPA Helmholtz Center for Information Security | Topics: Passwords & Authentication; Privacy Perception & Decision-Making | Venue: CHI

Title: A Qualitative Study on How Usable Security and HCI Researchers Judge the Size and Importance of Odds Ratio and Cohen's d Effect Sizes
Abstract: Researchers often place a strong focus on statistical significance when reporting the results of statistical tests. However, effect sizes are reported less frequently, and interpretation in the context of the study and the research field is even rarer. These interpretations of effect sizes are, however, necessary to understand the practical importance of a result for the community. To explore how Usable Security & Privacy (USP) and HCI researchers interpret effect sizes and make judgments on practical importance, we conducted survey and interview studies with a total of 63 researchers at CHI and SOUPS 2023. Our studies focused on Cohen's d and odds ratios in two USP and one HCI scenario. We analyzed which artifacts researchers consider when judging effect size, and found misconceptions and variation between the participants, highlighting how difficult judging statistics can be. Based on our findings, we make concrete recommendations for improved reporting practices around effect sizes.
Year: 2025 | Authors: Anna-Marie Ortloff et al. | Affiliation: University of Bonn | Topics: User Research Methods (Interviews, Surveys, Observation); Research Ethics & Open Science | Venue: CHI

Title: Understanding the Security Advice Mechanisms of Low Socioeconomic Pakistanis
Abstract: Low socioeconomic populations face severe security challenges while being unable to access traditional written advice resources. We present the first study to explore the security advice landscape of low socioeconomic people in Pakistan. With 20 semi-structured interviews, we uncover how they learn and share security advice and what factors enable or limit their advice sharing. Our findings highlight that they heavily rely on community advice and intermediation to establish and maintain security-related practices (such as passwords). We uncover how shifting social environments shape advice dissemination, e.g., across different workplaces. Participants leverage their social structures to protect each other against threats that exploit their financial vulnerability and lack of digital literacy. However, we uncover barriers to social advice mechanisms, limiting their effectiveness, which may lead to increased security and privacy risks. Our results lay the foundation for rethinking security paradigms and advice for this vulnerable population.
Year: 2025 | Authors: Sumair Ijaz Hashmi et al. | Affiliation: CISPA Helmholtz Center for Information Security; Saarland University | Topics: Privacy by Design & User Control; Dark Patterns Recognition; Empowerment of Marginalized Groups | Venue: CHI

Title: Permission Rationales in the Web Ecosystem: An Exploration of Rationale Text and Design Patterns
Abstract: Modern web applications use features like camera and geolocation for personalized experiences, requiring user permission via browser prompts. To explain these requests, applications provide rationales: contextual information on why permissions are needed. Despite their importance, little is known about how often rationales appear on the web or their influence on user decisions. This paper presents the first large-scale study of how the web ecosystem handles permission rationales, covering three areas: (i) identifying webpages that use permissions, (ii) detecting and classifying permission rationales, and (iii) analyzing their attributes to understand their impact on user decisions. We examined over 770K webpages from Chrome telemetry, finding 3.6K unique rationale texts and 749 rationale UIs across 85K pages. We extracted key rationale attributes and assessed their effect on user behavior by cross-referencing them with Chrome telemetry data. Our findings reveal nine key insights, providing the first evidence of how different rationales affect user decisions.
Year: 2025 | Authors: Yusra Elbitar et al. | Affiliation: CISPA Helmholtz Center for Information Security | Topics: Passwords & Authentication; Privacy Perception & Decision-Making | Venue: CHI

Title: A Comparative Long-Term Study of Fallback Authentication Schemes
Abstract: Fallback authentication, the process of re-establishing access to an account when the primary authenticator is unavailable, holds critical significance. Approaches range from secondary channels like email and SMS to personal knowledge questions (PKQs) and social authentication. A key difference to primary authentication is that the duration between enrollment and authentication can be much longer, typically months or years. However, few systems have been studied over extended timeframes, making it difficult to know how well these systems truly help users recover their accounts. We also lack meaningful comparisons of schemes, as most prior work examined two mechanisms at most. We report the results of a long-term user study of the usability of fallback authentication over 18 months to provide a fair comparison of the four most commonly used fallback authentication methods. We show that users prefer email and SMS-based methods, while mechanisms based on PKQs and trustees lag regarding successful resets and convenience.
Year: 2024 | Authors: Leona Lassak et al. | Affiliation: Ruhr University Bochum | Topics: Passwords & Authentication; Privacy Perception & Decision-Making | Venue: CHI

Title: Analyzing Security and Privacy Advice During the 2022 Russian Invasion of Ukraine on Twitter
Abstract: The Russian invasion of Ukraine in 2022 resulted in a rapidly changing cyber threat environment globally and incentivized the sharing of security and privacy advice on social media. Previous research found a strong impact of online security advice on end-user behavior. Twitter is an important platform for sharing information in crises. We examined 306 tweets with security and privacy advice related to the Ukrainian war, and created a taxonomy of 224 unique pieces of advice in seven categories, targeted at individuals or organizations in Ukraine and elsewhere. While our findings include untargeted and generic advice known from previous research, we identify novel advice specific to the invasion, offers for individual consultation, and misinformation on security and privacy advice as a new threat. Our findings highlight the strengths and shortcomings of the security and privacy advice given online during the invasion and establish areas for improvements and future research.
Year: 2024 | Authors: Juliane Schmüser et al. | Affiliation: CISPA | Topics: Privacy by Design & User Control; Privacy Perception & Decision-Making; Online Harassment & Counter-Tools | Venue: CHI

Title: Mental Models, Expectations and Implications of Client-Side Scanning: An Interview Study with Experts
Abstract: Client-Side Scanning (CSS) is discussed as a potential solution to contain the dissemination of child sexual abuse material (CSAM). A significant challenge associated with this debate is that stakeholders have different interpretations of the capabilities and frontiers of the concept and its varying implementations. In this paper, we explore stakeholders' understandings of the technology and the expectations and potential implications in the context of CSAM by conducting and analyzing 28 semi-structured interviews with a diverse sample of experts. We identified mental models of CSS and the expected challenges. Our results show that CSS is often a preferred solution in the child sexual abuse debate due to the lack of an alternative. Our findings illustrate the importance of further interdisciplinary discussions to define and comprehend the impact of CSS usage on society, particularly vulnerable groups such as children.
Year: 2024 | Authors: Divyanshu Bhardwaj et al. | Affiliation: CISPA Helmholtz Center for Information Security | Topics: Privacy by Design & User Control; Privacy Perception & Decision-Making; Technology Ethics & Critical HCI | Venue: CHI

Title: In Focus, Out of Privacy: The Wearer's Perspective on the Privacy Dilemma of Camera Glasses
Abstract: The rising popularity of camera glasses challenges societal norms of recording bystanders and thus requires efforts to mediate privacy preferences. We present the first study on the wearers' perspectives and explore privacy challenges associated with wearing camera glasses when bystanders are present. We conducted a micro-longitudinal diary study (N=15) followed by exit interviews with existing users and people without prior experience. Our results show that wearers consider the currently available privacy indicators ineffective. They believe the looks and interaction design of the glasses conceal the technology from unaware people. Due to the lack of effective privacy-mediating measures, wearers feel emotionally burdened with preserving bystanders' privacy. We furthermore elicit how this sentiment impacts their usage of camera glasses and highlight the need for technical and non-technical solutions. Finally, we compare the wearers' and bystanders' perspectives and discuss the design space of a future privacy-preserving ecosystem for wearable cameras.
Year: 2024 | Authors: Divyanshu Bhardwaj et al. | Affiliation: CISPA Helmholtz Center for Information Security | Topics: Privacy by Design & User Control; Privacy Perception & Decision-Making; Participatory Design | Venue: CHI

Title: Investigating Security Folklore: A Case Study on the Tor over VPN Phenomenon
Abstract: Users face security folklore in their daily lives in the form of security advice, myths, and word-of-mouth stories. Using a VPN to access the Tor network, i.e., Tor over VPN, is an interesting example of security folklore because of its inconclusive security benefits and its occurrence in pop-culture media. Following the Theory of Reasoned Action, we investigated the phenomenon with three studies: (1) we quantified the behavior on real-world Tor traffic and measured a prevalence of 6.23%; (2) we surveyed users' intentions and beliefs, discovering that they try to protect themselves from the Tor network or increase their general security; and (3) we analyzed online information sources, suggesting that perceived norms and ease-of-use play a significant role while behavioral beliefs about the purpose and effect are less crucial in spreading security folklore. We discuss how to communicate security advice effectively and combat security misinformation and misconceptions.
Year: 2023 | Authors: Matthias Fassl et al. | Topics: Security and Privacy | Venue: CSCW

Title: A Psychometric Scale to Measure Individuals' Value of Other People's Privacy (VOPP)
Abstract: Researchers have invested enormous efforts to understand and mitigate the concerns of users as technologies collect their private data. However, users often undermine other people's privacy when, e.g., posting other people's photos online, granting mobile applications access to their contacts, or using technologies that continuously sense their surroundings. Research to understand technology adoption and behaviors related to collecting and sharing data about non-users has been severely lacking. An essential step to progress in this direction is to identify and quantify factors that affect technology's use. Toward this goal, we propose and validate a psychometric scale to measure how much an individual values other people's privacy. We theoretically grounded the appropriateness and relevance of the construct and empirically demonstrated the scale's internal consistency and validity. This scale will advance the field by enabling researchers to predict behaviors, design adaptive privacy-enhancing technologies, and develop interventions to raise awareness and mitigate privacy risks.
Year: 2023 | Authors: Rakibul Hasan et al. | Affiliation: Arizona State University | Topics: AI Ethics, Fairness & Accountability; Privacy by Design & User Control; Privacy Perception & Decision-Making | Venue: CHI

Title: Why I Can't Authenticate -- Understanding the Low Adoption of Authentication Ceremonies with Autoethnography
Abstract: Authentication ceremonies detect and mitigate Man-in-the-Middle (MitM) attacks on end-to-end encrypted messengers, such as Signal, WhatsApp, or Threema. However, prior work found that adoption remains low as non-expert users have difficulties using them correctly. Anecdotal evidence suggests that security researchers also have trouble authenticating others. Since their issues are probably unrelated to user comprehension or usability, the root causes may lie deeper. This work explores these root causes using autoethnography. The first author kept a five-month research diary of their experience with authentication ceremonies. The results uncover points of failure while planning and conducting authentication ceremonies. They include cognitive load, forgetfulness, social awkwardness, and explanations required by a communication partner. Additionally, this work identifies and discusses how sociocultural aspects affect authentication ceremonies. Lastly, this work discusses a design approach for cooperative security that employs cultural transcoding to improve sociocultural aspects of security by design.
Year: 2023 | Authors: Matthias Fassl et al. | Affiliation: CISPA Helmholtz Center for Information Security | Topics: Passwords & Authentication; Privacy Perception & Decision-Making; Dark Patterns Recognition | Venue: CHI

Title: Exploring User-Centered Security Design for Usable Authentication Ceremonies
Abstract: Security technology often follows a systems design approach that focuses on components instead of users. As a result, the users' needs and values are not sufficiently addressed, which has implications for security usability. In this paper, we report our lessons learned from applying a user-centered security design process to a well-understood security usability challenge, namely key authentication in secure instant messaging. Users rarely perform these key authentication ceremonies, which makes their end-to-end encrypted communication vulnerable. Our approach includes collaborative design workshops, an expert evaluation, iterative storyboard prototyping, and an online evaluation. While we could not demonstrate that our design approach resulted in improved usability or user experience, we found that user-centered prototypes can increase the users' comprehension of security implications. Hence, prototypes based on users' intuitions, needs, and values are useful starting points for approaching long-standing security challenges. Applying complementary design approaches may improve usability and user experience further.
Year: 2021 | Authors: Matthias Fassl et al. | Affiliation: CISPA Helmholtz Center for Information Security, Saarland University | Topics: Privacy by Design & User Control; Passwords & Authentication | Venue: CHI