July 24-26, 2013
Newcastle, UK


Call for papers





Workshop on Risk Perception in IT Security and Privacy


The workshop will be held in Northumbria Building 433

9 a.m. Perceptions

  • Internet Risk Perception: Severity, Likelihood, and Benefit. Daniel LeBlanc, Robert Biddle
  • Too Much, Too Late: What Just-in-Time Notifications Really Indicate. David G. Gordon, Janice Tsai
  • Perception of risk of disclosure of health information. Ester Moher, Khaled El Emam (paper, slides)
  • Beyond usability: Security Interactions as Risk Perceptions. L Jean Camp (paper)

10:30 a.m. Break

11 a.m. Mobile

  • Risk Management in the Era of BYOD. T. Andrew Yang, Alan T. Yang (not presented) (paper and slides)
  • Visualizing Risk by Example: Demonstrating Threats Arising From Android Apps. M. Hettig, E. Kiss, J.-F. Kassel, S. Weber, M. Harbach, M. Smith (paper, slides)
  • Perceived Security Risks in Mobile Interaction. Larry Koved, Shari Trewin, Cal Swart, Kapil Singh, Pau-Chen Cheng, Suresh Chari (paper)

Noon - Lunch

1 p.m. Infrastructure

  • Using Attacker Capabilities and Motivations in Estimating Security Risk. Lotfi ben Othmane, Harold Weffers, Martijn Klabbers (paper)
  • Risk Perception in IT Security. Mary Ellen Zurko, Mike Lake (paper, slides)
  • The Risk of Propagating Standards. Matt Bishop, Candice Hoke (paper, slides)

2:30 p.m. Break

3 p.m. Personalization

  • Risk Perception and the Acceptance of New Security Technology. Marian Harbach, Sascha Fahl, Matthew Smith (paper, slides)
  • Can we afford to remain apathetic towards security apathy? Alexander Mirnig, Sandra Trösterer, Elke Beck, Manfred Tscheligi (paper, slides)
  • Should the Users be Informed? On Differences in Risk Perception between Android and iPhone Users. Zinaida Benenson, Lena Reinfelder (paper, slides)
  • Towards Optimal Risk Mitigation Through Individualization. Serge Egelman, Eyal Peer (slides)

4:30 p.m. Workshop wrap-up



This workshop is an opportunity to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy.

See important dates below.

Submission Deadline: June 7, 2013, 5pm PDT
Notification Deadline: June 15, 2013 5pm PDT
Anonymization: Papers are NOT to be anonymized
Length: 1-2 page position statements
Formatting: Use SOUPS MS Word or LaTeX templates
Submission site:
More guidance: Read this CFP in detail and see the common pitfalls document
Workshop Date: Wednesday, July 24, 2013


Willingness to perform actions for security purposes is strongly determined by the costs and perceived benefit to the individual. When end-users' perceptions of risk are not aligned with those of the organization or system, there is a mismatch in perceived benefit, leading to poor user acceptance of the technology.

For example, organizations face complex decisions when pushing valuable information across the network to mobile devices, web clients, automobiles and other embedded systems. This may impose burdensome security decisions on employees and clients due to the risks of devices being lost or stolen, shoulder surfing, eavesdropping, etc. Effective risk communication can provide a shared understanding of the need for, and benefits of, secure approaches and practices.

While risk perception has been studied in non-IT contexts, how well people perceive and react to IT risk is less well understood. How systems measure IT risk, how it is best communicated to users, and how to best align these often misaligned perspectives are poorly understood. Risk-taking decisions (policies) are increasingly being pushed out to users who are frequently ill-prepared to make complex technical security decisions based on limited information about the consequences of their actions.

In other risk domains we know that non-experts think and respond to risk very differently than experts. Non-experts often rely on affect, and may be unduly influenced by the perceived degree of damage that will be caused. Experts, and risk evaluation systems, use statistical reasoning to assess risk.

The purpose of this workshop is to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy. Topics of interest include:

  • Human decision and different attack types: Malware, eavesdropping, inadvertent loss / disclosure of information, phishing, browser attacks, etc.
  • Research methods and metrics for assessing perception of risk
  • Assessing value of assets and resources at risk
  • Communication and portrayal of risk - security indicators, status indicators, etc.
  • Organizational versus personal risk
  • The psychology of risk perception
  • Behavioral aspects of risk perception
  • Real versus perceived risk
  • Other topics related to measuring IT risk and/or user perception of IT risk

The goal of this workshop is to explore these and related topics across the broad range of IT security contexts, including enterprise systems, personal systems, and especially mobile and embedded systems. This workshop provides an informal and interdisciplinary setting that includes the intersection of security, psychological, and behavioral science. Everyone who attends the workshop participates. Panel discussions will be organized around topics of interest where the workshop participants will be given an opportunity to give brief presentations, which may include current or prior work in this area, as well as pose challenges in IT security and privacy risk perception.


We invite authors to submit the following types of papers using the SOUPS 2-column formatting template (available here for MS Word or LaTeX):

We are soliciting 1-2 page position statements that express the nature of your interest in the workshop and the aspects of risk perception of interest to you, including the topic(s) that you would like to discuss during the workshop, including in the panel discussions. Position statements must be in PDF format, preferably using the SOUPS formatting template (LaTeX or MS Word). Submissions should not be blinded.

Submissions are to be made through EasyChair:

Email inquiries may be sent to:


Paper submission deadline - May 30, 2013, 5pm PDT
Notification of paper acceptance - June 10, 2013 5pm PDT


Larry Koved
IBM T. J. Watson Research Center

L Jean Camp
Indiana University