Workshop on Risk Perception in IT Security and Privacy
The workshop will be held in Northumbria Building 433
9 a.m. Perceptions
- Internet Risk Perception: Severity, Likelihood, and Benefit. Daniel LeBlanc, Robert Biddle
- Too Much, Too Late: What Just-in-Time Notifications Really Indicate. David G. Gordon, Janice Tsai
- Perception of risk of disclosure of health information.
Ester Moher, Khaled El Emam
- Beyond usability: Security Interactions as Risk
Perceptions. L Jean Camp (paper)
10:30 a.m. Break
11 a.m. Mobile
- Risk Management in the Era of BYOD. T. Andrew Yang, Alan T. Yang
(paper and slides)
- Visualizing Risk by Example: Demonstrating Threats Arising
From Android Apps. M. Hettig, E. Kiss, J.-F. Kassel, S. Weber, M. Harbach, M. Smith
- Perceived Security Risks in Mobile Interaction. Larry
Koved, Shari Trewin, Cal Swart, Kapil Singh, Pau-Chen Cheng, Suresh Chari
Noon - Lunch
1 p.m. Infrastructure
- Using Attacker Capabilities and Motivations in Estimating
Security Risk. Lotfi ben Othmane, Harold Weffers, Martijn Klabbers
- Risk Perception in IT Security. Mary Ellen Zurko, Mike Lake
- The Risk of Propagating Standards. Matt Bishop, Candice Hoke
2:30 p.m. Break
3 p.m. Personalization
- Risk Perception and the Acceptance of New Security Technology.
Marian Harbach, Sascha Fahl, Matthew Smith
- Can we afford to remain apathetic towards security apathy?
Alexander Mirnig, Sandra Trösterer, Elke Beck, Manfred Tscheligi
- Should the Users be Informed? On Differences in Risk Perception
between Android and iPhone Users. Zinaida Benenson, Lena Reinfelder
- Towards Optimal Risk Mitigation Through Individualization.
Serge Egelman, Eyal Peer
4:30 p.m. Workshop wrap-up
CALL FOR PAPERS
[plain text] [HTML]
This workshop is an opportunity to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy.
See important dates below.
June 7, 2013, 5pm PDT
June 15, 2013 5pm PDT
Papers are NOT to be anonymized
1-2 page position statements
Use SOUPS MS Word or LaTeX templates
Read this CFP in detail and see the common pitfalls document
Wednesday, July 24, 2013
SCOPE AND FOCUS
Willingness to perform actions for security purposes is strongly determined by the costs and perceived benefit to the individual. When end-users' perceptions of risk are not aligned with organization or system, there is a mismatch in perceived benefit, leading to poor user acceptance of the technology.
For example, organizations face complex decisions when pushing valuable information across the network to mobile devices, web clients, automobiles and other embedded systems. This may impose burdensome security decisions on employees and clients due to the risks of devices being lost or stolen, shoulder surfing, eavesdropping, etc. Effective risk communication can provide a shared understanding of the need for, and benefits of secure approaches and practices.
While risk perception has been studied in non-IT contexts, how well people perceive and react to IT risk is less well understood. How systems measure IT risk, how it is best communicated to users, and how to best align these often misaligned perspectives is poorly understood. Risk taking decisions (policies) are increasingly being pushed out to users who are frequently ill prepared to make complex technical security decisions based on limited information about the consequences of their actions.
In other risk domains we know that non-experts think and respond to risk very differently than experts. Non-experts often rely on affect, and may be unduly influenced by the perceived degree of damage that will be caused. Experts, and risk evaluation systems, use statistical reasoning to assess risk.
The purpose of this workshop is to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy. Topics of interest include:
- Human decision and different attack types: Malware, eavesdropping, inadvertent loss / disclosure of information, phishing, browser attacks, etc.
- Research methods and metrics for assessing perception of risk
- Assessing value of assets and resources at risk
- Communicating and portrayal of risk - security indicators, status indicators, etc.
- Organizational versus personal risk
- The psychology of risk perception
- Behavioral aspects of risk perception
- Real versus perceived risk
- Other topics related to measuring IT risk and/or user perception of IT risk
The goal of this workshop is to explore these and related topics across the broad range of IT security contexts, including enterprise system, personal systems, and especially mobile and embedded systems. This workshop provides an informal and interdisciplinary setting that includes the intersection of security, psychological, and behavioral science. Everyone who attends the workshop participates. Panel discussions will be organized around topics of interest where the workshop participants will be given an opportunity to give brief presentations, which may include current or prior work in this area, as well as pose challenges in IT security and privacy risk perception.
We invite authors to submit the following types of papers using the
SOUPS 2-column formatting template (available here for MS
Word or LaTeX):
We are soliciting 1-2 page position statements that express the nature of your interest in the workshop, the aspects of risk perception of interest to you including the topic(s) that you would like to discuss during the workshop, including the panel discussions. Position statements must be in PDF format, preferably using the SOUPS formatting template(LaTeX or MS Word). Submissions should not be blinded.
Submissions are to be made through EasyChair: https://www.easychair.org/conferences/?conf=rpit2013
Email inquiries may be sent to to: RiskPerception2013@gmail.com.
Paper submission deadline - May 30, 2013, 5pm PDT
Notification of paper acceptance - June 10, 2013 5pm PDT
IBM T. J. Watson Research Center
L Jean Camp