Title: Workshop on Risk Perception in IT Security and Privacy
http://cups.cs.cmu.edu/soups/2013/risk.html

SCOPE AND FOCUS

Willingness to perform actions for security purposes is strongly determined by the costs and perceived benefit to the individual. When end-users' perceptions of risk are not aligned with those of the organization or system, there is a mismatch in perceived benefit, leading to poor user acceptance of the technology.

For example, organizations face complex decisions when pushing valuable information across the network to mobile devices, web clients, automobiles and other embedded systems. This may impose burdensome security decisions on employees and clients due to the risks of devices being lost or stolen, shoulder surfing, eavesdropping, etc. Effective risk communication can provide a shared understanding of the need for, and benefits of, secure approaches and practices.

While risk perception has been studied in non-IT contexts, how well people perceive and react to IT risk is less well understood. How systems measure IT risk, how it is best communicated to users, and how to best align these often misaligned perspectives are poorly understood. Risk-taking decisions (policies) are increasingly being pushed out to users who are frequently ill-prepared to make complex technical security decisions based on limited information about the consequences of their actions.

In other risk domains we know that non-experts think about and respond to risk very differently than experts. Non-experts often rely on affect, and may be unduly influenced by the perceived degree of damage that will be caused. Experts, and risk evaluation systems, use statistical reasoning to assess risk.

The purpose of this workshop is to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy.

Topics of interest include:

* Human decision and different attack types: Malware, eavesdropping, inadvertent loss / disclosure of information, phishing, browser attacks, etc.
* Research methods and metrics for assessing perception of risk
* Assessing value of assets and resources at risk
* Communication and portrayal of risk - security indicators, status indicators, etc.
* Organizational versus personal risk
* The psychology of risk perception
* Behavioral aspects of risk perception
* Real versus perceived risk
* Other topics related to measuring IT risk and/or user perception of IT risk

The goal of this workshop is to explore these and related topics across the broad range of IT security contexts, including enterprise systems, personal systems, and especially mobile and embedded systems. This workshop provides an informal and interdisciplinary setting that includes the intersection of security, psychological, and behavioral science.

Everyone who attends the workshop participates. Panel discussions will be organized around topics of interest where the workshop participants will be given an opportunity to give brief presentations, which may include current or prior work in this area, as well as pose challenges in IT security and privacy risk perception.

SUBMISSIONS

We are soliciting 1-2 page position statements that express the nature of your interest in the workshop and the aspects of risk perception of interest to you, including the topic(s) that you would like to discuss during the workshop and its panel discussions. Position statements must be in PDF format, preferably using the SOUPS formatting template (LaTeX or MS Word). Submissions should not be blinded.

Submissions are to be made through EasyChair: https://www.easychair.org/conferences/?conf=rpit2013

Email inquiries may be sent to: RiskPerception2013@gmail.com.

IMPORTANT DATES

Submission: May 30, 2012
Notification of acceptance: June 10, 2013

ORGANIZERS:

Larry Koved
IBM T. J. Watson Research Center
koved@us.ibm.com

L Jean Camp
Indiana University
ljcamp@indiana.edu