Symposium On Usable Privacy and Security

In-cooperation with USENIX


The entire SOUPS proceedings can be found at the USENIX website, or click below to directly access a specific paper.

Wednesday, July 22


8-9 am
registration, tea/coffee
9-10:30 am
morning workshop sessions part 1
10:30-11 am
11 am-12:30 pm
morning workshop sessions part 2
12:30-1:30 pm
1:30-3 pm
afternoon workshop sessions part 1
3-3:30 pm
3:30-5 pm
afternoon workshop sessions part 2
5:15-7 pm
poster session with dinner reception

Thursday, July 23 – John Karat Day

John Karat

On Thursday, July 23, SOUPS will honor the memory of John Karat with a short tribute during our opening session. If you have a Hawaiian-style shirt, we ask that you wear it on July 23, as that is what John always wore when he attended SOUPS. John was one of the original SOUPS program committee members and a mentor to many in the SOUPS community. John retired as a Research Staff Member at the IBM TJ Watson Research Center in 2010. While at IBM, John conducted HCI research on a variety of topics including privacy, personalization, and information management. John was co-leader of the IBM Privacy Research Institute, established to advance the importance of privacy issues in IT globally. John passed away in June of pancreatic cancer.

8-9 am
9-9:30 am
welcome and awards presentation
Distinguished Poster Awards
Distinguished Paper Award
IAPP SOUPS Privacy Award
9:30-10:30 am
keynote speaker: Valerie Steeves
10:30-11 am
11 am-12:30 pm
session chair: Andrew Patrick
A Design Space for Effective Privacy Notices
Florian Schaub (Carnegie Mellon University), Rebecca Balebako (RAND Corporation), Adam L. Durity (Google), and Lorrie Faith Cranor (Carnegie Mellon University)
"WTH..!?!" Experiences, reactions, and expectations related to online privacy panic situations
Julio Angulo (Karlstad University) and Martin Ortlieb (Google)
“My Data Just Goes Everywhere:” User Mental Models of the Internet and Implications for Privacy and Security [IAPP SOUPS Privacy Award]
Ruogu Kang (HCII, CMU), Laura Dabbish (HCII & Heinz, CMU), Nathaniel Fruchter (Heinz, CMU), and Sara Kiesler (HCII, CMU)
User Perceptions of Sharing, Advertising, and Tracking
Farah Chanchary and Sonia Chiasson (School of Computer Science, Carleton University)
12:30-1:30 pm
1:30-3 pm
session chair: Simson Garfinkel
Leading Johnny to Water: Designing for Usability and Trust
Erinn Atwater, Cecylia Bocovich, Urs Hengartner, Ed Lank, and Ian Goldberg (University of Waterloo)
Usability of Augmented Reality for Revealing Secret Messages to Users but Not Their Devices
Sarah J Andrabi, Michael K Reiter, and Cynthia Sturton (University of North Carolina, Chapel Hill)
Unpacking security policy compliance: Exploring motivators and barriers of employees’ security behaviors
John M Blythe, Lynne Coventry, and Linda Little (PaCT Lab, Northumbria University)

Lightning Talks and Demos : Design and Compliance

Demo How to Conduct an fMRI Study to Examine Usable Privacy and Security. Bonnie Brinton Anderson, C. Brock Kirwan, and Anthony Vance (Brigham Young University).

LT Towards a Model of Information Healthcare. Ivan Flechais (Oxford University).

LT The conundrum of secure email. Scott Ruoti (Brigham Young University).

3-3:30 pm
3:30-5 pm
session chair: Serge Egelman
"I Added '!' At The End To Make It Secure": Observing Password Creation in the Lab
Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor (Carnegie Mellon University)
Social Media as a Resource of Security Experiences: A Qualitative Analysis of #Password Tweets
Paul Dunphy, Vasilis Vlachokyriakos, and Anja Thieme (Newcastle University), James Nicholson (Northumbria University), John McCarthy (University College Cork), and Patrick Olivier (Newcastle University)
“I’m Stuck!”: A Contextual Inquiry of People with Visual Impairment in Authentication
Bryan Dosono, Jordan Hayes, and Yang Wang (Syracuse University)

Lightning Talks and Demos : Authentication Experience

Demo Usable Transparency with the Data Track: A tool for visualizing data disclosures. Julio Angulo, Simone Fischer-Hübner, Tobias Pulls, Erik Wästlund (Karlstad University).

LT Usability is Not Enough: Design for Security Engagement. Ame Elliott (Simply Secure).

LT Seniors’ online safety and social isolation - addressing two problems with one design approach. Cosmin Munteanu (University of Toronto).

5:30-8 pm
The SOUPS dinner will be held at the Canadian Museum of History Guests will have an opportunity to tour the museum before dinner. Busses will leave Carleton at 5:15 pm. Dinner will be served at 7 pm. Busses will return to Carleton and Albert@Bay Hotel at 8, 8:30, and 9 pm.

Friday, July 24

8-9 am
9-10:30 am
session chair: Alain Forget
Where Have You Been? Using Location-Based Security Questions for Fallback Authentication
Alina Hang (Media Informatics Group, University of Munich (LMU)), Alexander De Luca (Google), Michael Richter (Media Informatics Group, University of Munich (LMU)), Matthew Smith (Usable Security and Privacy Lab, University of Bonn), and Heinrich Hussmann (Media Informatics Group, University of Munich (LMU))
The Impact of Cues and User Interaction on the Memorability of System-Assigned Recognition-Based Graphical Passwords
Mahdi Nasrullah Al-Ameen, Kanis Fatema, Matthew Wright, and Shannon Scielzo (The University of Texas at Arlington)
On the Memorability of System-generated PINs: Can Chunking Help?
Jun Ho Huh (Honeywell ACS Labs), Hyoungshick Kim (Sungkyunkwan University), Rakesh B. Bobba (Oregon State University), Masooda N. Bashir (University of Illinois, Urbana-Champaign), and Konstantin Beznosov (University of British Columbia)
Evaluating the Effectiveness of Using Hints for Autobiographical Authentication: A Real Life Study
Yusuf Albayram and Mohammad Maifi Hasan Khan (Department of Computer Science and Engineering University of Connecticut)
10:30-11 am
11 am-12:30 pm
session chair: Sonia Chiasson
Usability and Security Perceptions of Implicit Authentication: Convenient, Secure, Sometimes Annoying
Hassan Khan, Urs Hengartner, and Daniel Vogel (University of Waterloo)
Understanding the Inconsistencies between Text Descriptions and the Use of Privacy-sensitive Resources of Mobile Apps
Takuya Watanabe (Waseda University), Mitsuaki Akiyama (NTT), and Tetsuya Sakai, Hironori Washizaki, and Tatsuya Mori (Waseda University)
On the Impact of Touch ID on iPhone Passcodes
Ivan Cherapau, Ildar Muslukhov, Nalin Asanka, and Konstantin Beznosov (The University of British Columbia)
Learning Random Secrets for Unlocking Mobile Devices
Stuart Schechter (Microsoft Research) and Joseph Bonneau (Stanford University & EFF)
12:30-1:30 pm
1:30-3 pm
session chair: Matthew Smith
Too Much Knowledge? Security Beliefs and Protective Behaviors Among US Internet Users
Rick Wash and Emilee Rader (Michigan State University)
Security Practices for Households Bank Customers in the Kingdom of Saudi Arabia.
Deena Alghamdi, Ivan Flechais, and Marina Jirotka (Oxford University)
" one can hack my mind": Comparing Expert and Non-Expert Security Practices
Iulia Ion, Rob Reeder, and Sunny Consolvo (Google)
A Human Capital Model for Mitigating Security Analyst Burnout [Distinguished Paper Award]
Sathya Chandran Sundaramurthy, Alexandru G. Bardas, Jacob Case, Xinming Ou, and Michael Wesch (Kansas State University), John McHugh (RedJack LLC), and Siva Raj Rajagopalan (Honeywell ACS)
3-3:15 pm
3:15-4:30 pm
panel: Influenced or Ill-Advised? Ethical Considerations for Persuasive Technology in Usable Security

This panel will discuss the ethical aspects of designing and deploying persuasive technology in the area of usable security. In some cases it is clear what the obvious desired behaviours are and as such designing persuasive systems is both desirable and achievable. However, in many cases it is not always clear – or unanimously agreed amongst the community – what the target behaviour should be. Especially in these cases it is questionable what the role of persuasive technology is and whether it should be deployed at all in these situations.

  • Robert Biddle (Carleton University)
  • Lynne Coventry (Northumbria University)
  • Serge Egelman (UC Berkeley)
  • Stuart Schechter (Microsoft Research)
  • Rebecca Balebako (RAND Corporation)
  • Moderator: James Nicholson (Northumbria University)
4:30 pm
SOUPS social


Online Privacy For Kids: What Works, What Doesn't

Valerie Steeves Valerie Steeves, B.A., J.D., Ph.D. is an Associate Professor in the Department of Criminology at the University of Ottawa in Ottawa, Canada. She is the lead researcher on MediaSmart's Young Canadian in a Wired World project (YCWW), which has been tracking young people's use of new media since 1999. With Jane Bailey, she co-leads the eGirls Project, an examination of the performance of gender on social media. She is also a co-editor of Transparent Lives: Surveillance in Canada, a 2014 multi-disciplinary report that maps out seven main trends in emerging surveillance practices, and the author of a series of award-winning multi-media games designed to teach young people how to protect their human rights online. Professor Steeves received her J.D. from the University of Toronto and was called to the Bar of Ontario in 1984.

SOUPS 2015 Posters

What to do when your cover's been blown: Public perceptions of re-identification attacks
Ester Moher (Children's Hospital of Eastern Ontario), Khaled El Emam (University of Ottawa, Children's Hospital of Eastern Ontario)
H4Plock: Supporting Mobile User Authentication through Gestural Input and Tactile Output
Abdullah Ali (University of Maryland, Baltimore County), Ravi Kuber (University of Maryland, Baltimore County), Adam J. Aviv (United States Naval Academy)
Protecting Personal Health Information: The Roles of Context, Framing and Priming in Privacy-Related Choices
Vanessa Boothroyd (Privacy Analytics, Inc.), Ester Moher (University of Ottawa, Children's Hospital of Eastern Ontario), Khaled El Emam (Privacy Analytics, Inc., CHEO)
Alternative Keyboard Layouts for Improved Password Entry and Creation on Mobile Devices
Ethan Genco, Ryan Kelly, Cody Vernon, Adam J. Aviv (United States Naval Academy)
Do bigger grids sizes mean better passwords? 3x3 vs. 4x4 Grid Sizes for Android Unlock Patterns
Devon Budzitowski (United States Naval Academy), Adam J. Aviv (United States Naval Academy), Ravi Kuber (University of Maryland, Baltimore County)
Using Authorization Logic to Capture User Policies in Mobile Ecosystems
Joseph Hallett, David Aspinal (University of Edinburgh)
How I Learned To Be Secure: Advice Sources and Personality Factors in Cybersecurity
Elissa M. Redmiles, Amelia Malone, Michelle L. Mazurek (University of Maryland)
User-Generated Free-Form Gestures for Authentication: Security and Memorability
Michael Sherman, Gradeigh D. Clark, Yulong Yang, Shridatt Sugrim (Rutgers University), Arttu Modig (University of Helsinki), Janne Lindqvist (Rutgers University), Antti Oulasvirta (Max Planck Institute for Informatics and Saarland University), Teemu Roos (University of Helsinki)
Who is behind the Onion? Understanding Tor-Relay Operators
Hsiao-Ying Huang, Masooda Bashir (University of Illinois at Urbana-Champaign)
Using Signal Detection Theory to Measure Phishing Detection Ability and Behavior
Casey Canfield, Baruch Fischhoff, Alex Davis (Carnegie Mellon University)
Usability Problems with Password Creation Systems: Results from Expert and User Evaluation
Saja Althubaiti, Helen Petrie (University of York)
A Framework for Comparative Usability Studies on Secure Device Pairing
Achal Channarasappa, Pranita Ramakrishnan, Joshua Tan, Jeremy Thomas (Carnegie Mellon University)
An Investigation into a Usable Identity Binding Service
Tristan Lewis (MITRE), William Kim, Jill L. Drury (MITRE)
Burning Up Privacy on Tinder
Cali Stenson, Ana Balcells, Megan Chen (Wellesley College)
Why aren't Users Using Protection? Investigating the Usability of Smartphone Locking
Nicholas Micallef (Glasgow Caledonian University), Mike Just (Heriot-Watt University), Lynne Baillie (Heriot-Watt University), Martin Halvey (Strathclyde University), Gunes Kayacik (FICO)
Towards a Model of Information Healthcare for Household Data Security
Ivan Flechais (University of Oxford)
Geo-Phisher: The Design of a Global Phishing Trend Visualization Tool
Leah Zhang-Kennedy, Elias Fares, Sonia Chiasson, Robert Biddle (Carleton University)
How Do Experts Manage Their Passwords?
Elizabeth Stobert, Robert Biddle (Carleton University)
Improving Older Adults' Online Security: An Exercise in Participatory Design
Cosmin Munteanu (University of Toronto Mississauga), Calvin Tennakoon, Jillian Garner, Alex Goel, Mabel Ho, Clare Shen, Richard Windeyer (University of Toronto)
Password Strength Meters using Social Influence
Takahiro Ohyama, Akira Kanaoka (Toho University)
A Decade of SOUPS: An Analysis of Ingredients
Therese L. Williams, Nitin Agarwal, Rolf T. Wigand (University of Arkansas at Little Rock)
Authentication melee: A usability analysis of seven web authentication systems
Scott Ruoti, Brent Roberts, Kent Seamons (Brigham Young University)
Distinguished Poster Award
Measuring the Contribution of Novices in Penetration Testing
Rebecca Balebako, Akhil Shah, Kenneth Kuhn, Sherban Drulea, Christopher Skeels, Lara Schmidt (RAND Corporation)
You Can Do Better — Motivational Statements in Password-Meter Feedback
David Eargle (University of Pittsburgh), John Godfrey, Hsin Miao, Scott Stevenson, Rich Shay, Blase Ur, Lorrie Cranor (Carnegie Mellon University)
Distinguished Poster Award
Password Rehearsal Memory Games
Michael Lutaaya, Sonia Chiasson (Carleton University)
Comparisons of Data Collection Methods for Android Graphical Pattern Unlock
Adam J. Aviv (United States Naval Academy), Jeanne Luning-Prak (Broadneck High School)
Collaborative Security Code-Review: Towards Aiding Developers Ensure Software-Security
Hala Assal, Jeff Wilson, Sonia Chiasson, Robert Biddle (Carleton University)
Preliminary Investigation on Psychological Traits of Users Prone to be damaged by Cyber-attack
Takeaki Terada, Yoshinori Katayama, Satoru Torii, Hiroshi Tsuda (Fujitsu Limited)
Your Location has been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging
Hazim Almuhimedi, Florian Schaub, Norman Sadeh (Carnegie Mellon University), Idris Adjerid (University of Notre Dame), Alessandro Acquisti, Joshua Gluck, Lorrie Faith Cranor, Yuvraj Agarwal (Carnegie Mellon University)
Distinguished Poster Award
Digital signature services for users - Improving user experience to support trust among work partners
Lorraine Tosi, Aurélien Bénel, Karine Lan (Université de Technologie de Troyes)