research-article

Comparative eye tracking of experts and novices in web single sign-on

Authors:

Majid Arianezhad,

Timothy Kelley,

Douglas StebilaAuthors Info & Claims

CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy

Pages 105 - 116

https://doi.org/10.1145/2435349.2435362

Published: 18 February 2013 Publication History

Abstract

Security indicators in web browsers alert users to the presence of a secure connection between their computer and a web server; many studies have shown that such indicators are largely ignored by users in general. In other areas of computer security, research has shown that technical expertise can decrease user susceptibility to attacks.

In this work, we examine whether computer or security expertise affects use of web browser security indicators. Our study takes place in the context of web-based single sign-on, in which a user can use credentials from a single identity provider to login to many relying websites; single sign-on is a more complex, and hence more difficult, security task for users. In our study, we used eye trackers and surveyed participants to examine the cues individuals use and those they report using, respectively.

Our results show that users with security expertise are more likely to self-report looking at security indicators, and eye-tracking data shows they have longer gaze duration at security indicators than those without security expertise. However, computer expertise alone is not correlated with recorded use of security indicators. In survey questions, neither experts nor novices demonstrate a good understanding of the security consequences of web-based single sign-on.

References

[1]

The OAuth 1.0 protocol, April 2010. RFC 5849.

[2]

L. F. Cranor, editor. Proc. 7th Symposium on Usable Privacy and Security (SOUPS) 2011. ACM, 2011.

[3]

R. Dhamija, J. D. Tygar, and M. Hearst. Why phishing works. In Proc. SIGCHI Conference on Human Factors in Computing Systems (CHI) 2006, pages 581--590. ACM, 2006.

Digital Library

[4]

S. Egelman. Trust me: Design patterns for constructing trustworthy trust indicators. PhD thesis, Carnegie Mellon University, April 2009.

Digital Library

[5]

Electronic Frontier Foundation. The EFF SSL Observatory, 2010.

[6]

B. Friedman, D. Hurley, D. C. Howe, E. W. Felten, and H. Nissenbaum. Users' conceptions of web security: a comparative study. In Proc. CHI '02 Extended Abstracts on Human Factors in Computing Systems, pages 746--747. ACM, 2002.

Digital Library

[7]

T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer. Social phishing. Communications of the ACM, 50(10):94--100, October 2007.

Digital Library

[8]

J. Kruschke. Doing Bayesian Data Analysis: A Tutorial with R and BUGS. Academic Press, 1st edition, 2010.

Digital Library

[9]

M. Olson. Janrain social login and social sharing trends across the web for Q3 2012, October 2012.

[10]

OpenID Foundation. Specifications, 2010.

[11]

A. Patrick. Commentary on research on new security indicators, March 2007.

[12]

S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The emperor's new security indicators: An evaluation of website authentication and the effect of role playing on usability studies. In Proc. IEEE Symposium on Security and Privacy (S&P) 2007, pages 51--65. IEEE Press, 2007.

Digital Library

[13]

A. Smith and G. Roberts. Bayesian computation via the Gibbs sampler and related Markov Chain Monte Carlo methods. J. Royal Statistical Society. Series B (Methodological), 55(1):3--23, 1993.

[14]

J. Sobey, R. Biddle, P. van Oorschot, and A. S. Patrick. Exploring user reactions to new browser cues for extended validation certificates. In S. Jajodia and J. Lopez, editors, Proc. 13th European Symposium on Research in Computer Security (ESORICS) 2008, volume 5283 of LNCS, pages 411--427. Springer, 2008.

Digital Library

[15]

A. Sotirakopoulos, K. Hawkey, and K. Beznosov. "I did it because I trusted you": Challenges with the study environment biasing participant behaviours. In SOUPS Usable Security Experiment Reports (USER) Workshop, 2010.

[16]

A. Sotirakopoulos, K. Hawkey, and K. Beznosov. On the challenges in usable security lab studies: Lessons learned from replicating a study on SSL warnings. In Cranor {2}.

Digital Library

[17]

D. Stebila. Reinforcing bad behaviour: the misuse of security indicators on popular websites. In Proc. 22nd Australasian Conf. on Computer-Human Interaction (OzCHI) 2010, pages 248--251. ACM, 2010.

Digital Library

[18]

S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov. What makes users refuse web single sign-on?: an empirical investigation of OpenID. In Cranor {2}, pages 4:1--4:20.

Digital Library

[19]

J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor. Crying wolf: An empirical study of SSL warning effectiveness. In Proc. 18th USENIX Security Symposium, 2009.

Digital Library

[20]

T. Whalen and K. M. Inkpen. Gathering evidence: use of visual security cues in web browsers. In K. M. Inkpen and M. van de Panne, editors, Proc. Graphics Interface 2005, volume 112 of Graphics Interface, pages 137--144. Canadian Human-Computer Communications Society, 2005.

Digital Library

[21]

R. T. Wright and K. Marett. The influence of experiential and dispositional factors in phishing: An empirical investigation of the deceived. J. Management Info. Sys., 27(1):273--303, July 2010.

Digital Library

Cited By

Das SKim DAbbott JCamp LFarzan RLópez CCardoso Llach DQuercia DMustafa MNiu SWong-Villacrés M(2024)User-Centered Phishing Detection through Personalized Edge ComputingCompanion Publication of the 2024 Conference on Computer-Supported Cooperative Work and Social Computing10.1145/3678884.3681864(283-287)Online publication date: 11-Nov-2024
https://dl.acm.org/doi/10.1145/3678884.3681864
Grootjen JWeingärtner HMayer S(2024)Uncovering and Addressing Blink-Related Challenges in Using Eye Tracking for Interactive SystemsProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642086(1-23)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642086
Petrie HSreekumar GShahandashti S(2024)Understanding Users’ Mental Models of Federated Identity Management (FIM): Use of a New Tangible Elicitation MethodHuman Aspects of Information Security and Assurance10.1007/978-3-031-72559-3_21(308-322)Online publication date: 28-Nov-2024
https://doi.org/10.1007/978-3-031-72559-3_21
Show More Cited By

Index Terms

Comparative eye tracking of experts and novices in web single sign-on
1. Human-centered computing
  1. Human computer interaction (HCI)

Recommendations

Reinforcing bad behaviour: the misuse of security indicators on popular websites
OZCHI '10: Proceedings of the 22nd Conference of the Computer-Human Interaction Special Interest Group of Australia on Computer-Human Interaction

Before making a security or privacy decision, Internet users should evaluate several security indicators in their browser, such as the use of HTTPS (indicated via the lock icon), the domain name of the site, and information from extended validation ...
Experts vs. novices: applying eye-tracking methodologies in colonoscopy video screening for polyp search
ETRA '14: Proceedings of the Symposium on Eye Tracking Research and Applications

We present in this paper a novel study aiming at identifying the differences in visual search patterns between physicians of diverse levels of expertise during the screening of colonoscopy videos. Physicians were clustered into two groups -experts and ...
Experts vs. novices: applying eye-tracking methodologies in colonoscopy video screening for polyp search
ETRA '14: Proceedings of the Symposium on Eye Tracking Research and Applications

We present in this paper a novel study aiming at identifying the differences in visual search patterns between physicians of diverse levels of expertise during the screening of colonoscopy videos. Physicians were clustered into two groups -experts and ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy

February 2013

400 pages

ISBN:9781450318907

DOI:10.1145/2435349

General Chairs:
Elisa Bertino
Purdue University, USA
,
Ravi Sandhu
University of Texas at San Antonio, USA
,
Program Chair:
Lujo Bauer
Carnegie Mellon University, USA
,
Publications Chair:
Jaehong Park
University of Texas at San Antonio, USA

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 February 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CODASPY'13

Sponsor:

SIGSAC

CODASPY'13: Third ACM Conference on Data and Application Security and Privacy

February 18 - 20, 2013

Texas, San Antonio, USA

Acceptance Rates

CODASPY '13 Paper Acceptance Rate 24 of 107 submissions, 22%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

19
Total Citations
View Citations
473
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)0

Reflects downloads up to 02 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Das SKim DAbbott JCamp LFarzan RLópez CCardoso Llach DQuercia DMustafa MNiu SWong-Villacrés M(2024)User-Centered Phishing Detection through Personalized Edge ComputingCompanion Publication of the 2024 Conference on Computer-Supported Cooperative Work and Social Computing10.1145/3678884.3681864(283-287)Online publication date: 11-Nov-2024
https://dl.acm.org/doi/10.1145/3678884.3681864
Grootjen JWeingärtner HMayer S(2024)Uncovering and Addressing Blink-Related Challenges in Using Eye Tracking for Interactive SystemsProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642086(1-23)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642086
Petrie HSreekumar GShahandashti S(2024)Understanding Users’ Mental Models of Federated Identity Management (FIM): Use of a New Tangible Elicitation MethodHuman Aspects of Information Security and Assurance10.1007/978-3-031-72559-3_21(308-322)Online publication date: 28-Nov-2024
https://doi.org/10.1007/978-3-031-72559-3_21
Alt FHassib MDistler V(2023)Human-centered Behavioral and Physiological SecurityProceedings of the 2023 New Security Paradigms Workshop10.1145/3633500.3633504(48-61)Online publication date: 18-Sep-2023
https://dl.acm.org/doi/10.1145/3633500.3633504
Karegar FPettersson JFischer-Hübner S(2020)The Dilemma of User Engagement in Privacy NoticesACM Transactions on Privacy and Security10.1145/337229623:1(1-38)Online publication date: 8-Feb-2020
https://dl.acm.org/doi/10.1145/3372296
Katsini CAbdrabou YRaptis GKhamis MAlt FBernhaupt RMueller FVerweij DAndres JMcGrenere JCockburn AAvellino IGoguey ABjørn PZhao SSamson BKocielnik R(2020)The Role of Eye Gaze in Security and Privacy Applications: Survey and Future HCI Research DirectionsProceedings of the 2020 CHI Conference on Human Factors in Computing Systems10.1145/3313831.3376840(1-21)Online publication date: 21-Apr-2020
https://dl.acm.org/doi/10.1145/3313831.3376840
Das SAbbott JGopavaram SBlythe JCamp L(2020)User-Centered Risk Communication for Safer BrowsingFinancial Cryptography and Data Security10.1007/978-3-030-54455-3_2(18-35)Online publication date: 14-Feb-2020
https://dl.acm.org/doi/10.1007/978-3-030-54455-3_2
Kelley TAmon MBertenthal B(2018)Statistical Models for Predicting Threat Detection From Human BehaviorFrontiers in Psychology10.3389/fpsyg.2018.004669Online publication date: 16-Apr-2018
https://doi.org/10.3389/fpsyg.2018.00466
Karegar FGerber NVolkamer MFischer-Hübner SHaddad HWainwright RChbeir R(2018)Helping john to make informed decisions on using social loginProceedings of the 33rd Annual ACM Symposium on Applied Computing10.1145/3167132.3167259(1165-1174)Online publication date: 9-Apr-2018
https://dl.acm.org/doi/10.1145/3167132.3167259
Karegar FLindegren DPettersson JFischer-Hübner S(2018)User Evaluations of an App Interface for Cloud-Based Identity ManagementAdvances in Information Systems Development10.1007/978-3-319-74817-7_13(205-223)Online publication date: 28-Mar-2018
https://doi.org/10.1007/978-3-319-74817-7_13
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten