7th Workshop on Security Information Workers

The human element is often considered the weakest element in security. Although many kinds of humans interact with systems that are designed to be secure, one particular type of human is especially important, the security and privacy information workers who develop, use, and manipulate privacy and security-related information and data as a significant part of their jobs. Security/privacy information workers include:

  • Software developers, who design and build software that manages and protects sensitive information;
  • Security and system administrators, who deploy and manage security-sensitive software and hardware systems;
  • IT professionals whose decisions have impact on end users' security and privacy;
  • Intelligence analysts, who collect and analyze data about security matters to understand information and make predictions;
  • Security consultants and educators, who provide guidance to individuals and organizations on practicing good security behaviors and implementing security technologies; and
  • Privacy engineers and professionals, who ensure that privacy considerations are built into products and who help develop privacy policies

This workshop aims to develop and stimulate discussion about security information workers. We will consider topics including but not limited to:

  • Empirical studies of security/privacy information workers, including case studies, experiments, field studies, and surveys;
  • New tools designed to assist security/privacy information workers;
  • Infrastructure for better understanding security/privacy information workers;
  • Information visualization and other techniques designed to help security/privacy information workers do their jobs;
  • Evaluations of tools and techniques for security/privacy information workers

Successful submissions to this workshop will explicitly be informed by an understanding of how security/privacy information workers do their jobs, and the results will explicitly address how we understand these workers.

We solicit papers describing new research contributions in this area as well as case studies, work in progress, preliminary results, novel ideas, and position papers. Papers should be atmost six pages (excluding references) using the SOUPS template format (MS Word or LaTeX).
Submissions should be fully anonymized. Submissions may be made at https://wsiw2021.usenix.hotcrp.com/.

A word about paper length. Papers should be succinct, but thorough in presenting the work. Typical papers will be 5-6 pages long (plus references) but papers can be shorter (e.g. 2-3 pages) if, for example, they present an novel idea with limited preliminary results or a position likely to drive a lively discussion. Shorter, more focused papers are encouraged and will be reviewed like any other paper. If you only need 2 or 4 pages (plus references) to clearly explain your work or idea, please submit a paper of that length. Reviewers will be instructed to assess the value of the talk to the workshop audience irrespective of the paper length; however, we stress again that the presentation should be sufficiently thorough for reviewers to make this evaluation.

Workshop papers will be made available to attendees prior to the workshop. However, they will not appear in the official SOUPS proceedings. Paper presentations will be approximately 10-12 minutes in length followed by 5 minutes of questions and answers. Presentations will be made remotely using Zoom.

The workshop will feature a keynote talk and paper presentations, as well as breakout sessions to provide an opportunity for smaller group interactive discussion about related topics of interest, which may include methods, challenges, and future directions in security information workers research.

The deadline for submissions is June 10th 23:59 AoE (extended) May 27 23:59 AoE (Anywhere on Earth).

You can find out more at http://security-information-workers.org/
or by emailing wsiw@sec.uni-hannover.de.

Agenda

Sunday, August 8, 2021, 11:00 – 14:30 Eastern Daylight Time

Time
11:00 – 11:15 Welcome and workshop agenda
11:15 – 11:35A Privacy Testbed for IT Professionals: Use Cases and Design Considerations - Joseph Gardiner (University of Bristol), Mohammad Tahaei (University of Bristol), Jacob Halsey (University of Bristol), Tariq Elahi (University of Edinburgh), Awais Rashid (University of Bristol)
Abstract: We propose a testbed to assist IT professionals in evaluating privacy properties of software systems. The goal of the testbed, currently under construction, is to help IT professionals systematically evaluate and understand the privacy behavior of applications. We first provide three use cases to support developers and privacy engineers, and then describe key design considerations for the testbed.
11:35 – 11:55Exploring Government Security Awareness Programs: A Mixed-Methods Approach – Jody Jacobs, Julie Haney, Susanne Furman, Fern Barrientos (National Institute of Standards and Technology)
Abstract: Organizational security awareness programs are often underfunded and rely on part-time security awareness professionals who may lack sufficient background, skills, or re-sources necessary to manage an effective and engaging program. U.S. government organizations, in particular, face challenges due to strict security awareness requirements that often result in success being measured by training completion rates rather than impact on employees’ attitudes and behaviors. However, no prior research has explored security awareness in the government sector. To address this gap, we are conducting an in-progress, mixed-methods research effort to understand the needs, challenges, and practices of U.S. government security awareness programs. This understanding will inform the creation of resources for security awareness professionals, including examples of successful practices and strategies, lessons learned, and suggestions for building a team having the appropriate knowledge and skills. While focused on the U.S. government, our findings may also have implications for organizational security awareness programs in other sectors.
11:55 – 12:15Components of a Model of Cybersecurity Behavior Adoption – Cori Faklaris (Carnegie Mellon University)
Abstract: Our research focuses on understanding how attitudes and social influences act on end users in the process of cybersecurity behavior adoption (or non-adoption). This work draws on five expectancy-value models and on four stage models that have been applied successfully in social psychology, marketing, and public health. In this talk, we will first give an overview of these models. We then will present the progress of our empirical mixed-methods research to validate a model of cybersecurity behavior adoption that identifies the relevant (1) attitudes and (2) social influences acting at each step, along with (3) tech characteristics that are associated with sustained adoption. We will conclude with remarks on how our work can be of use to cybersecurity teams tasked with boosting awareness and/or adoption.
12:15 – 12:30Break
12:30 – 13:30Keynote: Choosing Better Open Source: Lessons from the Real World – Michaela Demeter (Intel)
13:30 – 13:45Break
13:45 – 14:05What Makes Security-Related Code Examples Different - Azadeh Mokhberi, Tiffany Quon, Konstantin Beznosov (University of British Columbia)
Abstract: Developers relying on code examples (CEs) in software engineering can impact code security. We Developers relying on code examples (CEs) in software engineering can impact code security. We conducted semi-structured interviews with seven professional developers to investigate developers’ habits, challenges, and strategies in the life cycle of using security-related code examples (SRCEs), with a focus on exploring the differences between security- and non-security-related CEs. Results indicate that a lack of adequately differentiating between SRCEs and non-security-related code examples (NSRCEs) is a reason for introducing vulnerabilities into the code. We found that developers had a habit of reusing vulnerable code from their previous projects. This code reuse unintentionally introduced the same vulnerability into new projects, while that vulnerability had already been fixed in later iterations of the original resource the CE had been taken from. Our results highlight that professional developers need the same number of such CEs even as they gain experience over time, while this may not be the case for NSRCEs.
14:05 – 14:25Recording of Personal Health Information in the Age of Smartphones - Raghav V. Sampangi (Dalhousie University), Carla Ann Heggie (Dalhousie University), Simeon Kanev (Alliance for Healthier Communities)
Abstract: The ubiquity of smartphones and other mobile devices offers a range of conveniences, including giving patients the ability to record discussions during healthcare appointments that may contain medical advice and opinion, which constitute personal health information (PHI). We explore the dimensions of re-cording PHI, with a focus on privacy, ethics, and security aspects of these type of recordings in the Canadian context. We note that there does not appear to be much guidance in healthcare policy which dictates the boundaries of the relationship between the patient and healthcare professional. In Canadian law, the concept of one party consent allows patients to record interactions with healthcare professionals without the need for their consent. While not illegal, this could result in issues such as erosion of trust, changed power dynamics, accountability, etc. In this paper, we recommend guidelines, founded in Privacy by Design fundamental principles, for application developers to inform patients or caregivers about the potential risks of recording their interactions with healthcare professionals. Our next steps are to evaluate the guidelines we recommend, to continue exploring the various dimensions around recording and PHI, and to develop and evaluate technological solutions for the same.
14:25 – 14:30Closing remarks

Important Dates

Workshop paper submission deadlineThursday June 10, 2021 (extended) May 27, 2021
Workshop paper acceptance notification to authorsMonday, June 21, 2021
Workshop camera-ready papers dueWednesday, June 30, 2021
WorkshopSunday, August 8, 2021

Registration

To register for WSIW'21 please visit https://umdsurvey.umd.edu/jfe/form/SV_bjFxZUu7zv0fYpw.

Quarterly WSIW

Our third quarterly WSIW event will be May 3 at 11:00am EDT to 12:30pm! If you’d like to do a short talk on a WIP, have a suggestion for a speaker, or want to talk about another topic of interest to the community, send a quick email with a short description of the talk to wsiw@sec.uni-hannover.de. Looking forward to “seeing” you all and having some great discussions!
We do have a slack channel - email us if you want to be invited. The agenda for the third quarterly WSIW event is available here.

Organizing Committee / Program Committee Chairs

Web Chair