The human element is often considered the weakest element in security. Although many kinds of humans interact with systems that are designed to be secure, one particular type of human is especially important, the security and privacy information workers who develop, use, and manipulate privacy and security-related information and data as a significant part of their jobs. Security/privacy information workers include:
This workshop aims to develop and stimulate discussion about security information workers. We will consider topics including but not limited to:
Successful submissions to this workshop will explicitly be informed by an understanding of how security/privacy information workers do their jobs, and the results will explicitly address how we understand these workers.
We solicit papers describing new research contributions in this area as well as case studies,
work in progress, preliminary results, novel ideas, and position papers. Papers should be atmost six pages (excluding references) using the SOUPS template format (MS Word or LaTeX).
Submissions should be fully anonymized. Submissions may be made at https://wsiw2021.usenix.hotcrp.com/.
A word about paper length. Papers should be succinct, but thorough in presenting the work. Typical papers will be 5-6 pages long (plus references) but papers can be shorter (e.g. 2-3 pages) if, for example, they present an novel idea with limited preliminary results or a position likely to drive a lively discussion. Shorter, more focused papers are encouraged and will be reviewed like any other paper. If you only need 2 or 4 pages (plus references) to clearly explain your work or idea, please submit a paper of that length. Reviewers will be instructed to assess the value of the talk to the workshop audience irrespective of the paper length; however, we stress again that the presentation should be sufficiently thorough for reviewers to make this evaluation.
Workshop papers will be made available to attendees prior to the workshop. However, they will not appear in the official SOUPS proceedings. Paper presentations will be approximately 10-12 minutes in length followed by 5 minutes of questions and answers. Presentations will be made remotely using Zoom.
The workshop will feature a keynote talk and paper presentations, as well as breakout sessions to provide an opportunity for smaller group interactive discussion about related topics of interest, which may include methods, challenges, and future directions in security information workers research.
The deadline for submissions is June 10th 23:59 AoE (extended)
May 27 23:59 AoE (Anywhere on Earth).
Sunday, August 8, 2021, 11:00 – 14:30 Eastern Daylight Time
|11:00 – 11:15
|Welcome and workshop agenda
|11:15 – 11:35
|A Privacy Testbed for IT Professionals: Use Cases and Design Considerations - Joseph Gardiner (University of Bristol), Mohammad Tahaei (University of Bristol), Jacob Halsey (University of Bristol), Tariq Elahi (University of Edinburgh), Awais Rashid (University of Bristol)
Abstract: We propose a testbed to assist IT professionals in evaluating privacy properties of software systems. The goal of the testbed, currently under construction, is to help IT professionals systematically evaluate and understand the privacy behavior of applications. We first provide three use cases to support developers and privacy engineers, and then describe key design considerations for the testbed.
|11:35 – 11:55
|Exploring Government Security Awareness Programs: A Mixed-Methods Approach – Jody Jacobs, Julie Haney, Susanne Furman, Fern Barrientos (National Institute of Standards and Technology)
Abstract: Organizational security awareness programs are often underfunded and rely on part-time security awareness professionals who may lack sufficient background, skills, or re-sources necessary to manage an effective and engaging program. U.S. government organizations, in particular, face challenges due to strict security awareness requirements that often result in success being measured by training completion rates rather than impact on employees’ attitudes and behaviors. However, no prior research has explored security awareness in the government sector. To address this gap, we are conducting an in-progress, mixed-methods research effort to understand the needs, challenges, and practices of U.S. government security awareness programs. This understanding will inform the creation of resources for security awareness professionals, including examples of successful practices and strategies, lessons learned, and suggestions for building a team having the appropriate knowledge and skills. While focused on the U.S. government, our findings may also have implications for organizational security awareness programs in other sectors.
|11:55 – 12:15
|Components of a Model of Cybersecurity Behavior Adoption – Cori Faklaris (Carnegie Mellon University)
Abstract: Our research focuses on understanding how attitudes and social influences act on end users in the process of cybersecurity behavior adoption (or non-adoption). This work draws on five expectancy-value models and on four stage models that have been applied successfully in social psychology, marketing, and public health. In this talk, we will first give an overview of these models. We then will present the progress of our empirical mixed-methods research to validate a model of cybersecurity behavior adoption that identifies the relevant (1) attitudes and (2) social influences acting at each step, along with (3) tech characteristics that are associated with sustained adoption. We will conclude with remarks on how our work can be of use to cybersecurity teams tasked with boosting awareness and/or adoption.
|12:15 – 12:30
|12:30 – 13:30
|Keynote: Choosing Better Open Source: Lessons from the Real World – Michaela Demeter (Intel)
|13:30 – 13:45
|13:45 – 14:05
|What Makes Security-Related Code Examples Different - Azadeh Mokhberi, Tiffany Quon, Konstantin Beznosov (University of British Columbia)
Abstract: Developers relying on code examples (CEs) in software engineering can impact code security. We Developers relying on code examples (CEs) in software engineering can impact code security. We conducted semi-structured interviews with seven professional developers to investigate developers’ habits, challenges, and strategies in the life cycle of using security-related code examples (SRCEs), with a focus on exploring the differences between security- and non-security-related CEs. Results indicate that a lack of adequately differentiating between SRCEs and non-security-related code examples (NSRCEs) is a reason for introducing vulnerabilities into the code. We found that developers had a habit of reusing vulnerable code from their previous projects. This code reuse unintentionally introduced the same vulnerability into new projects, while that vulnerability had already been fixed in later iterations of the original resource the CE had been taken from. Our results highlight that professional developers need the same number of such CEs even as they gain experience over time, while this may not be the case for NSRCEs.
|14:05 – 14:25
|Recording of Personal Health Information in the Age of Smartphones - Raghav V. Sampangi (Dalhousie University), Carla Ann Heggie (Dalhousie University), Simeon Kanev (Alliance for Healthier Communities)
Abstract: The ubiquity of smartphones and other mobile devices offers a range of conveniences, including giving patients the ability to record discussions during healthcare appointments that may contain medical advice and opinion, which constitute personal health information (PHI). We explore the dimensions of re-cording PHI, with a focus on privacy, ethics, and security aspects of these type of recordings in the Canadian context. We note that there does not appear to be much guidance in healthcare policy which dictates the boundaries of the relationship between the patient and healthcare professional. In Canadian law, the concept of one party consent allows patients to record interactions with healthcare professionals without the need for their consent. While not illegal, this could result in issues such as erosion of trust, changed power dynamics, accountability, etc. In this paper, we recommend guidelines, founded in Privacy by Design fundamental principles, for application developers to inform patients or caregivers about the potential risks of recording their interactions with healthcare professionals. Our next steps are to evaluate the guidelines we recommend, to continue exploring the various dimensions around recording and PHI, and to develop and evaluate technological solutions for the same.
|14:25 – 14:30
|Workshop paper submission deadline
|Thursday June 10, 2021 (extended)
|Workshop paper acceptance notification to authors
|Monday, June 21, 2021
|Workshop camera-ready papers due
|Wednesday, June 30, 2021
|Sunday, August 8, 2021