Workshop on Security Fatigue

All sessions will be held in Denver Ballroom 5–6 unless otherwise noted.
Papers are available for download below to registered attendees now and to everyone beginning June 22, 2016. Paper abstracts are available to everyone now. Copyright to the individual works is retained by the author[s].


Wednesday, June 22, 2016

1:40 pm–1:45 pm Wednesday

Welcome Remarks

Sandra Spickard Prettyman, President, Culture Catalyst

1:40 pm–2:00 pm Wednesday

Introduction to Security Fatigue

Brian Stanton, National Institute of Standards and Technology (NIST) and SOUPS 2016 Organizer

2:00 pm–3:00 pm Wednesday

Papers

Beliefs about Cybersecurity Rules and Passwords: A Comparison of Two Survey Samples of Cybersecurity Professionals Versus Regular Users

Ross Koppel, University of Pennsylvania; Jim Blythe, University of Southern California; Vijay Kothari and Sean Smith, Dartmouth College

In this paper we explore the differential perceptions of cybersecurity professionals and general users regarding access rules and passwords. We conducted a preliminary survey involving 28 participants: 15 cybersecurity professionals and 13 general users. We present our preliminary findings and explain how such survey data might be used to improve security in practice. We focus on user fatigue with access rules and passwords.


Applying Cognitive Control Modes to Identify Security Fatigue Hotspots

Simon Parkin, Kat Krol, Ingolf Becker, and M. Angela Sasse, University College London

Security tasks can burden the individual, to the extent that security fatigue promotes bad security habits. Here we revisit a series of user-centred studies of security mechanisms as part of regular routines, such as two-factor authentication. These studies inform reflection upon the perceived contributors and consequences of fatigue, and strategies that a person may adopt in response to feeling overburdened by security. The fatigue produced by security tasks is then framed using a model of cognitive control modes, which explores human performance and error. Security tasks are then considered in terms of modes such as unconscious routines and knowledge-based ad-hoc approaches. Conscious attention can support adaptation to novel security situations, but is error-prone and tiring; both simple security routines and technology-driven automation can minimise effort, but may miss cues from the environment that a nuanced response is required.


Putting Your Passwords on Self-destruct Mode: Beating Password Fatigue

Huascar Sanchez and John Murray, SRI International

Many people feel overwhelmed by the number of Web accounts they need to access on a regular basis, because of the quantity of passwords that have to be updated, especially in the context of many frequent password change mandates. This sense of challenge has been referred to as Password Fatigue and is essentially defined as simply having too many passwords to remember (or deal with) on an erratic schedule and/or inconsistent basis.

People who suffer password fatigue are simply too exhausted from all the passwords they have to remember and all the work it takes to keep them up to date. Although there exist shortcuts and some handy tools for automating this process, at the end of day, it all comes down to people's own time and attention. Both of which are in short supply.

3:00 pm–3:30 pm Wednesday

Break with Refreshments

Ballroom Foyer

3:30 pm–4:00 pm Wednesday

Activity and Discussion: Can You Identify Security Fatigue?

Sandra Spickard Prettyman, President, Culture Catalyst and Brian Stanton, National Institute of Standards and Technology (NIST) and SOUPS 2016 Organizer

4:05 pm–4:25 pm Wednesday

Discussion: NIST Security Fatigue Findings

Brian Stanton, National Institute of Standards and Technology

4:30 pm–5:00 pm Wednesday

Discussion: Developing a Security Fatigue Research Agenda

Simson Garfinkel, National Institute of Standards and Technology

5:15 pm–7:00 pm Wednesday

SOUPS 2016 Poster Session and Happy Hour

Colorado Ballroom A–E