Angela Sasse
Ruhr-Universität Bochum | RUB · Horst Görtz Institute of IT-Security (HGI)

PhD Computer Science, University of Birmingham

About

366
Publications
103,370
Reads
12,827
Citations
Introduction
Angela Sasse is Professor of Human-Centred Security at Ruhr University Bochum in Germany, and also still part-time Professor of Human-Centred Technology in the Department of Computer Science, University College London, where she started her research and teaching in 1990. A researcher in Human-Computer Interaction and User Experience by background, her research has focussed on Security, Privacy, Identity and Trust since the late 90s; her current project is 'Human-Centred Security'.
Additional affiliations
May 2013 - present
University of Oxford
Position
  • Oxford Martin Fellow
Description
  • Co-Chair (with Prof. Bill Dutton) of Dimension 2
November 1990 - present
University College London
Position
  • Professor (Full)
Position
  • Human Factors in Security

Publications

Publications (366)
Article
Training and simulated phishing attacks are meant to sensitise medical staff so that they take time for IT security. Given the time pressure and staff shortages, the question arises where they are supposed to find this time, especially since the security policies and systems cause frustration. Instead, one should rely on...
Conference Paper
Security awareness is on everyone's lips. More and more organisations rely on sensitising their employees to cyberattacks by means of online training and simulated phishing attacks. For management and the typically technically focused IT security decision-makers, it is easy to buy off-the-shelf training and...
Chapter
Full-text available
Over the past decade, researchers investigating IT security from a socio-technical perspective have identified the importance of trust and collaboration between different stakeholders in an organisation as the basis for successful defence. Yet, when employees do not follow security rules, many security practitioners attribute this to them being “we...
Conference Paper
Full-text available
Security awareness is big business: virtually every organization in the Western world provides some form of awareness or training, mostly bought from external vendors. However, studies and industry reports show that these programs have little to no effect in terms of changing the security behavior of employees. We explain the conditions that enable...
Conference Paper
The security threat emanating from macro viruses is currently on the rise. Macros are deactivated by default, but when opening a Microsoft Office document with embedded macros, users are presented with a warning message and a one-click option to activate the macro. The aim of the study was to investigate how users interact with this design, to what...
Conference Paper
Full-text available
Over the past decade, researchers investigating IT security from a socio-technical perspective have identified the importance of trust and collaboration between different stakeholders in an organisation as the basis for successful defence. Yet, when employees do not follow security rules, many security practitioners attribute this to them being "we...
Chapter
In an attempt to stop phishing attacks, an increasing number of organisations run Simulated Phishing Campaigns to train their staff not to click on suspicious links. Organisations can buy toolkits to craft and run their own campaigns, or hire a specialist company to provide such campaigns as a service. To what extent this activity reduces the vulne...
Chapter
A Virtual Private Network (VPN) helps to mitigate the security and privacy risks of transmitting data on unsecured networks such as public Wi-Fi. However, despite awareness of public Wi-Fi risks becoming increasingly common, the use of a VPN when using public Wi-Fi is low. To increase adoption, understanding the factors driving users' decision to adopt a VPN ap...
Conference Paper
A Virtual Private Network (VPN) helps to mitigate the security and privacy risks of transmitting data on unsecured networks such as public Wi-Fi. However, despite awareness of public Wi-Fi risks becoming increasingly common, the use of a VPN when using public Wi-Fi is low. To increase adoption, understanding the factors driving users' decision to adopt a VPN ap...
Preprint
A Virtual Private Network (VPN) helps to mitigate the security and privacy risks of transmitting data on unsecured networks such as public Wi-Fi. However, despite awareness of public Wi-Fi risks becoming increasingly common, the use of a VPN when using public Wi-Fi is low. To increase adoption, understanding the factors driving users' decision to adopt a VPN ap...
Article
Full-text available
Abstract: Phishing attacks are not a new phenomenon, but they remain a major threat to every institution. To measure or improve employees' resistance to phishing attacks, numerous institutions run phishing campaigns in which (simulated) phishing messages are sent to their employees. ...
Article
Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a ser...
Conference Paper
Controlling asset-access has traditionally been considered a matter for systems in which assets reside. Centralized approaches to access control are, however, problematic for the IoT. One reason for this is that devices may not be confined to a single system of control. In this abstract, we argue for a new paradigm in which assets are empowered to...
Conference Paper
We view foreign interference in US and UK elections via social manipulation through the lens of usable security. Our goal is to provide advice on what interventions on the socio-technical election system are likely to work, and which are likely to fail. Strategies that the usable security literature indicates are likely to work are those that (1) a...
Conference Paper
A security breach often makes companies react by changing their attitude and approach to security within the organization. This paper presents an in-depth case study of post-breach security changes made by a company and the consequences of those changes. We employ the principles of participatory action research and humble inquiry to conduct a long-...
Conference Paper
Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a ser...
Conference Paper
Security experts often question why some users take actions that could expose them to security and privacy risks. Using unsecured Wi-Fi networks is one common example. Even though mobile data is now a more secure means to connect to the Internet, and is becoming faster and more affordable, many users continue to use unsecured Wi-Fi. To identify ris...
Conference Paper
Full-text available
Many security experts bemoan that consumers behave insecurely. Yet, current approaches to improving behavior either fail to consider when people may be most receptive to an intervention, or only consider experiences of threat (e.g., getting hacked) when identifying opportune moments for behavior change. We instead explore how an exemplar, positive...
Conference Paper
Full-text available
mHealth applications ("apps") must be searched for and downloaded prior to use, creating a potential barrier to uptake. Integrating health interventions into existing online social environments removes this barrier. However, little is known about the effects of linking sensitive health information to existing online identities. Our qualitative anal...
Conference Paper
Many people find public Wi-Fi networks convenient, but these networks harbor security and privacy risks. As public knowledge of these risks becomes common, we investigated whether the risks were still at large and what factors influenced users to use the networks — this is the first study to draw evidence from Japan. Adapting the methodology from a p...
Article
The advent of the sixth Android version brought a significant security and privacy advancement to its users. The platform’s security model has changed dramatically, allowing users to grant or deny access to resources when requested by applications during run-time. This improvement changed the traditional coarse-grained permission system and it was...
Article
We set out to investigate how customers comprehend bank terms and conditions (T&Cs). If T&Cs are incomprehensible, then it is unreasonable to expect customers to comply with them. An expert analysis of 30 bank contracts across 25 countries found that in most cases the contract terms were too vague to be understood; in some cases they differ by prod...
Article
The dataset contains the survey responses and analysis files for the paper to be presented at USEC 2018 in San Diego, CA, US.
Conference Paper
Full-text available
Background: Research has shown that users do not use encryption and fail to understand the security properties which encryption provides. We hypothesise that one contributing factor to failed user understanding is poor explanations of security properties, as the technical descriptions used to explain encryption focus on structural mental models. Pu...
Conference Paper
Full-text available
Background. Since Whitten and Tygar’s seminal study of PGP 5.0 in 1999, there have been continuing efforts to produce email encryption tools for adoption by a wider user base, where these efforts vary in how well they consider the usability and utility needs of prospective users. Aim. We conducted a study aiming to assess the user experience of two...
Conference Paper
Background: We reflect on a methodology for developing scenario-based security behaviour surveys that evolved through deployment in two large partner organisations (A & B). In each organisation, scenarios are grounded in workplace tensions between security and employees’ productive tasks. These tensions are drawn from prior interviews in the organi...
Article
Full-text available
Coding and analysis for a paper presented at Learning from Authoritative Security Experiment Results (LASER) 2017.
Article
Full-text available
The study presented in this article investigated to what extent bank customers understand the terms and conditions (T&Cs) they have signed up to. If many customers are not able to understand T&Cs and the behaviours they are expected to comply with, they risk not being compensated when their accounts are breached. An expert analysis of 30 bank contr...
Conference Paper
Full-text available
Fraud victims are often refused a refund by their bank on the grounds that they failed to comply with their bank’s terms and conditions about PIN safety. We, therefore, conducted a survey of how many PINs people have, and how they manage them. We found that while only a third of PINs are ever changed, almost half of bank customers write at least on...
Conference Paper
Application sandboxes are an essential security mechanism to contain malware, but are seldom used on desktops. To understand why this is the case, we interviewed 13 expert users about app appropriation decisions they made on their desktop computers. We collected 201 statements about app appropriation decisions. Our value-sensitive empirical analysi...
Conference Paper
Application sandboxes are an essential security mechanism to contain malware, but are seldom used on desktops. To understand why this is the case, we interviewed 13 expert users about app appropriation decisions they made on their desktop computers. We collected 201 statements about app appropriation decisions. Our value-sensitive empirical analysi...
Conference Paper
Full-text available
Usable security research to date has focused on making users more secure, by identifying and addressing usability issues that lead users to making mistakes, or by persuading users to pay attention to security and make secure choices. However, security goals were set by security experts, who were unaware that users often have other priorities and va...
Conference Paper
The computer security community has advocated widespread adoption of secure communication tools to counter mass surveillance. Several popular personal communication tools (e.g., WhatsApp, iMessage) have adopted end-to-end encryption, and many new tools (e.g., Signal, Telegram) have been launched with security as a key selling point. However it rema...
Conference Paper
Full-text available
Security managers define policies and procedures to express how employees should behave to 'do their bit' for information security. They assume these policies are compatible with the business processes and individual employees' tasks as they know them. Security managers usually rely on the 'official' description of how those processes are run; the...
Conference Paper
Full-text available
The computer security community has advocated widespread adoption of secure communication tools to protect personal privacy. Several popular communication tools have adopted end-to-end encryption (e.g., WhatsApp, iMessage), or promoted security features as selling points (e.g., Telegram, Signal). However, previous studies have shown that users may...
Conference Paper
Full-text available
Mass-marketing frauds (MMFs) are on the increase. Given the amount of monies lost and the psychological impact of MMFs there is an urgent need to develop new and effective methods to prevent more of these crimes. This paper reports the early planning of automated methods our interdisciplinary team are developing to prevent and detect MMF. Important...
Article
Application sandboxes are an essential security mechanism to contain malware. Yet, they are seldom used on Desktops. We hypothesise this is because sandboxes are incompatible with plugins, and with APIs used to implement a wide variety of Desktop features. To verify this, we interviewed 13 expert users about their app appropriation decisions, and i...
Conference Paper
Full-text available
The Android operating system changed its security and privacy-related permission model recently, offering its users the ability to control resources that applications are allowed to access on their devices. This major change to the traditional coarse-grained permission system was anticipated for a long time by privacy-aware users. This paper presen...
Conference Paper
Full-text available
Public Wi-Fi networks are now widely available in many countries. Though undoubtedly convenient, such networks have potential security and privacy risks. The aim of this study was to understand if people are aware of those risks, and - if so - why they decide to take them. We set up an experimental free Wi-Fi network at 14 locations in central Lond...
Article
Dataset for the paper "Permissions Snapshots: Assessing Users’ Adaptation to the Android Runtime Permission Model" published at WIFS 2016
Article
This special issue of IEEE Security & Privacy features three articles and a roundtable discussion that examine the relationship between security and usability in detail to identify the perceptions, processes, and practices that underlie these continuing challenges and to identify what needs to change to advance the field.
Article
Full-text available
Usable security assumes that when security functions are more usable, people are more likely to use them, leading to an improvement in overall security. Existing software design and engineering processes provide little guidance for leveraging this in the development of applications. Three case studies explore organizational attempts to provide usab...
Article
Guest editors M. Angela Sasse and Matthew Smith discuss the origins of the security-usability tradeoff myth with leading academic experts Heather Lipford and Kami Vaniea and industry expert Cormac Herley.
Article
Full-text available
Over the past 15 years, researchers have identified an increasing number of security mechanisms that are so unusable that the intended users either circumvent them or give up on a service rather than suffer the security. With hindsight, the reasons can be identified easily enough: either the security task itself is too cumbersome and/or time-consum...
Conference Paper
Full-text available
Security tasks can burden the individual, to the extent that security fatigue promotes habits that undermine security. Here we revisit a series of user-centred studies which focus on security mechanisms as part of regular routines, such as two-factor authentication. By examining routine security behaviours, these studies expose perceived contributo...
Conference Paper
Full-text available
Organisational security policies are often written without sufficiently taking into account the goals and capabilities of the employees that must follow them. Effective security management requires that security managers are able to assess the effectiveness of their policies, including their impact on employee behaviour. We present a methodology f...
Conference Paper
Full-text available
We set out to investigate how customers comprehend bank terms and conditions (T&Cs). If T&Cs are incomprehensible, then it is unreasonable to expect customers to comply with them. An expert analysis of 30 bank contracts across 25 countries found that in most cases the contract terms were too vague to be understood; in some cases they differ by prod...
Conference Paper
Background: Human beings are an integral part of computer security, whether we actively participate or simply build the systems. Despite this importance, understanding users and their interaction with security is a blind spot for most security practitioners and designers. / Aim: Define principles for conducting experiments into usable security and...
Conference Paper
Full-text available
Background: A person’s security behavior is driven by underlying mental constructs, perceptions and beliefs. Examination of security behavior is often based on dialogue with users of security, which is analysed in textual form by qualitative research methods such as Qualitative Coding (QC). Yet QC has drawbacks: security issues are often time-sensi...
Article
Full-text available
Security and usability issues with passwords suggest a need for a new authentication scheme. Several alternatives involve a physical device or token. We investigate one such alternative, Pico: an authentication scheme that utilizes multiple wearable devices. We present the grounded theory results of a series of semi-structured interviews for explor...
Conference Paper
Reputation systems in current electronic marketplaces can easily be manipulated by malicious sellers in order to appear more reputable than appropriate. We conducted a controlled experiment with 40 UK and 41 German participants on their ability to detect malicious behavior by means of an eBay-like feedback profile versus a novel interface involving...
Conference Paper
Full-text available
Fraud victims are often refused a refund by their bank on the grounds that they failed to comply with their bank’s terms and conditions about PIN safety. We, therefore, conducted a survey of how many PINs people have, and how they manage them. We found that while only a third of PINs are ever changed, almost half of bank customers write at least on...
Conference Paper
Full-text available
CAPTCHAs are difficult for humans to use, causing frustration. Alternatives have been proposed, but user studies equate usability to solvability. We consider the user perspective to include workload and context of use. We assess traditional text-based CAPTCHAs alongside PlayThru, a 'gamified' verification mechanism, and NoBot, which uses face biome...
Conference Paper
Full-text available
Security and usability issues with passwords suggest a need for a new authentication scheme. Several alternatives involve a physical device or token. We investigate one such alternative, Pico: an authentication scheme that utilizes multiple wearable devices. We present the grounded theory results of a series of semi-structured interviews for explor...
Article
Full-text available
Research on large shared medical datasets and data-driven research are gaining fast momentum and provide major opportunities for improving health systems as well as individual care. Such Open Data can shed light on the causes of disease and the effects of treatment, including adverse reactions and side-effects of treatments, while also facilitating analyses...
Conference Paper
Full-text available
Biometric technologies have the potential to reduce the effort involved in securing personal activities online, such as purchasing goods and services. Verifying that a user session on a website is attributable to a real human is one candidate application, especially as the existing CAPTCHA technology is burdensome and can frustrate users. Here we e...
Conference Paper
Organisations often provide helpdesk services to users, to resolve any problems that they may have in managing passwords for their provisioned accounts. Helpdesk logs record password change events and support requests, but overlook the impact of compliance upon end-user productivity. System managers are not incentivised to investigate these impacts...
Conference Paper
In light of recent revelations of mass state surveillance of phone and Internet communications, many solutions now claim to provide secure messaging. This includes both a broad range of new projects and several widely adopted applications that have added security features. However, despite the demand for better solutions, there is no clear winner i...
Conference Paper
Full-text available
We introduce a new methodology for identifying the factors that drive employee security behaviors in organizations, based on a well-known paradigm from psychology, the Johari Window. An analysis of 93 interviews with staff from 2 multinational organizations revealed that security behavior is driven by a combination of risk understanding and emotiona...
Conference Paper
Full-text available
The security and usability issues associated with passwords have encouraged the development of a plethora of alternative authentication schemes. These aim to provide stronger and/or more usable authentication, but it is hard for the developers to anticipate how users will perform with and react to such schemes. We present a case study of a one-time...
Chapter
The security and usability issues associated with passwords have encouraged the development of a plethora of alternative authentication schemes. These aim to provide stronger and/or more usable authentication, but it is hard for the developers to anticipate how users will perform with and react to such schemes. We present a case study of a one-time...
Article
Full-text available
Users will pay attention to reliable and credible indicators of a risk they want to avoid. More accurate detection and better security tools are necessary to regain users' attention and respect.
Article
Full-text available
Over the past decade, security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past research has treated compliance as a binary decision: people comply or they do not. From our analysis of 118 in-depth interviews with individuals (employees in a large multinatio...
Conference Paper
Full-text available
Current approaches to information security focused on deploying security mechanisms, creating policies and communicating those to employees. Little consideration was given to how policies and mechanisms affect trust relationships in an organization, and in turn security behavior. Our analysis of 208 in-depth interviews with employees in two large m...