Kami Vaniea

University of Waterloo | UWaterloo · Department of Electrical & Computer Engineering

PhD

About

73
Publications
62,789
Reads
1,944
Citations
Introduction
I am a human factors in cyber security and privacy researcher. I am interested in all aspects of how people interact with security and privacy technologies.
Additional affiliations
August 2015 - October 2023
University of Edinburgh
Position
  • Professor (Associate)
Description
  • I am a Reader (Assistant Professor) in Cyber Security and Privacy. My research is on the human factors of security and privacy technologies. I am also the head of the Technology Usability Lab in Privacy and Security (TULiPS).
August 2014 - July 2015
Indiana University Bloomington
Position
  • Professor (Assistant)
August 2012 - July 2014
Michigan State University
Position
  • PostDoc Position

Publications

Conference Paper
Full-text available
Installing security-relevant software updates is one of the best computer protection mechanisms. However, users do not always choose to install updates. Through interviewing non-expert Windows users, we found that users frequently decide not to install future updates, regardless of whether they are important for security, after negative experiences...
Conference Paper
Full-text available
Updates alter the way software functions by fixing bugs, changing features, and modifying the user interface. Sometimes changes are welcome, even anticipated, and sometimes they are unwanted leading to users avoiding potentially unwanted updates. If users delay or do not install updates it can have serious security implications for their computer....
Conference Paper
Full-text available
Common anti-phishing advice tells users to mouse over links, look at the URL, and compare to the expected destination, implicitly assuming that they are able to read the URL. To test this assumption, we conducted a survey with 1929 participants recruited from the Amazon Mechanical Turk and Prolific Academic platforms. Participants were shown 23 URL...
Conference Paper
Full-text available
We analyse Stack Overflow (SO) to understand challenges and confusions developers face while dealing with privacy-related topics. We apply topic modelling techniques to 1,733 privacy-related questions to identify topics and then qualitatively analyse a random sample of 315 privacy-related questions. Identified topics include privacy policies, priva...
Preprint
Full-text available
Phishing is one of the most prevalent and expensive types of cybercrime faced by organizations and individuals worldwide. Most prior research has focused on various technical features and traditional representations of text to characterize phishing emails. There is a significant knowledge gap about the qualitative traits embedded in them, which cou...
Preprint
Full-text available
System administrators, similar to end users, may delay or avoid software patches, also known as updates, despite the impact their timely application can have on system security. These admins are responsible for large, complex, amalgamated systems and must balance the security related needs of their organizations, which would benefit from the patch,...
Conference Paper
Full-text available
In theory, consent dialogs allow users to express privacy preferences regarding how a website and its partners process users' personal data. In reality, dialogs often employ subtle design techniques known as dark patterns that nudge users towards accepting more cookies than the user would otherwise accept. We build a system, DarkDialogs, that can a...
Article
Full-text available
In theory, consent dialogs allow users to express privacy preferences regarding how a website and its partners process the user's personal data. In reality, dialogs often employ subtle design techniques known as dark patterns that nudge users towards accepting more data processing than the user would otherwise accept. Dark patterns undermine user a...
Article
Full-text available
Twitter accounts are public by default, but Twitter gives the option to create protected accounts, where only approved followers can see their tweets. The publicly visible information changes based on the account type and the visibility of tweets also depends solely on the poster's account type which can cause unintended disclosures especially when...
Article
Full-text available
To make privacy a first-class citizen in software, we argue for equipping developers with usable and responsibly-designed tools, as well as providing support from organizations, educators, and regulators. We discuss the challenges with the successful integration of privacy features and propose solutions for stakeholders to help developers perform p...
Article
Full-text available
Attackers attempt to create successful phishing campaigns by sending out trustworthy-looking emails with a range of variations, such as adding the recipient name in the subject line or changing URLs in email body. These tactics are used to bypass filters and make it difficult for the information system teams to block all emails even when they are a...
Preprint
Full-text available
Twitter accounts are public by default, but Twitter gives the option to create protected accounts, where only approved followers can see their tweets. The publicly visible information changes based on the account type and the visibility of tweets also depends solely on the poster's account type which can cause unintended disclosures especially when...
Preprint
Full-text available
To make privacy a first-class citizen in software, we argue for equipping developers with usable tools, as well as providing support from organizations, educators, and regulators. We discuss the challenges with the successful integration of privacy features and propose solutions for stakeholders to help developers perform privacy-related tasks.
Conference Paper
Full-text available
Privacy tasks can be challenging for developers, resulting in privacy frameworks and guidelines from the research community which are designed to assist developers in considering privacy features and applying privacy enhancing technologies in early stages of software development. However, how developers engage with privacy design strategies is not...
Article
Date of birth (DOB) has historically been considered as private information and safe to use for authentication, but recent years have seen a shift towards wide public sharing. In this work we characterize how modern social media users are approaching the sharing of birthday wishes publicly online. Over 45 days, we collected over 2.8M tweets wishing...
Conference Paper
Full-text available
Reliably recruiting participants who have programming skills is an ongoing challenge for empirical studies involving software development technologies, often leading to the use of crowdsourcing platforms and computer science (CS) students. In this work, we use five existing survey instruments to explore the programming skills, privacy and security...
Article
Full-text available
Privacy tasks can be challenging for developers, resulting in privacy frameworks and guidelines from the research community which are designed to assist developers in considering privacy features and applying privacy enhancing technologies in early stages of software development. However, how developers engage with privacy design strategies is not...
Preprint
Full-text available
Changing a Twitter account's privacy setting between public and protected changes the visibility of past tweets. By inspecting the privacy setting of over 100K Twitter users over 3 months, we noticed that over 40% of those users change their privacy setting at least once with around 16% changing it over 5 times. This motivated us to explore the rea...
Preprint
Full-text available
Date of birth (DOB) has historically been considered as private information and safe to use for authentication, but recent years have seen a shift towards wide public sharing. In this work we characterize how modern social media users are approaching the sharing of birthday wishes publicly online. Over 45 days, we collected over 2.8M tweets wishing...
Article
Full-text available
Malicious communications aimed at tricking employees are a serious threat for organizations, necessitating the creation of procedures and policies for quickly responding to ongoing attacks. While automated measures provide some protection, they cannot completely protect an organization. In this case study, we use interviews and observations to explore...
Article
Full-text available
Iterative design, implementation, and evaluation of prototype systems is a common approach in Human-Computer Interaction (HCI) and Usable Privacy and Security (USEC); however, research involving physical prototypes can be particularly challenging. We report on twelve interviews with established and nascent USEC researchers who prototype security an...
Chapter
Full-text available
The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate l...
Conference Paper
Full-text available
Evaluating novel authentication systems is often costly and time-consuming. In this work, we assess the suitability of using Virtual Reality (VR) to evaluate the usability and security of real-world authentication systems. To this end, we conducted a replication study and built a virtual replica of CueAuth [52], a recently introduced authentication...
Article
Intelligent personal assistants (IPA), such as Amazon Alexa and Google Assistant, are becoming increasingly present in multi-user households leading to questions about privacy and consent, particularly for those who do not directly own the device they interact with. When these devices are placed in shared spaces, every visitor and cohabitant become...
Preprint
Full-text available
The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate l...
Conference Paper
Full-text available
Advertising networks enable developers to create revenue, but using them potentially impacts user privacy and requires developers to make legal decisions. To understand what privacy information ad networks give developers, we did a walkthrough of four popular ad network guidance pages with a senior Android developer by looking at the privacy-relate...
Conference Paper
Full-text available
Software development teams are responsible for making and implementing software design decisions that directly impact end-user privacy, a challenging task to do well. Privacy Champions—people who strongly care about advocating privacy—play a useful role in supporting privacy-respecting development cultures. To understand their motivations, challeng...
Conference Paper
Full-text available
Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development requiring them to be able to understand and act on tools’ notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were show...
Article
Full-text available
There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D authentication schemes) are vulnerable to observation attacks, and most alternatives are relatively slow. We present RubikAuth, an authentication scheme for VR where users authenticate quickly and securely by selecting digits...
Conference Paper
Full-text available
Applying regular patches is vital for the timely correction of security vulnerabilities, but installing patches also risks disrupting working systems by potentially introducing unknown errors. System administrators must manage the challenges of patching using a combination of reliance on best practice and available information to best match their o...
Conference Paper
Full-text available
There is a growing need for usable and secure authentication in virtual reality (VR). Established concepts (e.g., 2D graphical PINs) are vulnerable to observation attacks, and proposed alternatives are relatively slow. We present RubikAuth, a novel authentication scheme for VR where users authenticate quickly by selecting digits from a virtual 3D...
Conference Paper
Full-text available
The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate l...
Conference Paper
Full-text available
When detecting phishing websites, both humans and computers rely on aspects of the website (features) to aid in their decision making. In this work, we conduct a review of URL-based phishing features that appear in publications targeting human-facing and automated anti-phishing approaches. We focus on both humans and computers to obtain a more comp...
Conference Paper
Full-text available
Frequent exposure to disturbing content on social media such as posts, sharing, accident news, or even photos of puppies could adversely impact users' online experience or well-being. Several protection mechanisms exist to provide users with control over content feeding into their personal spaces; such as sensitive and "show less often" markers. Be...
Conference Paper
Full-text available
Online safety regularly depends on users' ability to know either where a URL is likely to lead or identify when they are on a site other than they expect. Unfortunately, the combination of low URL reading ability in the general population and the use of hard-to-detect approaches like look-alike letters makes the reading of URLs quite challenging fo...
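The two URL-reading studies above tell users to hover over a link, read the URL and compare it with the expected destination, and then show that look-alike letters defeat exactly that comparison. The following Python is an added example, not code from the page or from the cited studies: it extracts the host a link really points to, decodes punycode labels, flags confusable and mixed-script letters and a user-info prefix, and compares a "skeleton" of the registrable domain with the expected one. The confusable table, the one-label public-suffix rule and the sample URLs are constructed for the illustration; a production checker would load the full Unicode confusables data and the Public Suffix List.

```python
"""Added example: read a URL the way the anti-phishing advice assumes a human
can.  Not code from the page or from the cited studies; the confusable table,
the one-label public-suffix rule and the sample inputs are constructed."""
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of look-alike letters that render like ASCII.  A real
# checker would load the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h", "\u04cf": "l",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                  # Greek
    "\u0131": "i", "\u0251": "a",                                 # Latin variants
}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; 'xn--' labels are punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def label_scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) used in a label."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def skeleton(host: str) -> str:
    """Map confusables to ASCII and strip diacritics so look-alikes compare equal."""
    out = []
    for ch in host:
        for part in unicodedata.normalize("NFKD", CONFUSABLES.get(ch, ch)):
            if not unicodedata.combining(part):
                out.append(part)
    return "".join(out)


def registrable_domain(host: str) -> str:
    """Assumption: a one-label public suffix such as '.com'; real code would
    consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def analyse_url(url: str, expected_domain: str) -> dict:
    """Report what a reader needs: the real host, whether it was hidden behind
    punycode or a user-info prefix, and whether it merely looks like the
    expected domain."""
    parts = urlsplit(url)
    raw_host = (parts.hostname or "").lower()
    host = ".".join(decode_label(lbl) for lbl in raw_host.split("."))
    domain = registrable_domain(host)
    return {
        "host": host,
        "punycode": raw_host != host,
        # e.g. "https://bank.example@evil.example/": the part before '@' is not the host
        "userinfo_trick": parts.username is not None,
        "confusables": [c for c in host if c in CONFUSABLES],
        "mixed_script": any(len(label_scripts(lbl)) > 1 for lbl in host.split(".")),
        "is_expected": domain == expected_domain,
        "looks_like_expected": domain != expected_domain and skeleton(domain) == expected_domain,
    }


if __name__ == "__main__":
    # Constructed samples: a genuine link, a user-info trick, and a punycode
    # host whose letters are all Cyrillic look-alikes of "apple".
    cyrillic_apple = "\u0430\u0440\u0440\u04cf\u0435"
    puny = cyrillic_apple.encode("punycode").decode("ascii")
    for url, expected in [
        ("https://www.paypal.com/signin", "paypal.com"),
        ("https://paypal.com@evil.example/login", "paypal.com"),
        (f"https://xn--{puny}.com/", "apple.com"),
    ]:
        print(url, "->", analyse_url(url, expected))
```

The `looks_like_expected` flag is the one a hover tooltip cannot give a human: an all-Cyrillic label passes a per-label mixed-script check (which is why browsers also consult confusable data and allow-lists), so the skeleton comparison against the domain the user expects is what actually catches it.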
Conference Paper
Full-text available
Topics in Computer Security, such as firewalls, can seem inaccessible or very difficult to beginners. That perceived inaccessibility is a serious problem at a time when countries like the United Kingdom are facing a shortage of skilled computer security professionals and consequently need more students to consider careers in the area. This project...
Article
Full-text available
Based upon a study of how to capture data from Internet of Things (IoT) devices, this paper explores the challenges for data centric design ethnography. Often purchased to perform specific tasks, IoT devices exist in a complex ecosystem. This paper describes a study that used a variety of methods to capture the interactions an IoT device engaged in...
Conference Paper
Major online messaging services such as Facebook Messenger and WhatsApp are starting to provide users with real-time information about when people read their messages. While useful, the feature has the potential to negatively impact privacy as well as cause concern over access to self. We report on two surveys using Mechanical Turk which looked at...
Conference Paper
Social networking sites are starting to provide users with services that expose information about their audiences' composition and behavior, such as LinkedIn's 'Who's viewed my profile' feature. Providing information about content viewers to content publishers, however, raises new privacy concerns for viewers themselves, possibly creating a chillin...
Article
Guest editors M. Angela Sasse and Matthew Smith discuss the origins of the security-usability tradeoff myth with leading academic experts Heather Lipford and Kami Vaniea and industry expert Cormac Herley.
Conference Paper
Full-text available
Managing privacy in mobile instant messaging is a challenge for designers and users alike. If too many options are provided, the privacy controls can become complex to understand and unwieldy to manipulate. Conversely, providing too few controls leaves users without the ability to adequately express their privacy preferences. Further complicating t...
Conference Paper
Full-text available
Mobile Instant Messaging (MIM) applications (apps) such as WhatsApp Messenger enable easy communication and open new issues of information control and privacy management. We investigate WhatsApp to understand how Arab people manage their privacy on MIM apps. We find that WhatsApp's design decisions around adding contacts result in privacy issues of...
Conference Paper
Full-text available
Research on online behavioral advertising has focused on users' attitudes towards sharing and what information they are willing to share. An unexplored area in this domain is how users' knowledge of how to protect their information differs from their self-efficacy about executing privacy protection behavior. The results of a 179-participant online...
Patent
A collaboration system is described for sharing files. The collaboration system operates by receiving an Email message from a sender, the Email message specifying an attachment item (such as a file) and one or more recipients. The Email message also specifies a sender code assigned to the sender for the particular attachment item. The collaboration...
Conference Paper
Full-text available
When security updates are not installed, or installed slowly, end users are at an increased risk for harm. To improve security, software designers have endeavored to remove the user from the software update loop. However, user involvement in software updates remains necessary; not all updates are wanted, and required reboots can negatively impact...
Conference Paper
Full-text available
Despite the large amount of computer security information available to them, end users are often thought of as the weakest link in computer security. The information they have access to comes in many formats: news articles, news broadcasts, education documents, books, stories, and many more. However, inefficient or inconsistent communication betwee...
Conference Paper
Full-text available
We take a detailed look at how users, while focusing on non-permission tasks, notice and fix access-control permission errors depending on where the access-control policy is spatially located on a photo-sharing website. The access-control policy was placed on an online photo-sharing website under the photo or album, on the sidebar, or on a separate...
Conference Paper
Full-text available
In a series of studies, we investigated a user interface intended to help users stay aware of their access-control policy even when they are engaged in another activity as their primary task. Methodological issues arose in each study, which impacted the results. We describe the difficulties encountered during each study, and changes to the methodol...
Conference Paper
Full-text available
In access-control systems, policy rules conflict when they prescribe different decisions (allow or deny) for the same access. We present the results of a user study that demonstrates the significant impact of conflict-resolution method on policy-authoring usability. In our study of 54 participants, varying the conflict-resolution method yielded sta...
Conference Paper
Full-text available
As digital content becomes more prevalent in the home, non-technical users are increasingly interested in sharing that content with others and accessing it from multiple devices. Not much is known about how these users think about controlling access to this data. To better understand this, we conducted semi-structured, in-situ interviews with 33 us...
Conference Paper
Full-text available
In this work we ask the question: what are the challenges of managing a physical or file system access-control policy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-control policy for either a file system or a physical space. Based on these interviews we identi-...
Conference Paper
Full-text available
The goal of the research study reported here was to investigate policy authors' ability to take descriptions of changes to policy situations and author high-quality, complete policy rules that would parse with high accuracy. As a part of this research, we investigated ways in which we could assist policy authors in writing policies. This paper pres...
Conference Paper
Full-text available
Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little has been done to evaluate these systems in practical situations with real users, and few attempts have been made to discover and analyze the access-control policies that users actually want to implement. We report on...
Conference Paper
Full-text available
Grey is a smartphone-based system by which a user can exercise her authority to gain access to rooms in our university building, and by which she can delegate that authority to other users. We present findings from a trial of Grey, with emphasis on how common usability principles manifest themselves in a smartphone-based security applicati...
Conference Paper
Full-text available
We describe our current work in developing novel mechanisms for managing security and privacy in pervasive computing environments. More specifically, we have developed and evaluated three different applications, including a contextual instant messenger, a people finder application, and a phone-based application for access control. We also draw out...
Article
Full-text available
Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little work has been done to evaluate these theoretically interesting systems in practical situations with real users, and few attempts have been made to discover and analyze the access-control policies that users actually want...
Article
Full-text available
Managing large sets of access-control rules is a complex task for security administrators. Each addition, deletion or modification of a rule causes many potential and unknown side effects ranging from rule conflicts to security breaches. Security researchers have attempted to alleviate this problem by proposing algorithms and tools which analyze...
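Two of the abstracts above turn on the same mechanism: a policy conflict, where applicable rules prescribe both allow and deny for one access, and the conflict-resolution method that decides it (the 54-participant authoring study), plus the side effects that one rule change has on the decisions of a whole rule set (the abstract directly above). The following Python is an added example, not code from the page or from either paper: a minimal prefix-matching rule engine that detects a conflict, decides it under four common methods, and reports which requests flip when a rule is added. The rule format, the sample policy and the group memberships are constructed for the illustration.

```python
"""Added example, not taken from the page or from the papers it lists: a
minimal access-control rule engine that makes a policy conflict concrete,
decides it under four conflict-resolution methods, and shows the side effects
of adding one rule.  Rule format, policy and group memberships are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str    # user name, group name, or "*" for anyone
    resource: str   # path prefix; "/" matches everything under the root
    action: str     # "read", "write", or "*"
    effect: str     # "allow" or "deny"
    order: int      # position in the policy file (used by first-applicable)


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str


# Constructed group memberships: alice and bob are contractors, carol is staff.
GROUPS: Dict[str, Set[str]] = {
    "alice": {"contractors"}, "bob": {"contractors"}, "carol": {"staff"},
}

# Constructed policy: a broad allow, a group-wide deny, and a per-user exception.
POLICY: List[Rule] = [
    Rule("*", "/", "read", "allow", 0),
    Rule("contractors", "/hr", "*", "deny", 1),
    Rule("bob", "/hr/payroll", "read", "allow", 2),
]


def _matches(rule: Rule, req: Request) -> bool:
    """Does this rule apply to the request?  Resources match by path prefix."""
    subj_ok = rule.subject in ("*", req.subject) or rule.subject in GROUPS.get(req.subject, set())
    prefix = rule.resource.rstrip("/") + "/"
    res_ok = req.resource == rule.resource or req.resource.startswith(prefix)
    act_ok = rule.action in ("*", req.action)
    return subj_ok and res_ok and act_ok


def applicable(policy: List[Rule], req: Request) -> List[Rule]:
    return [r for r in policy if _matches(r, req)]


def is_conflict(policy: List[Rule], req: Request) -> bool:
    """A conflict: the applicable rules prescribe both allow and deny."""
    return {r.effect for r in applicable(policy, req)} == {"allow", "deny"}


def decide(policy: List[Rule], req: Request, method: str = "deny-overrides") -> str:
    """Resolve a request under a named conflict-resolution method.
    No applicable rule means deny (default-deny)."""
    hits = applicable(policy, req)
    if not hits:
        return "deny"
    effects = {r.effect for r in hits}
    if method == "deny-overrides":
        return "deny" if "deny" in effects else "allow"
    if method == "allow-overrides":
        return "allow" if "allow" in effects else "deny"
    if method == "first-applicable":
        return min(hits, key=lambda r: r.order).effect
    if method == "most-specific":
        # Longest resource prefix wins; ties among the most specific fall back to deny.
        longest = max(len(r.resource) for r in hits)
        top = {r.effect for r in hits if len(r.resource) == longest}
        return "deny" if "deny" in top else "allow"
    raise ValueError(f"unknown method: {method}")


def impact_of_adding(policy: List[Rule], new_rule: Rule, requests: List[Request],
                     method: str) -> Dict[Request, Tuple[str, str]]:
    """Side effects of one rule change: the requests whose decision flips."""
    before = {req: decide(policy, req, method) for req in requests}
    after = {req: decide(policy + [new_rule], req, method) for req in requests}
    return {req: (before[req], after[req]) for req in requests if before[req] != after[req]}


if __name__ == "__main__":
    reqs = [Request("bob", "/hr/payroll/2024.csv", "read"),
            Request("alice", "/hr/handbook.pdf", "read"),
            Request("carol", "/hr/handbook.pdf", "write")]
    for req in reqs:
        row = {m: decide(POLICY, req, m) for m in
               ("deny-overrides", "allow-overrides", "first-applicable", "most-specific")}
        print(req, "conflict" if is_conflict(POLICY, req) else "no conflict", row)
    print("adding the bob exception changes:",
          impact_of_adding(POLICY[:2], POLICY[2], reqs, "most-specific"))
```

Run it and the same three-rule policy yields four different answers for bob's payroll request depending only on the resolution method; under first-applicable the broad allow at position 0 silently wins, so the administrator's "except bob" rule changes nothing, which is the kind of unknown side effect the rule-set analysis tools in the last abstract are meant to surface.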

Questions

I am teaching a course in Human Computer Interaction and am looking for some good online tools that will let students mock up an interactive user interface and share it with other students.
