Karen Renaud
University of Strathclyde · Department of Computer and Information Sciences
Doctor of Computer Science
Publications: 353
Reads: 118,110
Citations: 4,950
Publications (353)
Purpose
The purpose of this study was to investigate the role of grace in the aftermaths of adverse cybersecurity incidents. Adverse incidents are an inescapable fact of life in organizational settings; consequences could be significant and costly. Increasingly, the cause may be a cybersecurity exploit, such as a well-targeted phishing email. In th...
Purpose
Adverse cyber events, like death and taxes, have become inevitable. They are an increasingly common feature of organisational life. Their aftermaths are a critical and under-examined context and dynamic space within which to examine trust. In this paper, we address this deficit.
Design/methodology/approach
Drawing on pertinent theory and r...
Citizens face online privacy threats from social media, online service providers and governments. Privacy-enhancing tools (PETs) can prevent privacy invasion, but the uptake of these is limited. We developed a novel conceptual framework for privacy self-protection, consisting of a classification framework of four distinct privacy threats and our ow...
Citizens face online privacy threats from social media, organisations and governments. Privacy-enhancing tools (PETs) can help people to preserve their privacy, but the uptake of these is limited. We developed a conceptual framework for privacy self-protection, using a classification framework of four distinct privacy threats and our own novel stag...
Policy pushes are essential in furthering moral needs; this also applies to inclusive security and privacy. Sen's capability approach is ideally placed to frame inclusive cybersecurity policies to facilitate an equitable and secure digital-first society.
There are widespread concerns about the online harms to children operating online. As such, governments have enacted laws to require online service providers to deploy age verification to prevent such harms. We investigate the following three research questions regarding this topic: (1) To what extent have different governments legislated age verif...
This position paper briefly discusses nudging, its use by autonomous agents, potential risks and ethical considerations while creating such systems. Instead of taking a normative approach, which guides all situations, the paper proposes a risk-driven questions-and-answer approach. The paper takes the position that this is a pragmatic method, that i...
The ‘insider threat’ is often discussed as though it is a single phenomenon. In fact, there are several species of threat and it's important to understand the differences between them. This article suggests a new taxonomy for insider threats and how to deal with them.
Deceptive techniques known as dark patterns specifically target online users. Children are particularly vulnerable as they might lack the skills to recognise and resist these deceptive attempts. To be effective, interventions to forewarn and forearm should build on a comprehensive understanding of children’s existing mental models. To this end, we...
Purpose
This study aims to investigate how phishers apply persuasion principles and construct deceptive URLs in mobile instant messaging (MIM) phishing.
Design/methodology/approach
In total, 67 examples of real-world MIM phishing attacks were collected from various online sources. Each example was coded using established guidelines from the litera...
Insiders have the potential to do a great deal of damage, given their legitimate access to organisational assets and the trust they enjoy. Organisations can only mitigate insider threats if they understand what the different kinds of insider threats are, and what tailored measures can be used to mitigate the threat posed by each of them. Here, we d...
The popularity of Mobile Instant Messaging (MIM) Applications (apps) presents cybercriminals with a new venue for sending deceptive messages, known as ‘Phishing’. MIM apps often lack technical safeguards to shield users from these messages. The first step towards developing anti-phishing solutions to identify phishing messages in any attack vector...
Users of mobile instant messaging (MIM) applications (apps) are increasingly targeted by phishing attacks. MIM apps often lack technical countermeasures for protecting users from phishing. Thus, users need to take preventive measures against phishing threats. Measures include awareness of the threat and the adoption of phishing preventive behaviour...
The UK government responsibilizes its citizens when it comes to their cyber security, as do other countries. Governments provide excellent advice online, but do not provide any other direct support. Responsibilization is viable when: (1) risk management activities require only ubiquitous skills, (2) a failure to manage the risk does not affect othe...
One of the more striking recent miscarriages of justice was perpetrated by the UK's Post Office when subpostmasters and subpostmistresses were prosecuted for fraud that actually arose from malfunctioning software. Over 700 were victimised, losing homes and livelihoods. We first use a zemiological lens to examine the harms caused by these events at...
Purpose
Smart-home security involves multilayered security challenges related to smart-home devices, networks, mobile applications, cloud servers and users. However, very few studies focus on smart-home users. This paper aims to fill this gap by investigating the potential interests of adult smart-home users in cybersecurity awareness training and...
Responsibilizing governments provide advice about how to manage a variety of risks. If citizens do not heed the advice and things go wrong, they are expected to accept the adverse consequences without complaint. However, in some cases, citizens are unable or unwilling to embrace these government assigned responsibilities and to act on the advice, f...
Online users are responsible for protecting their online privacy themselves: the mantra is custodiat te (protect yourself). Even so, there is a great deal of evidence pointing to the fact that online users generally do not act to preserve the privacy of their personal information, consequently disclosing more than they ought to and unwisely divulgi...
Reflecting on the impact of COVID-19 on teaching and learning, this study investigates the possible shifts from short-term reactive educational delivery approaches to a more strategic, innovative, and sustainable approach to teaching and learning. This study aimed to understand the evolution of perceptions and experiences of academics during, and a...
Software runs our modern day lives: our shopping, our transport and our medical devices. Hence, no citizen can escape the consequences of poor software engineering. A closely-aligned concern, which also touches every aspect of our lives, is cyber security. Software has to be developed with cybersecurity threats in mind, in order to design resistanc...
Employees play a critical role in improving workplace cyber security, which builds on widespread security knowledge and expertise. To maximise knowledge levels, organisations run awareness and training courses. Yet, they should also encourage and facilitate Security Knowledge Sharing (SKS). To facilitate such sharing, we used a bespoke App which dep...
The move to ‘digital first’ has led to increasing dependence on online services, which increases susceptibility to security incidents. ¹ Human behaviours can compromise organisational information security, with myriad perpetrators willing to exploit the human propensity to trust in order to achieve such compromises. ² Phishing emails – which presen...
The COVID-19 pandemic and the subsequent emergency measures had a fundamental and disruptive impact on societies and, in particular, on the educational sector. The transition of the modality of educational delivery from face-to-face to online occurred within days; this research study considered the concepts of digital trust and digital access, usin...
When we use secure computer systems, we engage with carefully orchestrated and ordered interactions called “security ceremonies”, all of which exist to assure security. A great deal of attention has been paid to improving the usability of these ceremonies over the last two decades, to make them easier for end-users to engage with. Yet, usability im...
The successful use of Information and Communication Technologies (ICTs) by Small to Medium Enterprises (SMEs) remains a persistent problem within developing economies where they face several technical and skills-related challenges. Although cloud services can mitigate some of these challenges, many SMEs fail to adopt cloud services. Therefore, the...
Background. Nation states unleash cyber attacks targeting other nation states (e.g. WannaCry, SolarWinds), termed “offensive cyber operations”. When such aggressions are deemed, according to the UN Charter, to constitute a threat to the peace, breach of the peace, or act of aggression towards a nation state, governments might choose to respond. Res...
It has been argued that human-centred security design needs to accommodate the considerations of three dimensions: (1) security, (2) usability and (3) accessibility. The latter has not yet received much attention. Now that governments and health services are increasingly requiring their citizens/patients to use online services, the need for accessi...
Background: Socially desirable responding within the context of self-reported surveys is a well-known and persistent problem that plagues quantitative studies. Such forms of responding are particularly problematic within the context of personality-based studies that investigate privacy-related decision-making. In such instances, certain respondents...
As the creators, designers, coders, testers, users, and occasional abusers of all software systems - including cyber security systems - humans should be at the centre of all design and development efforts. Despite this, most software engineering and cyber security research and practices tend to be function, data, or process oriented. In contrast, hum...
Password manager applications have the potential to alleviate password pain and improve password strength, yet they are not widely adopted. Password managers are dissimilar to other kinds of software tools, given that the leakage of the credentials they store could give a hacker access to all the individual's online accounts. Moreover, adoption req...
Online users require a working knowledge of password “best practice”, as well as the ability to apply such knowledge. Children increasingly operate as independent agents online, and thus also need to be aware of password “best practice”. To meet this need, the Scottish curriculum for excellence includes lessons about password “best practice”. Hence...
Social media platforms can deliver benefits for their users. They help people to stay in touch with each other and to have control over how they present themselves to their contacts on these platforms. In some cases, these benefits lead to excessive usage, which can diminish individual wellbeing, and compromise relationships with significant others...
Supporting users with secure password creation is a well-explored yet unresolved research topic. A promising intervention is the password meter, i.e. providing feedback on the user's password strength as and when it is created. However, findings related to the password meter's effectiveness are varied. An extensive literature review revealed that,...
Purpose
Boards of Directors and other organisational leaders make decisions about the information security governance systems to implement in their companies. The increasing number of cyber-breaches targeting businesses makes this activity inescapable. Recently, researchers have published comprehensive lists of recommended cyber measures, specifica...
In 2020, a global pandemic led to lockdowns, and subsequent social and business restrictions. These required overnight implementation of emergency measures to permit continued functioning of vital industries. Digital technologies and platforms made this switch feasible, but it also introduced several cyber related vulnerabilities, which students mi...
In this paper, we report on the literature related to understanding young learners' mental models related to deceptive "dark patterns" used by malicious agents online: so-called sludge. We also discuss elicitation of mental models, particularly when carrying out activities to reveal the mental models of young learners. In addition, we review the et...
Fear appeals are used in many domains. Cybersecurity researchers are also starting to experiment with fear appeals, many reporting positive outcomes. Yet there are ethical concerns related to the use of fear to motivate action. In this paper, we explore this aspect from the perspectives of cybersecurity fear appeal deployers and recipients. We comm...
The sociologist Norbert Elias argued that the ability to take responsibility is part of a ‘civilizing process’. Neoliberal governments appear to agree with this, because they have ‘responsibilised’ their citizens in many domains. Pellandini-Simányi and Conte explain that the concept of responsibilisation refers to the assigning of responsibility t...
Citizens of the hyper-connected world face tremendous challenges in managing their personal online risks; that is to preserve their cyber safety, cyber security and cyber privacy. Governments allocate significant resources to raising awareness about these three areas among their citizens to equip them to manage their online risks. To ensure maximum...
The pandemic and subsequent ‘lockdowns’ dramatically changed the educational landscape of higher education institutions. Before COVID-19, traditional universities had choices in pedagogical practice, which included a variety of teaching delivery modes. Overnight, a single mode of delivery became the only option for traditional higher education inst...
Purpose
There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precau...
Purpose
The purpose of this paper is to reveal the lived experiences of dyslexics in engaging with all kinds of alphanumeric authentication mechanisms.
Design/methodology/approach
A significant proportion of the world’s population experiences some degree of dyslexia, which can lead to spelling, processing, sequencing and retention difficulties. Pa...
https://www.wsj.com/articles/what-keeps-people-from-using-password-managers-11623086700
Software invisibly permeates our everyday lives: operating devices in our physical world (traffic lights and cars), effecting our business transactions and powering the vast World Wide Web. We have come to rely on such software to work correctly and efficiently. The generally accepted narrative is that any software errors that do occur can be trace...
The human–computer interaction for development (HCI4D) field emerged at the intersection of the fields of information and communication technology for development (ICT4D) and human–computer interaction (HCI). In 2010, Michael Best nominated HCI4D as one of ICT4D’s “grand challenges”. This HCI4D field is now entering its second decade, and it is imp...
Software is developed specifically for children and this often requires them to authenticate themselves, usually by entering a password. Password hygiene is important for children, because the principles they learn in early life will often endure across their life span. Children learn from their parents, siblings, teachers, and peers. They also lea...
This paper reports on a three-part investigation into people’s perceptions of cybersecurity, based on their lived experiences. We sought thereby to reveal issues located within the Johari grid’s “Blind Spot” quadrant. We utilized research methodologies from both the Arts and Science in order firstly to identify blind spot issues, and secondly to ex...
Nudging is a promising approach, in terms of influencing people to make advisable choices in a range of domains, including cybersecurity. However, the processes underlying the concept and the nudge’s effectiveness in different contexts, and in the long term, are still poorly understood. Our research thus first reviewed the nudge concept and differe...
The COVID-19 pandemic has caused major disruptions across the world; universities have not been exempt. This has included disruptions in not only the delivery of traditional in-person classes, but also research. In this paper, we detail the efforts undertaken to modify the research protocols originally developed for a longitudinal experiment design...
Textual passwords are problematic for young children, whose cognitive, memory and linguistic capabilities are still developing. A possible alternative to using text for authentication systems for young children is drawings. In this paper, we describe an authentication system called KidsDoodlePass, which uses simple drawings (“doodles”) that the chil...
Governments and businesses are moving online with alacrity, driven by potential cost savings, changing consumer and citizen expectations, and the momentum towards general digital provision. Services are legally required to be inclusive and accessible. Now consider that almost every online service, where people have to identify themselves, requires...
End-to-end verifiable Internet voting enables a high level of election integrity. Cast-as-intended verification, in particular, allows voters to verify that their vote has been correctly cast, even in the presence of malicious voting devices. One cast-as-intended verification approach is code-based verification, used since 2015 in legally-binding S...
USB drives are a great way of transferring and backing up files. The problem is that they are easily lost, and users do not understand how to secure or properly erase them. When used to store private and sensitive information, this constitutes a risk that users may be unaware of. Consider that people sell used USB drives online -- presumably either...
On the 23rd March 2020, the UK entered a period of lockdown in the face of a deadly pandemic. While some were unable to work from home, many organisations were forced to move their activities online. Here, we discuss the technologies they used, from a privacy and security perspective. We also mention the communication failures that have exacerbated...
Governments can intervene to a greater or lesser extent in managing the risks that citizens face. They can adopt a maximal intervention approach (e.g., COVID‐19) or a hands‐off approach (e.g., unemployment), effectively “responsibilizing” their citizens. To manage the cyber risk, governments publish cyber‐related policies. This article examines the...
The “privacy paradox” is the term used to describe the disconnect between self-reported privacy value attributions and actions actually taken to protect and preserve personal privacy. This phenomenon has been investigated in a number of domains and we extend the body of research with an investigation in the IoT domain. We presented participants wit...
Employees play a crucial role in enhancing information security in the workplace, and this requires everyone having the requisite security knowledge and know-how. To maximise knowledge levels, organisations should encourage and facilitate Security Knowledge Sharing (SKS) between employees. To maximise sharing, we need first to understand the mechan...
Many mobile apps are developed specifically for use by children. As a consequence, children become actors in a world where they use passwords to authenticate themselves from a very young age. As such, there is a need for guidance to inform educators and parents about how to prepare children for responsible password practice. Very little attention has...
Purpose
To investigate the links between IC and the protection of data, information and knowledge in universities, as organizations with unique knowledge-related foci and challenges.
Design/methodology/approach
The authors gathered insights from existing IC-related research publications to delineate key foundational aspects of IC, identify and pro...
Purpose
Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital forensics has become far more sophisticated over the years and is now able to uncover even more evidence that can be used to support prosecution of cyber criminals in a cou...