L. Jean Camp

Indiana University Bloomington | IUB · Department of Informatics & Department of Computer Science

PhD Engineering and Public Policy

About

308 Publications
98,623 Reads
3,354 Citations
Citations since 2016: 94 research items, 1878 citations
Introduction
Professor L. Jean Camp is at Indiana's Luddy School of Informatics, Computing, & Engineering. Her research focus is computing risk: identification, mitigation, and communication of risks to security & privacy. Her research can be classified as research in secure networking, human-computer interaction and usability, or ICT policy. Risk communication is a full-stack problem: different risks require different interventions. I regret I must decline private requests for feedback.

Publications (308)
Article
Purpose Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses risks to businesses, government agencies and all users due to sensitive data breaches and subsequent financial losses. To study the user side, this paper aims to conduct a literature review and user study. Design/methodology/approach To inves...
Chapter
Manufacturer Usage Description (MUD) is an Internet Engineering Task Force (IETF) standard designed to protect IoT devices and networks by creating an out-of-the-box access control list for an IoT device. Access control list of each device is defined in its MUD-File and may contain possibly hundreds of access control rules. As a result, reading and...
Article
Full-text available
Enrollment apps for COVID-19 vaccinations are meant to be privacy-enhancing, but poor design puts privacy at risk. We report on a qualitative exploration of the experiences of older adults attempting to register for vaccination. We engaged in a think-aloud protocol with six participants over age 65 over Zoom as they used the New York state vaccinat...
Preprint
Full-text available
Secure installation of Internet of Things (IoT) devices requires configuring access control correctly for each device. In order to enable correct configuration the Manufacturer Usage Description (MUD) has been developed by Internet Engineering Task Force (IETF) to automate the protection of IoT devices by micro-segmentation using dynamic access con...
Preprint
Full-text available
Public Key Infrastructure (PKI) is the foundation of secure and trusted transactions across the Internet. This paper presents an evaluation of web-based PKI incidents in two parts. We began with a qualitative study where we captured security and policy experts' perceptions of PKI in a set of interviews. We interviewed 18 experts in two conferences...
Conference Paper
Full-text available
Public Key Infrastructure (PKI) is the foundation of secure and trusted transactions across the Internet. Public key certificates are issued and validated by Certificate Authorities (CAs), which have their trust-of-anchor certificates in Root Program Operators' stores. These CAs provide certificates that attest to the integrity of the ownership of...
Chapter
Multi-factor authentication (MFA) is a useful measure for strengthening authentication. Despite its security effectiveness, the adoption of MFA tools remains low. To create more human-centric authentication solutions, we designed and evaluated the efficacy of a risk-reduction-based incentivization model and implemented our proposed model in a large...
Preprint
Full-text available
Manufacturer Usage Description (MUD) is an Internet Engineering Task Force (IETF) standard designed to protect IoT devices and networks by creating an out-of-the-box access control list for an IoT device. The protocol defines a conceptually straightforward method to implement an isolation-based defensive mechanism based on the rules that are intro...
Chapter
Full-text available
Secure installation of Internet of Things (IoT) devices requires configuring access control correctly for each device. In order to enable correct configuration Manufacturer Usage Description (MUD) has been developed by Internet Engineering Task Force (IETF) to automate the protection of IoT devices by micro-segmentation using dynamic access control...
Conference Paper
Full-text available
Willingness-To-Pay (WTP) is the most a person is willing to pay for a good or service. Conversely, Willingness-To-Accept (WTA) is the minimum amount a person is willing to accept for giving up a good or service. People often attribute a higher value for privacy in the WTA condition when compared to the WTP condition. In behavioral economics of priv...
Article
Purpose The purpose of this paper is to propose practical and usable interactions that will allow more informed, risk-aware comparisons for individuals during app selections. The authors include an explicit argument for the role of human decision-making during app selection and close with a discussion of the strengths of a Bayesian approach to eval...
Conference Paper
Full-text available
Phishing is a ubiquitous global problem that is both the simple crime of theft of authenticating information and the first step in advanced persistent attack chains. Despite receiving worldwide attention and investments in targeted anti-phishing campaigns, a large proportion of people are still vulnerable to phishing. This is not only due to the ev...
Conference Paper
Full-text available
Multi-factor authentication (MFA) is a useful measure for strengthening authentication. Despite its security effectiveness, the adoption of MFA tools remains low. To create more human-centric authentication solutions, we designed and evaluated the efficacy of a risk-reduction-based incentivization model. We examined the real-life use of MFA and dev...
Article
Full-text available
The on-going COVID-19 pandemic has brought surveillance and privacy concerns to the forefront, given that contact tracing has been seen as a very effective tool to prevent the spread of infectious disease and that public authorities and government officials hope to use it to contain the spread of COVID-19. On the other hand, the rejection of contac...
Preprint
Full-text available
Computer security and user privacy are critical issues and concerns in the digital era due to both increasing users and threats to their data. Separate issues arise between generic cybersecurity guidance (i.e., protect all user data from malicious threats) and the individualistic approach of privacy (i.e., specific to users and dependent on user ne...
Article
Full-text available
Despite the robust structure of the Internet, it is still susceptible to disruptive routing updates that prevent network traffic from reaching its destination. Our research shows that BGP announcements that are associated with disruptive updates tend to occur in groups of relatively high frequency, followed by periods of infrequent activity. We hyp...
Conference Paper
Older adults access critical resources online, including bank, retirement, and health insurance accounts. Thus, it is necessary to protect their accounts so they can confidently use these services that are increasingly being moved online. Two-factor authentication (2FA) protects online assets through efficient and robust authentication, but adoptio...
Conference Paper
Exposure of passwords for authentication and access management is a ubiquitous and constant threat. Yet, reliable solutions, including multi-factor authentication (MFA), face issues with widespread adoption. Prior research shows that making MFA mandatory helps with tool adoption but is detrimental to users' mental models and leads to security-avoid...
Article
Computer security and user privacy are critical issues and concerns in the digital era due to both increasing users and threats to their data. Separate issues arise between generic cybersecurity guidance (i.e., protect all user data from malicious threats) and the individualistic approach of privacy (i.e., specific to users and dependent on user ne...
Article
Full-text available
Android and iOS mobile operating systems use permissions to enable phone owners to manage access to their device's resources. Both systems provide resource access dialogues at first use and per-resource controls. Android continues to offer permission manifests in the Android PlayStore for older apps but is transitioning away from this. Neither mani...
Article
Full-text available
Computer security and user privacy are critical issues and concerns in the digital era due to both increasing users and threats to their data. Separate issues arise between generic cybersecurity guidance (i.e., protect all user data from malicious threats) and the individualistic approach of privacy (i.e., specific to users and dependent on user ne...
Conference Paper
Full-text available
The severity of COVID-19 and the need for contact tracing has resulted in new urgency for investigating two mutually exclusive narratives about the importance of privacy. The assertion by some technology advocates that privacy is no longer an issue in the face of a pandemic has been repeatedly reported; while others advocated for its centrality. Th...
Chapter
In the age of ubiquitous technologies, security- and privacy-focused choices have turned out to be a significant concern for individuals and organizations. Risks of such pervasive technologies are extensive and often misaligned with user risk perception, thus failing to help users in taking privacy-aware decisions. Researchers usually try to find s...
Chapter
Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on...
Conference Paper
Full-text available
The purpose of this study is to understand the privacy concerns and behavior of non-WEIRD populations in online messaging platforms. Analysis of surveys (n = 674) of WhatsApp users in Saudi Arabia and India revealed that Saudis had significantly higher concerns about being contacted by strangers. In contrast, Indians showed significantly higher co...
Chapter
Solutions to phishing have included training users, stand-alone warnings, and automatic blocking. We integrated personalized blocking, filtering, and alerts into a single holistic risk-management tool, which leverages simple metaphorical cartoons that function both as risk communication and controls for browser settings. We tested the tool in two e...
Poster
Conversational agents have transcended into multiple industries with increased ability for user engagement in intelligent conversation. Conversations with chatbots are different from interpersonal communication in terms of turn-taking, intentions, and behavior. We study de-identified chat logs across 30 conversations with a well-recognized chatbot...
Conference Paper
Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on...
Preprint
Full-text available
Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on...
Preprint
Full-text available
In the age of ubiquitous technologies, security- and privacy-focused choices have turned out to be a significant concern for individuals and organizations. Risks of such pervasive technologies are extensive and often misaligned with user risk perception, thus failing to help users in taking privacy-aware decisions. Researchers usually try to find s...
Conference Paper
Full-text available
Today, Internet of Things (IoT) devices, web browsers, phones, and even cars may be fingerprinted for tracking, and their connections routed through or to malicious entities. When IoT devices interact with a remote service, the integrity or authentication of that service is not guaranteed. IoT and other edge devices could be subject to man-in-the-m...
Article
Internet of Things (IoT) security depends on the kindness of strangers, including in discovering, disclosing, and mitigating vulnerabilities. Multiple organizations have published best practices for producing secure IoT devices. We analyze two hubs, identify vulnerabilities, and detail how best practices would have prevented the flaws.
Article
The current state of the Internet of Things (IoT) is woefully insecure, and reaching a secure state requires addressing several serious gaps. Based on discussions with practitioners and researchers, we identify key gaps and research challenges that must be overcome to chart a path toward a secure IoT.
Preprint
Full-text available
Vulnerabilities in components of the Public Key Infrastructure (PKI) have resulted in significant risks, as a secure PKI is needed by all the stakeholders on the Internet. Previous analyses of PKI failures have focused on specific cases and components: identifying vulnerabilities, incidents, and responses. In contrast, here we provide a meta-analys...
Article
This report on a radically different approach to the integrated threats on the web: phishing, pharming, cross site scripting, and rogue CAs are all presented using a single control. Individuals choose to take risks or not with the push of a button. With no training or changes, laboratory tests showed highly significant improvements in phishing resi...
Book
This book constitutes the refereed proceedings of two workshops held at the 24th International Conference on Financial Cryptography and Data Security, FC 2020, in Kota Kinabalu, Malaysia, in February 2020. The 39 full papers and 3 short papers presented in this book were carefully reviewed and selected from 73 submissions. The papers feature four W...
Conference Paper
Two-factor authentication (2FA) technologies are designed to increase the security and usability of authentication. Adoption of 2FA hardware devices that generate one-time passwords has proven to be effective as a risk mitigating strategy. Despite 2FA addressing user data security concerns, individuals appear either disinterested or unable to adop...
Article
Full-text available
Two-Factor Authentication (2FA) provides effective protection for online accounts by providing efficient and highly robust access control. Adoption and usability, however, remain challenges for such technologies. Most research on 2FA focuses on students or employees in the tech sector. For example, our research with student populations found that l...
Article
Full-text available
In the age of ubiquitous technologies how can we coherently extend trust to our often inscrutable electronic networked environment? We focus on answering this question in the mobile marketplace, examining how warnings and risk indicators can enable people to choose more secure and privacy-preserving apps. We began the evaluation with participants c...
Conference Paper
Early educational engagement is critical to the long-term development of cybersecurity abilities. Yet many schools have limited funds and expertise for cybersecurity education. Our center has been field testing project based, pedagogically sound, engaging educational experiences with the goal offering activities that can be taken to schools. Here w...
Conference Paper
Full-text available
In this work, we report on a comprehensive analysis of PKI resulting from Certificate Authorities' (CAs) behavior using over 1300 instances. We found several cases where CAs designed business models that favored the issuance of digital certificates over the guidelines of the CA Forum, root management programs, and other PKI requirements. Examining...
Conference Paper
The Public Key Infrastructure (PKI) is the foundation which enables secure and trusted transactions across the Internet. PKI is subject to both continuous attacks and regular improvements; for example, advances in cryptography have led to rejections of previously trusted algorithms (i.e., SHA1, MD5). Yet there have also been organizational failures...
Preprint
Full-text available
Traditional single-factor authentication possesses several critical security vulnerabilities due to its single-point failure feature. Multi-factor authentication (MFA) intends to enhance security by providing additional verification steps. However, in practical deployment, users often experience dissatisfaction while using MFA, which leads to non-adop...
Preprint
Full-text available
Security vulnerabilities of traditional single factor authentication have become a major concern for security practitioners and researchers. To mitigate single point failures, new and technologically advanced Multi-Factor Authentication (MFA) tools have been developed as security solutions. However, the usability and adoption of such tools have rais...
Conference Paper
Full-text available
Two-factor authentication (2FA) provides protection for on-line accounts through efficient and highly robust access control. Adoption and usability, however, remain challenging for such security tools and technologies. Most current research on 2FA focuses on convenience samples of experts in the technology sector while neglecting non-experts. As ol...
Conference Paper
Traditional single-factor authentication possesses several critical security vulnerabilities due to its single-point failure feature. Multi-factor authentication (MFA) intends to enhance security by providing additional verification steps. However, in practical deployment, users often experience dissatisfaction while using MFA, which leads to non-adop...
Conference Paper
Security vulnerabilities of traditional single factor authentication have become a major concern for security practitioners and researchers. To mitigate single point failures, new and technologically advanced Multi-Factor Authentication (MFA) tools have been developed as security solutions. However, the usability and adoption of such tools have rais...
Article
Full-text available
Manufacturer Usage Description (MUD) is a proposed IETF standard enabling local area networks (LAN) to automatically configure their access control when adding a new IoT device based on the recommendations provided for that device by the manufacturer. MUD has been proposed as an isolation-based defensive mechanism with a focus on devices in the hom...
Preprint
Full-text available
Despite the robust structure of the Internet, it is still susceptible to disruptive routing updates that prevent network traffic from reaching its destination. In this work, we propose a method for early detection of large-scale disruptions based on the analysis of bursty BGP announcements. We hypothesize that the occurrence of large-scale disrupti...
Conference Paper
Full-text available
Computer security is a complex global phenomenon where different populations interact, and the infection of one person creates risk for another. Given the dynamics and scope of cyber campaigns, studies of local resilience without reference to global populations are inadequate. In this paper, we describe a set of minimal requirements for implementin...
Article
Full-text available
In this work, we report on a comprehensive analysis of PKI resulting from Certificate Authorities’ (CAs) behavior using over 1300 instances. We found several cases where CAs designed business models that favored the issuance of digital certificates over the guidelines of the CA Forum, root management programs, and other PKI requirements. Examining...
Chapter
Full-text available
Why do individuals choose to use (or not use) Two Factor Authentication (2FA)? We sought to answer this by implementing a two-phase study of the Yubico Security Key. We analyzed acceptability and usability of the Yubico Security Key, a 2FA hardware token implementing Fast Identity Online (FIDO). This token has notable usability attributes: tactile...
Conference Paper
Individual concerns about account takeover and subversion are well-documented. Surveys indicate that concerns for the privacy and security of online accounts are widely shared. Adopting Two-Factor Authentication (2FA) is an action that individuals can take to secure their own accounts, including many popular consumer-facing services. Given that, wh...
Conference Paper
Full-text available
Passwords are the primary, most widely used single sign-on and multiple point authentication scheme adapted across the globe. Yet password policies vary greatly and there is little empirical research on how these policies impinge reuse. For our research, we studied the password policies of twenty-two universities and analyzed 1.3 billion email addr...
Conference Paper
Full-text available
WhatsApp messaging platform incorporates information that poses privacy challenges, including Last Seen, Live Location, and personal profile information. The largest population of mobile messaging applications users in India use WhatsApp. Yet research on Indian perspectives towards privacy and security in such networking platforms is sparse. We que...
Conference Paper
WhatsApp, a leading platform for mobile messaging, with the largest user base being in India, incorporates features like Last Seen, Live Location, and sharing defaults which pose privacy challenges. Our study evaluates the risk perception of WhatsApp users in India, by analyzing their perceptions on several features. We implemented a survey, queryi...
Article
Full-text available
The increasing threat of insider attacks has resulted in a correlated increase in incentives to monitor trusted insiders. Measures of volumes of access, detailed background checks, and statistical characterizations of employee behaviors are all commonly used to mitigate the insider threat. These traditional approaches usually rely on supervised lea...
Poster
Full-text available
Individuals in the mobile ecosystem can putatively protect their privacy with the use of permissions. This requires that mobile device owners understand permissions and their privacy implications. Research has found that neither users nor app developers have a well-grounded understanding of the interactions between permissions and privacy. We exami...
Poster
Full-text available
Phishing is one of the oldest and most common types of cyber attacks. It has increased many fold since 2016. However, millions of users still fall prey to such attacks often by clicking on malicious websites. Our aim is to derive simple and user f...
Article
Full-text available
Individual concerns about account takeover and subversion are well-documented. Surveys indicate that concerns for the privacy and security of online accounts are widely shared. Adopting Two-Factor Authentication (2FA) is an action that individuals can take to secure their own accounts, including many popular consumer-facing services. Given that, wh...