Kirstie Hawkey

Bio: Kirstie Hawkey is an academic researcher from Dalhousie University. The author has contributed to research in topics: Privacy software & Information privacy. The author has an hindex of 26, co-authored 85 publications receiving 1850 citations. Previous affiliations of Kirstie Hawkey include University of British Columbia.

An integrated view of human, organizational, and technological challenges of IT security management

Abstract: Purpose – The purpose of this study is to determine the main challenges that IT security practitioners face in their organizations, including the interplay among human, organizational, and technological factors.Design/methodology/approach – The data set consisted of 36 semi‐structured interviews with IT security practitioners from 17 organizations (academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to identify the challenges that security practitioners face.Findings – A total of 18 challenges that can affect IT security management within organizations are indentified and described. This analysis is grounded in related work to build an integrated framework of security challenges. The framework illustrates the interplay among human, organizational, and technological factors.Practical implications – The framework can help organizations identify potential challenges when implementing security standards, and...

Preparation, detection, and analysis: the diagnostic work of IT security incident response

Abstract: Purpose – The purpose of this paper is to examine security incident response practices of information technology (IT) security practitioners as a diagnostic work process, including the preparation phase, detection, and analysis of anomalies.Design/methodology/approach – The data set consisted of 16 semi‐structured interviews with IT security practitioners from seven organizational types (e.g. academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to analyze diagnostic work during security incident response.Findings – The analysis shows that security incident response is a highly collaborative activity, which may involve practitioners developing their own tools to perform specific tasks. The results also show that diagnosis during incident response is complicated by practitioners' need to rely on tacit knowledge, as well as usability issues with security tools.Research limitations/implications – Owing to the...

What makes users refuse web single sign-on?: an empirical investigation of OpenID

Abstract: OpenID is an open and promising Web single sign-on (SSO) solution. This work investigates the challenges and concerns web users face when using OpenID for authentication, and identifies what changes in the login flow could improve the users' experience and adoption incentives. We found our participants had several behaviors, concerns, and misconceptions that hinder the OpenID adoption process: (1) their existing password management strategies reduce the perceived usefulness of SSO; (2) many (26%) expressed concerns with single-point-of-failure related issues; (3) most (71%) held the incorrect belief that the OpenID credentials are being given to the content providers; (4) half exhibited an inability to distinguish a fake Google login form, even when prompted; (5) many (40%) were hesitant to consent to the release of their personal profile information; and (6) many (36%) expressed concern with the use of SSO on websites that contain valuable personal information or, conversely, are not trustworthy. We also found that with an improved affordance and privacy control, more than 60% of study participants would use Web SSO solutions on the websites they trust.

On the challenges in usable security lab studies: lessons learned from replicating a study on SSL warnings

Abstract: We replicated and extended a 2008 study conducted at CMU that investigated the effectiveness of SSL warnings. We adjusted the experimental design to mitigate some of the limitations of that prior study; adjustments include allowing participants to use their web browser of choice and recruiting a more representative user sample. However, during our study we observed a strong disparity between our participants actions during the laboratory tasks and their self-reported "would be" actions during similar tasks in everyday computer practices. Our participants attributed this disparity to the laboratory environment and the security it offered. In this paper we discuss our results and how the introduced changes to the initial study design may have affected them. Also, we discuss the challenges of observing natural behavior in a study environment, as well as the challenges of replicating previous studies given the rapid changes in web technology. We also propose alternatives to traditional laboratory study methodologies that can be considered by the usable security research community when investigating research questions involving sensitive data where trust may influence behavior.

Do windows users follow the principle of least privilege?: investigating user account control practices

Abstract: The principle of least privilege requires that users and their programs be granted the most restrictive set of privileges possible to perform required tasks in order to limit the damages caused by security incidents. Low-privileged user accounts (LUA) and user account control (UAC) in Windows Vista and Windows 7 are two practical implementations of this principle. To be successful, however, users must apply due diligence, use appropriate accounts, and respond correctly to UAC prompts. With a user study and contextual interviews, we investigated the motives, understanding, behaviour, and challenges users face when working with user accounts and the UAC. Our results show that 69% of participants did not apply the UAC approach correctly. All 45 participants used an administrator user account, and 91% were not aware of the benefits of low-privilege user accounts or the risks of high-privilege ones. Their knowledge and experience were limited to the restricted rights of low-privilege accounts. Based on our findings, we offer recommendations to improve the UAC and LUA approaches.

Privacy in the digital age: a review of information privacy research in information systems

Abstract: Information privacy refers to the desire of individuals to control or have some influence over data about themselves. Advances in information technology have raised concerns about information privacy and its impacts, and have motivated Information Systems researchers to explore information privacy issues, including technical solutions to address these concerns. In this paper, we inform researchers about the current state of information privacy research in IS through a critical analysis of the IS literature that considers information privacy as a key construct. The review of the literature reveals that information privacy is a multilevel concept, but rarely studied as such. We also find that information privacy research has been heavily reliant on studentbased and USA-centric samples, which results in findings of limited generalizability. Information privacy research focuses on explaining and predicting theoretical contributions, with few studies in journal articles focusing on design and action contributions. We recommend that future research should consider different levels of analysis as well as multilevel effects of information privacy. We illustrate this with a multilevel framework for information privacy concerns. We call for research on information privacy to use a broader diversity of sampling populations, and for more design and action information privacy research to be published in journal articles that can result in IT artifacts for protection or control of information privacy.

Android permissions: user attention, comprehension, and behavior

Abstract: Android's permission system is intended to inform users about the risks of installing applications. When a user installs an application, he or she has the opportunity to review the application's permission requests and cancel the installation if the permissions are excessive or objectionable. We examine whether the Android permission system is effective at warning users. In particular, we evaluate whether Android users pay attention to, understand, and act on permission information during installation. We performed two usability studies: an Internet survey of 308 Android users, and a laboratory study wherein we interviewed and observed 25 Android users. Study participants displayed low attention and comprehension rates: both the Internet survey and laboratory study found that 17% of participants paid attention to permissions during installation, and only 3% of Internet survey respondents could correctly answer all three permission comprehension questions. This indicates that current Android permission warnings do not help most users make correct security decisions. However, a notable minority of users demonstrated both awareness of permission warnings and reasonable rates of comprehension. We present recommendations for improving user attention and comprehension, as well as identify open challenges.

E-commerce product recommendation agents: use, characteristics, and impact

Abstract: Recommendation agents (RAs) are software agents that elicit the interests or preferences of individual consumers for products, either explicitly or implicitly, and make recommendations accordingly RAs have the potential to support and improve the quality of the decisions consumers make when searching for and selecting products online They can reduce the information overload facing consumers, as well as the complexity of online searches Prior research on RAs has focused mostly on developing and evaluating different underlying algorithms that generate recommendations This paper instead identifies other important aspects of RAs, namely RA use, RA characteristics, provider credi'r, and user-RA interaction, which influence users' decision-making processes and outcomes, as well as their evaluation of RAs It goes beyond generalized models, such as TAM, and identifies the RA-specific features, such as RA input, process, and output design characteristics, that affect users' evaluations, including their assessments of the usefulness and ease-of-use of RA applications Based on a review of existing literature on e-commerce RAs, this paper develops a conceptual model with 28 propositions derived from five theoretical perspectives The propositions help answer the two research questions: (1) How do RA use, RA characteristics, and other factors influence consumer decision making processes and outcomes? (2) How do RA use, RA characteristics, and other factors influence users' evaluations of RAs? By identifying the critical gaps between what we know and what we need to know, this paper identifies potential areas of future research for scholars It also provides advice to information systems practitioners concerning the effective design and development of RAs

The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes

Abstract: We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.