[ Publications of year 2023 ]

Articles in journals or book chapters (1)
  1. Anne C. Tally, Jacob Abbott, Ashley Bochner, Sanchari Das, and Christena Nippert-Eng. What Mid-Career Professionals Think, Know, and Feel About Phishing: Opportunities for University IT Departments to Better Empower Employees in Their Anti-Phishing Decisions. Proc. ACM Hum.-Comput. Interact., 7(CSCW1), April 2023.
    Keywords: anti-phishing training, work context, organizations, user studies, IT departments, workplace, phishing, human factors, anti-phishing policy, security, organizational security.
    @Article{ tally2023midcareer,
    author = {Tally, Anne C. and Abbott, Jacob and Bochner, Ashley and Das, Sanchari and Nippert-Eng, Christena},
    title = {What Mid-Career Professionals Think, Know, and Feel About Phishing: Opportunities for University IT Departments to Better Empower Employees in Their Anti-Phishing Decisions},
    year = {2023},
    issue_date = {April 2023},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    volume = {7},
    number = {CSCW1},
    url = {https://doi.org/10.1145/3579547},
    doi = {10.1145/3579547},
    abstract = {Phishing attacks, in which deceptive messages purporting to be from a legitimate contact are used to trick recipients and acquire sensitive information for the purposes of committing fraud, are a substantial and growing problem for organizations. IT departments and professionals may put in place a variety of institutional responses to thwart such attacks, but an organization's susceptibility to phishing also depends on the decisions and actions of individual employees. These employees may have little phishing expertise but still need to react to such attempts on a daily basis. Based on 24 semi-structured interviews with mid-career office workers (70.8\% women, averaging 44 years old, with a bachelor's degree or more) at two universities in the midwestern United States, we find that employees self-describe a wide range of levels of awareness of, and confidence, competency and investment in, the organization's proscribed anti-phishing policies and practices. These employees also describe variation in the ways they would prefer to increase their perceived performance levels in all of these areas. In this paper, we argue that in order to empower employees to be better collaborators in an organization's anti-phishing efforts, organizations should embrace a range of efforts akin to the range of expertise among the users themselves. We make four such empowering recommendations for organizations to consider incorporating into their existing anti-phishing policies and practices, including suggestions to 1) embrace educating non-expert users more fully on organizational processes and consequences, 2) provide employees with a standing one-to-one communication channel between them and an IT phishing point-of-contact, 3) keep employees in the loop once phishing reports are made, and 4) avoid testing employees with "gotcha" assessments.},
    journal = {Proc. ACM Hum.-Comput. Interact.},
    month = {apr},
    articleno = {113},
    numpages = {27},
    keywords = {anti-phishing training, work context, organizations, user studies, IT departments, workplace, phishing, human factors, anti-phishing policy, security, organizational security} }

Conference publications (5)
  1. Dalyapraz Manatova, L. Jean Camp, Julia R. Fox, Sandra Kuebler, Maria A. Shardakova, and Inna Kouper. An Argument for Linguistic Expertise in Cyberthreat Analysis: LOLSec in Russian Language eCrime Landscape. In , pages 170--176, July 2023. IEEE Computer Society.
    Note: ISSN: 2768-0657.
    Abstract: In this position paper, we argue for a holistic perspective on threat analysis and other studies of state-sponsored or state-aligned eCrime groups. Specifically, we argue that understanding eCrime requires approaching it as a sociotechnical system and that studying such a system requires combining linguistic, regional, professional, and technical expertise. To illustrate it, we focus on the discourse of the Conti ransomware group in the context of the Russian invasion of Ukraine. We discuss the background of this group and their actions and argue that the technical approach alone can lose the important aspects specific to the cultural and linguistic context, such as language, slang and humor. We provide examples of how the discourse and threats from such groups can be easily misunderstood without appropriate linguistic and domain expertise.

    @InProceedings{ manatova_argument_2023,
    title = {An {Argument} for {Linguistic} {Expertise} in {Cyberthreat} {Analysis}: {LOLSec} in {Russian} {Language} {eCrime} {Landscape}},
    copyright = {All rights reserved},
    isbn = {9798350327205},
    shorttitle = {An {Argument} for {Linguistic} {Expertise} in {Cyberthreat} {Analysis}},
    url = {https://www.computer.org/csdl/proceedings-article/eurospw/2023/272000a170/1OFtfig8SyI},
    doi = {10.1109/EuroSPW59978.2023.00024},
    abstract = {In this position paper, we argue for a holistic perspective on threat analysis and other studies of state-sponsored or state-aligned eCrime groups. Specifically, we argue that understanding eCrime requires approaching it as a sociotechnical system and that studying such a system requires combining linguistic, regional, professional, and technical expertise. To illustrate it, we focus on the discourse of the Conti ransomware group in the context of the Russian invasion of Ukraine. We discuss the background of this group and their actions and argue that the technical approach alone can lose the important aspects specific to the cultural and linguistic context, such as language, slang and humor. We provide examples of how the discourse and threats from such groups can be easily misunderstood without appropriate linguistic and domain expertise.},
    language = {English},
    urldate = {2023-07-31},
    publisher = {IEEE Computer Society},
    author = {Manatova, Dalyapraz and Camp, L. Jean and Fox, Julia R. and Kuebler, Sandra and Shardakova, Maria A. and Kouper, Inna},
    month = jul,
    year = {2023},
    note = {ISSN: 2768-0657},
    pages = {170--176} }

  2. Jacob Abbott, Jayati Dev, DongInn Kim, Shakthidhar Reddy Gopavaram, Meera Iyer, Shivani Sadam, Shirang Mare, Tatiana Ringenberg, Vafa Andalibi, and L. Jean Camp. Kids, Cats, and Control: Designing Privacy and Security Dashboards for IoT Home Devices. In Proceedings of the Symposium on Usable Security and Privacy (USEC) 2023, USEC '23, San Diego, CA, USA, 2023.
    Keywords: Security, user interviews, smart home, IoT.
    @InProceedings{ abbott2023kids,
    title = {Kids, Cats, and Control: Designing Privacy and Security Dashboards for IoT Home Devices},
    author = {Abbott, Jacob and Dev, Jayati and Kim, DongInn and Gopavaram, Shakthidhar Reddy and Iyer, Meera and Sadam, Shivani and Mare, Shirang and Ringenberg, Tatiana and Andalibi, Vafa and Camp, L. Jean},
    year = {2023},
    isbn = {1-891562-91-6},
    url = {https://dx.doi.org/10.14722/usec.2023.236290},
    doi = {10.14722/usec.2023.236290},
    address = {San Diego, CA, USA},
    location = {San Diego, CA, USA},
    abstract = {In the last decade integration of Internet of Things (IoT) ecosystems has increased exponentially, and it is necessary that our understanding of human behavior when interacting with multiple smart devices in an IoT ecosystem keep pace. To better understand users’ perceptions and use of in-home IoT ecosystem over time, we implemented an ecosystem in homes of participants so that we could both test previous findings about individual devices and identify differences that arise in the content of a home with multiple IoT devices. Specifically, we recruited eight participants from separate households who installed identical IoT configurations, and interviewed each participant for five weeks. We included an Android dashboard to provide device control and data transparency. We detail the semi-structured interviews to compare user perceptions of what devices are classified as IoT, the perceived sustainability of IoT devices, interactions with and desires of dashboard information, and exploration of current notification preferences and mitigation strategies. We discuss the factors which participants identified as being relevant to their personal experiences with IoT devices and contribute recommendations for dashboard designs and control mechanisms for IoT devices. We note that the participants uniformly had a more expansive definition of IoT than that found in much of the previous literature, implying that our understanding of perceptions of in-home IoT may be informed by previous research on security systems, wearables, watches, and phones. We identify where our results reify findings of studies of those devices.},
    booktitle = {Proceedings of the Symposium on Usable Security and Privacy (USEC) 2023},
    keywords = {Security, user interviews, smart home, IoT},
    series = {USEC '23} }

  3. Anesu Chaora, Nathan Ensmenger, and L Jean Camp. Discourse, Challenges, and Prospects Around the Adoption and Dissemination of Software Bills of Materials (SBOMs). In 2023 IEEE International Symposium on Technology and Society (ISTAS), pages 1-4, 2023.
    @InProceedings{ 10305922,
    author = {Chaora, Anesu and Ensmenger, Nathan and Camp, L Jean},
    booktitle = {2023 IEEE International Symposium on Technology and Society (ISTAS)},
    title = {Discourse, Challenges, and Prospects Around the Adoption and Dissemination of Software Bills of Materials (SBOMs)},
    year = {2023},
    volume = {},
    number = {},
    pages = {1-4},
    doi = {10.1109/ISTAS57930.2023.10305922} }

  4. Dalyapraz Manatova, L Jean Camp, Julia R Fox, Sandra Kuebler, Maria A Shardakova, and Inna Kouper. An Argument for Linguistic Expertise in Cyberthreat Analysis: LOLSec in Russian Language eCrime Landscape. In 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pages 170--176, 2023. IEEE Computer Society.
    Keywords: ecrime, global resilience.
    @InProceedings{ manatova2023argument,
    title = {An Argument for Linguistic Expertise in Cyberthreat Analysis: LOLSec in Russian Language eCrime Landscape},
    author = {Manatova, Dalyapraz and Camp, L Jean and Fox, Julia R and Kuebler, Sandra and Shardakova, Maria A and Kouper, Inna},
    booktitle = {2023 IEEE European Symposium on Security and Privacy Workshops (EuroS\&PW)},
    pages = {170--176},
    year = {2023},
    organization = {IEEE Computer Society},
    keywords = {ecrime, global resilience} }

  5. Anne Clara Tally, Jacob Abbott, Ashley M Bochner, Sanchari Das, and Christena Nippert-Eng. Tips, Tricks, and Training: Supporting Anti-Phishing Awareness among Mid-Career Office Workers Based on Employees’ Current Practices. In Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, CHI '23, New York, NY, USA, 2023. Association for Computing Machinery.
    Keywords: phishing education, cybersecurity, informal learning, guerrilla learning, phishing, workplace, anti-phishing training, organizations, IT departments, security, work context, organizational security, qualitative user studies, human factors.
    @InProceedings{ tally2023tips,
    author = {Tally, Anne Clara and Abbott, Jacob and Bochner, Ashley M and Das, Sanchari and Nippert-Eng, Christena},
    title = {Tips, Tricks, and Training: Supporting Anti-Phishing Awareness among Mid-Career Office Workers Based on Employees’ Current Practices},
    year = {2023},
    isbn = {9781450394215},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3544548.3580650},
    doi = {10.1145/3544548.3580650},
    abstract = {Preventing workplace phishing depends on the actions of every employee, regardless of cybersecurity expertise. Based on 24 semi-structured interviews with mid-career office workers (70.8\% women, averaging 44 years old) at two U.S. universities, we found that less than 21\% of our participants had any formal anti-phishing training. Much of what our participants know about phishing comes from informal sources that emphasize “tips” and "tricks" like those found in conversations with friends, news stories, newsletters, social media, and podcasts. These informal channels provide opportunities for IT professionals wishing to enhance employees’ anti-phishing awareness by better aligning the delivery of expert advice with employees’ current practices and desires. We provide four recommendations designed to embrace "guerrilla learning" by distributing anti-phishing educational resources across the workplace and workday in part to encourage the delivery of more accurate information in more informal and incidental ways, and greater dialogue between anti-phishing training instructors and learners.},
    booktitle = {Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems},
    articleno = {621},
    numpages = {13},
    keywords = {phishing education, cybersecurity, informal learning, guerrilla learning, phishing, workplace, anti-phishing training, organizations, IT departments, security, work context, organizational security, qualitative user studies, human factors},
    location = {Hamburg, Germany},
    series = {CHI '23} }






Disclaimer:

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.




Last modified: Mon Aug 19 14:38:55 2024
Author: teamhats.


This document was translated from BibTEX by bibtex2html and is customized by IU IoT House