Publication statistics

Pub. period: 1997-2012
Pub. count: 44
Number of co-authors: 75

Co-authors

Number of publications with 3 favourite co-authors:

Patrick Gage Kelley: 10
Lujo Bauer: 9
Richard Shay: 6

Productive colleagues

Lorrie Faith Cranor's 3 most productive colleagues in number of publications:

Robert J. Kauffman: 64
John Zimmerman: 51
Jason I. Hong: 36

Lorrie Faith Cranor

Personal Homepage:
http://lorrie.cranor.org/

Publications by Lorrie Faith Cranor (bibliography)

2012

Ur, Blase, Leon, Pedro Giovanni, Cranor, Lorrie Faith, Shay, Richard and Wang, Yang (2012): Smart, useful, scary, creepy: perceptions of online behavioral advertising. In: Proceedings of the 2012 Symposium on Usable Privacy and Security 2012. p. 4.

We report results of 48 semi-structured interviews about online behavioral advertising (OBA). We investigated non-technical users' attitudes about and understanding of OBA, using participants' expectations and beliefs to explain their attitudes. Participants found OBA to be simultaneously useful and privacy invasive. They were surprised to learn that browsing history is currently used to tailor advertisements, yet they were aware of contextual targeting. Our results identify mismatches between participants' mental models and current approaches for providing users with notice and choice about OBA. Participants misinterpreted icons intended to notify them about behavioral targeting and expected that they could turn to their browser or antivirus software to control OBA. Participants had strong concerns about data collection, and the majority of participants believed that advertisers collect personally identifiable information. They also misunderstood the role of advertising networks, basing their opinions of an advertising network on that company's non-advertising activities. Participants' attitudes towards OBA were complex and context-dependent. While many participants felt tailored advertising could benefit them, existing notice and choice mechanisms are not effectively reaching users.

© All rights reserved Ur et al. and/or their publisher

Shay, Richard, Kelley, Patrick Gage, Komanduri, Saranga, Mazurek, Michelle L., Ur, Blase, Vidas, Timothy, Bauer, Lujo, Christin, Nicolas and Cranor, Lorrie Faith (2012): Correct horse battery staple: exploring the usability of system-assigned passphrases. In: Proceedings of the 2012 Symposium on Usable Privacy and Security 2012. p. 7.

Users tend to create passwords that are easy to guess, while system-assigned passwords tend to be hard to remember. Passphrases, space-delimited sets of natural language words, have been suggested as both secure and usable for decades. In a 1,476-participant online study, we explored the usability of 3- and 4-word system-assigned passphrases in comparison to system-assigned passwords composed of 5 to 6 random characters, and 8-character system-assigned pronounceable passwords. Contrary to expectations, system-assigned passphrases performed similarly to system-assigned passwords of similar entropy across the usability metrics we examined. Passphrases and passwords were forgotten at similar rates, led to similar levels of user difficulty and annoyance, and were both written down by a majority of participants. However, passphrases took significantly longer for participants to enter, and appear to require error-correction to counteract entry mistakes. Passphrase usability did not seem to increase when we shrunk the dictionary from which words were chosen, reduced the number of words in a passphrase, or allowed users to change the order of words.

© All rights reserved Shay et al. and/or their publisher

2011

Mazurek, Michelle L., Klemperer, Peter F., Shay, Richard, Takabi, Hassan, Bauer, Lujo and Cranor, Lorrie Faith (2011): Exploring reactive access control. In: Proceedings of ACM CHI 2011 Conference on Human Factors in Computing Systems 2011. pp. 2085-2094.

As users store and share more digital content at home, access control becomes increasingly important. One promising approach for helping non-expert users create accurate access policies is reactive policy creation, in which users can update their policy dynamically in response to access requests that would not otherwise succeed. An earlier study suggested reactive policy creation might be a good fit for file access control at home. To test this, we conducted an experience-sampling study in which participants used a simulated reactive access-control system for a week. Our results bolster the case for reactive policy creation as one mode by which home users specify access-control policy. We found both quantitative and qualitative evidence of dynamic, situational policies that are hard to implement using traditional models but that reactive policy creation can facilitate. While we found some clear disadvantages to the reactive model, they do not seem insurmountable.

© All rights reserved Mazurek et al. and/or their publisher

Kelley, Patrick Gage, Benisch, Michael, Cranor, Lorrie Faith and Sadeh, Norman (2011): When are users comfortable sharing locations with advertisers?. In: Proceedings of ACM CHI 2011 Conference on Human Factors in Computing Systems 2011. pp. 2449-2452.

As smartphones and other mobile computing devices have increased in ubiquity, advertisers have begun to realize a more effective way of targeting users and a promising area for revenue growth: location-based advertising. This trend brings to bear new questions about whether or not users will adopt products involving this potentially invasive form of advertising and what sorts of protections they should be given. Our real-world user study of 27 participants echoes earlier findings that users have significant privacy concerns regarding sharing their locations with advertisers. However, we examine these concerns in more detail and find that they are complex (e.g., relating not only to the quantity of ads, but the locations and times at which they are received). With advanced privacy settings, users stated they would feel more comfortable and share more information than with a simple opt-in/opt-out mechanism.

© All rights reserved Kelley et al. and/or their publisher

Komanduri, Saranga, Shay, Richard, Kelley, Patrick Gage, Mazurek, Michelle L., Bauer, Lujo, Christin, Nicolas, Cranor, Lorrie Faith and Egelman, Serge (2011): Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of ACM CHI 2011 Conference on Human Factors in Computing Systems 2011. pp. 2595-2604.

Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring passwords to contain symbols and numbers). Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies. We characterize the predictability of passwords by calculating their entropy, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.

© All rights reserved Komanduri et al. and/or their publisher

Wang, Yang, Norcie, Gregory, Komanduri, Saranga, Acquisti, Alessandro, Leon, Pedro Giovanni and Cranor, Lorrie Faith (2011): "I regretted the minute I pressed share": a qualitative study of regrets on Facebook. In: Proceedings of the 2011 Symposium on Usable Privacy and Security 2011. p. 10.

We investigate regrets associated with users' posts on a popular social networking site. Our findings are based on a series of interviews, user diaries, and online surveys involving 569 American Facebook users. Their regrets revolved around sensitive topics, content with strong sentiment, lies, and secrets. Our research reveals several possible causes of why users make posts that they later regret: (1) they want to be perceived in favorable ways, (2) they do not think about their reason for posting or the consequences of their posts, (3) they misjudge the culture and norms within their social circles, (4) they are in a "hot" state of high emotion when posting, or under the influence of drugs or alcohol, (5) their postings are seen by an unintended audience, (6) they do not foresee how their posts could be perceived by people within their intended audience, and (7) they misunderstand or misuse the Facebook platform. Some reported incidents had serious repercussions, such as breaking up relationships or job losses. We discuss methodological considerations in studying negative experiences associated with social networking posts, as well as ways of helping users of social networking sites avoid such regrets.

© All rights reserved Wang et al. and/or ACM Press

Wiese, Jason, Kelley, Patrick Gage, Cranor, Lorrie Faith, Dabbish, Laura, Hong, Jason I. and Zimmerman, John (2011): Are you close with me? are you nearby?: investigating social groups, closeness, and willingness to share. In: Proceedings of the 2011 International Conference on Ubiquitous Computing 2011. pp. 197-206.

As ubiquitous computing becomes increasingly mobile and social, personal information sharing will likely increase in frequency, the variety of friends to share with, and range of information that can be shared. Past work has identified that whom you share with is important for choosing whether or not to share, but little work has explored which features of interpersonal relationships influence sharing. We present the results of a study of 42 participants, who self-report aspects of their relationships with 70 of their friends, including frequency of collocation and communication, closeness, and social group. Participants rated their willingness to share in 21 different scenarios based on information a UbiComp system could provide. Our findings show that (a) self-reported closeness is the strongest indicator of willingness to share, (b) individuals are more likely to share in scenarios with common information (e.g. we are within one mile of each other) than other kinds of scenarios (e.g. my location wherever I am), and (c) frequency of communication predicts both closeness and willingness to share better than frequency of collocation.

© All rights reserved Wiese et al. and/or ACM Press

2010

Shay, Richard, Komanduri, Saranga, Kelley, Patrick Gage, Leon, Pedro Giovanni, Mazurek, Michelle L., Bauer, Lujo, Christin, Nicolas and Cranor, Lorrie Faith (2010): Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the 2010 Symposium on Usable Privacy and Security 2010. p. 2.

Text-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy that required users to change their passwords. Through our survey of 470 CMU computer users, we collected data about behaviors and practices related to the use and creation of passwords. We also captured users' opinions about the new, stronger policy requirements. Our analysis shows that, although most of the users were annoyed by the need to create a complex password, they believe that they are now more secure. Furthermore, we perform an entropy analysis and discuss how our findings relate to NIST recommendations for creating a password policy. We also examine how users answer specific questions related to their passwords. Our results can be helpful in designing better password policies that consider not only technical aspects of specific policy rules, but also users' behavior in response to those rules.

© All rights reserved Shay et al. and/or their publisher

Sheng, Steve, Holbrook, Mandy, Kumaraguru, Ponnurangam, Cranor, Lorrie Faith and Downs, Julie (2010): Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions. In: Proceedings of ACM CHI 2010 Conference on Human Factors in Computing Systems 2010. pp. 373-382.

In this paper we present the results of a role-play survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing webpages by 40%; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.

© All rights reserved Sheng et al. and/or their publisher

Mazurek, Michelle L., Arsenault, J. P., Bresee, Joanna, Gupta, Nitin, Ion, Iulia, Johns, Christina, Lee, Daniel, Liang, Yuan, Olsen, Jenny, Salmon, Brandon, Shay, Richard, Vaniea, Kami, Bauer, Lujo, Cranor, Lorrie Faith, Ganger, Gregory R. and Reiter, Michael K. (2010): Access control for home data sharing: evaluating social acceptability. In: Proceedings of ACM CHI 2010 Conference on Human Factors in Computing Systems 2010. pp. 645-654.

As digital content becomes more prevalent in the home, non-technical users are increasingly interested in sharing that content with others and accessing it from multiple devices. Not much is known about how these users think about controlling access to this data. To better understand this, we conducted semi-structured, in-situ interviews with 33 users in 15 households. We found that users create ad-hoc access-control mechanisms that do not always work; that their ideal policies are complex and multi-dimensional; that a priori policy specification is often insufficient; and that people's mental models of access control and security are often misaligned with current systems. We detail these findings and present a set of associated guidelines for designing usable access-control systems for the home environment.

© All rights reserved Mazurek et al. and/or their publisher

Kelley, Patrick Gage, Cesca, Lucian, Bresee, Joanna and Cranor, Lorrie Faith (2010): Standardizing privacy notices: an online study of the nutrition label approach. In: Proceedings of ACM CHI 2010 Conference on Human Factors in Computing Systems 2010. pp. 1573-1582.

Earlier work has shown that consumers cannot effectively find information in privacy policies and that they do not enjoy using them. In our previous research we developed a standardized table format for privacy policies. We compared this standardized format, and two short variants (one tabular, one text) with the current status quo: full text natural-language policies and layered policies. We conducted an online user study of 764 participants to test if these three more-intentionally designed, standardized privacy policy formats, assisted by consumer education, can benefit consumers. Our results show that standardized privacy policy presentations can have significant positive effects on accuracy and speed of information finding and on reader enjoyment of privacy policies.

© All rights reserved Kelley et al. and/or their publisher

Downs, Julie S., Holbrook, Mandy B., Sheng, Steve and Cranor, Lorrie Faith (2010): Are your participants gaming the system?: screening mechanical turk workers. In: Proceedings of ACM CHI 2010 Conference on Human Factors in Computing Systems 2010. pp. 2399-2402.

In this paper we discuss a screening process used in conjunction with a survey administered via Amazon.com's Mechanical Turk. We sought an easily implementable method to disqualify those people who participate but don't take the study tasks seriously. By using two previously pilot tested screening questions, we identified 764 of 1,962 people who did not answer conscientiously. Young men seem to be most likely to fail the qualification task. Those that are professionals, students, and non-workers seem to be more likely to take the task seriously than financial workers, hourly workers, and other workers. Men over 30 and women were more likely to answer seriously.

© All rights reserved Downs et al. and/or their publisher

2009

Egelman, Serge, Tsai, Janice, Cranor, Lorrie Faith and Acquisti, Alessandro (2009): Timing is everything?: the effects of timing and placement of online privacy indicators. In: Proceedings of ACM CHI 2009 Conference on Human Factors in Computing Systems 2009. pp. 319-328.

Many commerce websites post privacy policies to address Internet shoppers' privacy concerns. However, few users read or understand them. Iconic privacy indicators may make privacy policies more accessible and easier for users to understand: in this paper, we examine whether the timing and placement of online privacy indicators impact Internet users' browsing and purchasing decisions. We conducted a laboratory study where we controlled the placement of privacy information, the timing of its appearance, the privacy level of each website, and the price and items being purchased. We found that the timing of privacy information had a significant impact on how much of a premium users were willing to pay for privacy. We also found that timing had less impact when users were willing to examine multiple websites. Finally, we found that users paid more attention to privacy indicators when purchasing privacy-sensitive items than when purchasing items that raised minimal privacy concerns.

© All rights reserved Egelman et al. and/or ACM Press

Bauer, Lujo, Cranor, Lorrie Faith, Reeder, Robert W., Reiter, Michael K. and Vaniea, Kami (2009): Real life challenges in access-control management. In: Proceedings of ACM CHI 2009 Conference on Human Factors in Computing Systems 2009. pp. 899-908.

In this work we ask the question: what are the challenges of managing a physical or file system access-control policy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-control policy for either a file system or a physical space. Based on these interviews we identified three sets of real-world requirements that are either ignored or inadequately addressed by technology: 1) policies are made/implemented by multiple people; 2) policy makers are distinct from policy implementers; and 3) access-control systems don't always have the capability to implement the desired policy. We present our interview results and propose several possible solutions to address the observed issues.

© All rights reserved Bauer et al. and/or ACM Press

Tsai, Janice Y., Kelley, Patrick, Drielsma, Paul, Cranor, Lorrie Faith, Hong, Jason and Sadeh, Norman (2009): Who's viewed you?: the impact of feedback in a mobile location-sharing application. In: Proceedings of ACM CHI 2009 Conference on Human Factors in Computing Systems 2009. pp. 2003-2012.

Feedback is viewed as an essential element of ubiquitous computing systems in the HCI literature for helping people manage their privacy. However, the success of online social networks and existing commercial systems for mobile location sharing which do not incorporate feedback would seem to call the importance of feedback into question. We investigated this issue in the context of a mobile location sharing system. Specifically, we report on the findings of a field deployment of Locyoution, a mobile location sharing system. In our study of 56 users, one group was given feedback in the form of a history of location requests, and a second group was given no feedback at all. Our major contribution has been to show that feedback is an important contributing factor towards improving user comfort levels and allaying privacy concerns. Participants' privacy concerns were reduced after using the mobile location sharing system. Additionally, our study suggests that peer opinion and technical savviness contribute most to whether or not participants thought they would continue to use a mobile location technology.

© All rights reserved Tsai et al. and/or ACM Press

Kelley, Patrick Gage, Bresee, Joanna, Cranor, Lorrie Faith and Reeder, Robert W. (2009): A "nutrition label" for privacy. In: Proceedings of the 2009 Symposium on Usable Privacy and Security 2009. p. 4.

We used an iterative design process to develop a privacy label that presents to consumers the ways organizations collect, use, and share personal information. Many surveys have shown that consumers are concerned about online privacy, yet current mechanisms to present website privacy policies have not been successful. This research addresses the present gap in the communication and understanding of privacy policies, by creating an information design that improves the visual presentation and comprehensibility of privacy policies. Drawing from nutrition, warning, and energy labeling, as well as from the effort towards creating a standardized banking privacy notification, we present our process for constructing and refining a label tuned to privacy. This paper describes our design methodology; findings from two focus groups; and accuracy, timing, and likeability results from a laboratory study with 24 participants. Our study results demonstrate that compared to existing natural language privacy policies, the proposed privacy label allows participants to find information more quickly and accurately, and provides a more enjoyable information seeking experience.

© All rights reserved Kelley et al. and/or ACM Press

Benisch, Michael, Kelley, Patrick Gage, Sadeh, Norman, Sandholm, Tuomas, Tsai, Janice, Cranor, Lorrie Faith and Drielsma, Paul Hankes (2009): The impact of expressiveness on the effectiveness of privacy mechanisms for location-sharing. In: Proceedings of the 2009 Symposium on Usable Privacy and Security 2009. p. 22.

Reeder, Robert W., Kelley, Patrick Gage, McDonald, Aleecia M. and Cranor, Lorrie Faith (2009): A user study of the expandable grid applied to P3P privacy policy visualization. In: Proceedings of the 2009 Symposium on Usable Privacy and Security 2009. p. 42.

McDonald, Aleecia M., Reeder, Robert W., Kelley, Patrick Gage and Cranor, Lorrie Faith (2009): A comparative study of online privacy policies and formats. In: Proceedings of the 2009 Symposium on Usable Privacy and Security 2009. p. 46.

2008

Bauer, Lujo, Cranor, Lorrie Faith, Reeder, Robert W., Reiter, Michael K. and Vaniea, Kami (2008): A user study of policy creation in a flexible access-control system. In: Proceedings of ACM CHI 2008 Conference on Human Factors in Computing Systems April 5-10, 2008. pp. 543-552.

Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little has been done to evaluate these systems in practical situations with real users, and few attempts have been made to discover and analyze the access-control policies that users actually want to implement. We report on a user study in which we derive the ideal access policies desired by a group of users for physical security in an office environment. We compare these ideal policies to the policies the users actually implemented with keys and with a smartphone-based distributed access-control system. We develop a methodology that allows us to show quantitatively that the smartphone system allowed our users to implement their ideal policies more accurately and securely than they could with keys, and we describe where each system fell short.

© All rights reserved Bauer et al. and/or ACM Press

Egelman, Serge, Cranor, Lorrie Faith and Hong, Jason (2008): You've been warned: an empirical study of the effectiveness of web browser phishing warnings. In: Proceedings of ACM CHI 2008 Conference on Human Factors in Computing Systems April 5-10, 2008. pp. 1065-1074.

Many popular web browsers are now including active phishing warnings after previous research has shown that passive warnings are often ignored. In this laboratory study we examine the effectiveness of these warnings and examine if, how, and why they fail users. We simulated a spear phishing attack to expose users to browser warnings. We found that 97% of our sixty participants fell for at least one of the phishing messages that we sent them. However, we also found that when presented with the active warnings, 79% of participants heeded them, which was not the case for the passive warning that we tested -- where only one participant heeded the warnings. Using a model from the warning sciences we analyzed how users perceive warning messages and offer suggestions for creating more effective warning messages within the phishing context.

© All rights reserved Egelman et al. and/or ACM Press

Reeder, Robert W., Bauer, Lujo, Cranor, Lorrie Faith, Reiter, Michael K., Bacon, Kelli, How, Keisha and Strong, Heather (2008): Expandable grids for visualizing and authoring computer security policies. In: Proceedings of ACM CHI 2008 Conference on Human Factors in Computing Systems April 5-10, 2008. pp. 1473-1482.

We introduce the Expandable Grid, a novel interaction technique for creating, editing, and viewing many types of security policies. Security policies, such as file permissions policies, have traditionally been displayed and edited in user interfaces based on a list of rules, each of which can only be viewed or edited in isolation. These list-of-rules interfaces cause problems for users when multiple rules interact, because the interfaces have no means of conveying the interactions amongst rules to users. Instead, users are left to figure out these rule interactions themselves. An Expandable Grid is an interactive matrix visualization designed to address the problems that list-of-rules interfaces have in conveying policies to users. This paper describes the Expandable Grid concept, shows a system using an Expandable Grid for setting file permissions in the Microsoft Windows XP operating system, and gives results of a user study involving 36 participants in which the Expandable Grid approach vastly outperformed the native Windows XP file-permissions interface on a broad range of policy-authoring tasks.

© All rights reserved Reeder et al. and/or ACM Press

2007

Kumaraguru, Ponnurangam, Rhee, Yong, Acquisti, Alessandro, Cranor, Lorrie Faith, Hong, Jason and Nunge, Elizabeth (2007): Protecting people from phishing: the design and evaluation of an embedded training email system. In: Proceedings of ACM CHI 2007 Conference on Human Factors in Computing Systems 2007. pp. 905-914.

Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an embedded training email system that teaches people about phishing during their normal use of email. We conducted lab experiments contrasting the effectiveness of standard security notices about phishing with two embedded training designs we developed. We found that embedded training works better than the current practice of sending security notices. We also derived sound design principles for embedded training systems.

© All rights reserved Kumaraguru et al. and/or ACM Press

Downs, Julie S., Holbrook, Mandy and Cranor, Lorrie Faith (2007): Behavioral response to phishing risk. In: Proceedings of the 2007 Anti-Phishing Working Groups eCrime Researchers Summit 2007. pp. 37-44.

Tools that aim to combat phishing attacks must take into account how and why people fall for them in order to be effective. This study reports a pilot survey of 232 computer users to reveal predictors of falling for phishing emails, as well as trusting legitimate emails. Previous work suggests that people may be vulnerable to phishing schemes because their awareness of the risks is not linked to perceived vulnerability or to useful strategies in identifying phishing emails. In this survey, we explore what factors are associated with falling for phishing attacks in a role-play exercise. Our data suggest that deeper understanding of the web environment, such as being able to correctly interpret URLs and understanding what a lock signifies, is associated with less vulnerability to phishing attacks. Perceived severity of the consequences does not predict behavior. These results suggest that educational efforts should aim to increase users' intuitive understanding, rather than merely warning them about risks.

© All rights reserved Downs et al. and/or ACM Press

Kumaraguru, Ponnurangam, Rhee, Yong, Sheng, Steve, Hasan, Sharique, Acquisti, Alessandro, Cranor, Lorrie Faith and Hong, Jason (2007): Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. In: Proceedings of the 2007 Anti-Phishing Working Groups eCrime Researchers Summit 2007. pp. 70-81.

Educational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and trained after they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users' ability to identify phishing emails and websites. In the present study, we tested users to determine how well they retained knowledge gained through embedded training and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as regular email messages. In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer more knowledge after embedded training than after non-embedded training; and (c) users with higher Cognitive Reflection Test (CRT) scores are more likely than users with lower CRT scores to click on the links in the phishing emails from companies with which they have no account.

© All rights reserved Kumaraguru et al. and/or ACM Press

Bauer, Lujo, Cranor, Lorrie Faith, Reiter, Michael K. and Vaniea, Kami (2007): Lessons learned from the deployment of a smartphone-based access-control system. In: Proceedings of the 2007 Symposium on Usable Privacy and Security 2007. pp. 64-75.

Grey is a smartphone-based system by which a user can exercise her authority to gain access to rooms in our university building, and by which she can delegate that authority to other users. We present findings from a trial of Grey, with emphasis on how common usability principles manifest themselves in a smartphone-based security application. In particular, we demonstrate aspects of the system that gave rise to failures, misunderstandings, misperceptions, and unintended uses; network effects and new flexibility enabled by Grey; and the implications of these for user behavior. We argue that the manner in which usability principles emerged in the context of Grey can inform the design of other such applications.

© All rights reserved Bauer et al. and/or ACM Press

Sheng, Steve, Magnien, Bryant, Kumaraguru, Ponnurangam, Acquisti, Alessandro, Cranor, Lorrie Faith, Hong, Jason and Nunge, Elizabeth (2007): Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish. In: Proceedings of the 2007 Symposium on Usable Privacy and Security 2007. pp. 88-99.

In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a user study: participants were tested on their ability to identify fraudulent web sites before and after spending 15 minutes engaged in one of three anti-phishing training activities (playing the game, reading an anti-phishing tutorial we created based on the game, or reading existing online training materials). We found that the participants who played the game were better able to identify fraudulent web sites compared to the participants in other conditions. We attribute these effects to both the content of the training messages presented in the game as well as the presentation of these materials in an interactive game format. Our results confirm that games can be an effective way of educating people about phishing and other security attacks.

© All rights reserved Sheng et al. and/or ACM Press

2006

Cranor, Lorrie Faith (2006): What do they "indicate?": evaluating security and privacy indicators. In Interactions, 13 (3) pp. 45-47.

Cranor, Lorrie Faith, Guduru, Praveen and Arjula, Manjula (2006): User interfaces for privacy agents. In ACM Transactions on Computer-Human Interaction, 13 (2) pp. 135-178.

Most people do not often read privacy policies because they tend to be long and difficult to understand. The Platform for Privacy Preferences (P3P) addresses this problem by providing a standard machine-readable format for website privacy policies. P3P user agents can fetch P3P privacy policies automatically, compare them with a user's privacy preferences, and alert and advise the user. Developing user interfaces for P3P user agents is challenging for several reasons: privacy policies are complex, user privacy preferences are often complex and nuanced, users tend to have little experience articulating their privacy preferences, users are generally unfamiliar with much of the terminology used by privacy experts, users often do not understand the privacy-related consequences of their behavior, and users have differing expectations about the type and extent of privacy policy information they would like to see. We developed a P3P user agent called Privacy Bird. Our design was informed by privacy surveys and our previous experience with prototype P3P user agents. We describe our design approach, compare it with the approach used in other P3P user agents, evaluate our design, and make recommendations to designers of other privacy agents.

© All rights reserved Cranor et al. and/or ACM Press

Kuo, Cynthia, Romanosky, Sasha and Cranor, Lorrie Faith (2006): Human selection of mnemonic phrase-based passwords. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 67-78.

Textual passwords are often the only mechanism used to authenticate users of a networked system. Unfortunately, many passwords are easily guessed or cracked. In an attempt to strengthen passwords, some systems instruct users to create mnemonic phrase-based passwords. A mnemonic password is one where a user chooses a memorable phrase and uses a character (often the first letter) to represent each word in the phrase. In this paper, we hypothesize that users will select mnemonic phrases that are commonly available on the Internet, and that it is possible to build a dictionary to crack mnemonic phrase-based passwords. We conduct a survey to gather user-generated passwords. We show the majority of survey respondents based their mnemonic passwords on phrases that can be found on the Internet, and we generate a mnemonic password dictionary as a proof of concept. Our 400,000-entry dictionary cracked 4% of mnemonic passwords; in comparison, a standard dictionary with 1.2 million entries cracked 11% of control passwords. The user-generated mnemonic passwords were also slightly more resistant to brute force attacks than control passwords. These results suggest that mnemonic passwords may be appropriate for some uses today. However, mnemonic passwords could become more vulnerable in the future and should not be treated as a panacea.

© All rights reserved Kuo et al. and/or ACM Press

Downs, Julie S., Holbrook, Mandy B. and Cranor, Lorrie Faith (2006): Decision strategies and susceptibility to phishing. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 79-90.

Phishing emails are semantic attacks that con people into divulging sensitive information using techniques to make the user believe that information is being requested by a legitimate source. In order to develop tools that will be effective in combating these schemes, we first must know how and why people fall for them. This study reports preliminary analysis of interviews with 20 non-expert computer users to reveal their strategies and understand their decisions when encountering possibly suspicious emails. One of the reasons that people may be vulnerable to phishing schemes is that awareness of the risks is not linked to perceived vulnerability or to useful strategies in identifying phishing emails. Rather, our data suggest that people can manage the risks that they are most familiar with, but don't appear to extrapolate to be wary of unfamiliar risks. We explore several strategies that people use, with varying degrees of success, in evaluating emails and in making sense of warnings offered by browsers attempting to help users navigate the web.

© All rights reserved Downs et al. and/or ACM Press

Egelman, Serge, Cranor, Lorrie Faith and Chowdhury, Abdur (2006): An analysis of P3P-enabled web sites among top-20 search results. In: Fox, Mark S. and Spencer, Bruce (eds.) Proceedings of the 8th International Conference on Electronic Commerce - ICEC 2006, Fredericton, New Brunswick, Canada. pp. 197-207.

2005

Cranor, Lorrie Faith (2005): Hey, That's Personal! In: Ardissono, Liliana, Brna, Paul and Mitrovic, Antonija (eds.) User Modeling 2005 - 10th International Conference - UM 2005 July 24-29, 2005, Edinburgh, Scotland, UK. p. 4.

Cranor, Lorrie Faith (2005): Towards usable Web privacy and security. In: Proceedings of the 2005 International Conference on the World Wide Web 2005. p. 352.

Internet users now rely on a whole arsenal of tools to protect their security and privacy. Experts recommend that computer users install personal firewalls, anti-virus software, spyware blockers, spam filters, cookie managers, and a variety of other tools to keep themselves safe. Users are told to pick hard-to-guess passwords, use a different password at every Web site, and not to write any of their passwords down. They are told to read privacy policies before providing personal information to Web sites, look for lock icons before typing in a credit card number, refrain from opening email attachments from people they don't know, and even to think twice about opening email attachments from people they do know. With so many do's and don'ts, it is not surprising that much of this advice is ignored. In this talk I will highlight usability problems that make it difficult for people to protect their privacy and security on the Web, and I will discuss a number of approaches to addressing these problems.

© All rights reserved Cranor and/or ACM Press

2003

Sadeh, Norman M., Dively, Mary Jo, Kauffman, Robert J., Labrou, Yannis, Shehory, Onn, Telang, Rahul and Cranor, Lorrie Faith (eds.) Proceedings of the 5th International Conference on Electronic Commerce - ICEC 2003 September 30 - October 03, 2003, Pittsburgh, Pennsylvania, USA.

Byers, Simon, Cranor, Lorrie Faith and Kormann, David P. (2003): Automated analysis of P3P-enabled Web sites. In: Sadeh, Norman M., Dively, Mary Jo, Kauffman, Robert J., Labrou, Yannis, Shehory, Onn, Telang, Rahul and Cranor, Lorrie Faith (eds.) Proceedings of the 5th International Conference on Electronic Commerce - ICEC 2003 September 30 - October 03, 2003, Pittsburgh, Pennsylvania, USA. pp. 326-338.

2002

Cranor, Lorrie Faith (2002): Letter from the Special Section Editors, Ten Years of Computers, Freedom and Privacy. In The Information Society, 18 (3).

Cranor, Lorrie Faith (2002): SPECIAL SECTION: Computers, Freedom and Privacy. In The Information Society, 18 (3).

2001

Hoffman, Lance J. and Cranor, Lorrie Faith (2001): Internet voting for public officials: introduction. In Communications of the ACM, 44 (1) pp. 69-71.

Waldman, Marc, Rubin, Aviel D. and Cranor, Lorrie Faith (2001): The architecture of robust publishing systems. In ACM Transactions on Internet Technology, 1 (2) pp. 199-230.

1999

Cranor, Lorrie Faith (1999): Internet Privacy - Introduction. In Communications of the ACM, 42 (2) pp. 28-31.

Reagle, Joseph and Cranor, Lorrie Faith (1999): The Platform for Privacy Preferences. In Communications of the ACM, 42 (2) pp. 48-55.

1998

Cranor, Lorrie Faith and LaMacchia, Brian A. (1998): Spam! In Communications of the ACM, 41 (8) pp. 74-83.

1997

Cranor, Lorrie Faith and Cytron, Ron (1997): Sensus: A Security-Conscious Electronic Polling System for the Internet. In: HICSS 1997. pp. 561-570.

Changes to this page (author)

23 Nov 2012: Modified
05 Apr 2012: Modified
05 Jul 2011: Modified
02 Nov 2010: Modified
08 Sep 2009: Modified
18 Aug 2009: Modified
17 Aug 2009: Modified
09 Jul 2009: Modified
12 Jun 2009: Modified
01 Jun 2009: Modified
30 May 2009: Modified
09 May 2009: Modified
12 May 2008: Modified
24 Jul 2007: Modified
29 Jun 2007: Modified
19 Jun 2007: Added

Page Information

Page maintainer: The Editorial Team
URL: http://www.interaction-design.org/references/authors/lorrie_faith_cranor.html
