Publication statistics

Pub. period:2007-2012
Pub. count:9
Number of co-authors:25


Number of publications with 3 favourite co-authors:

Rohit Ashok Khot:
Kannan Srinathan:
Julie Downs:



Productive colleagues

Ponnurangam Kumaraguru's 3 most productive colleagues in number of publications:

Lorrie Faith Crano..:44
Jason Hong:20
Marc Langheinrich:13

Upcoming Courses

go to course
Dynamic User Experience: Ajax Design and Usability
go to course
Gestalt Psychology and Web Design: The Ultimate Guide
92% booked. Starts in 3 days

Featured chapter

Marc Hassenzahl explains the fascinating concept of User Experience and Experience Design. Commentaries by Don Norman, Eric Reiss, Mark Blythe, and Whitney Hess

User Experience and Experience Design !


Our Latest Books

The Glossary of Human Computer Interaction
by Mads Soegaard and Rikke Friis Dam
start reading
The Social Design of Technical Systems: Building technologies for communities. 2nd Edition
by Brian Whitworth and Adnan Ahmad
start reading
Gamification at Work: Designing Engaging Business Software
by Janaki Mythily Kumar and Mario Herger
start reading
The Social Design of Technical Systems: Building technologies for communities
by Brian Whitworth and Adnan Ahmad
start reading
The Encyclopedia of Human-Computer Interaction, 2nd Ed.
by Mads Soegaard and Rikke Friis Dam
start reading

Ponnurangam Kumaraguru


Publications by Ponnurangam Kumaraguru (bibliography)

 what's this?
Edit | Del

Pontes, Tatiana, Vasconcelos, Marisa, Almeida, Jussara, Kumaraguru, Ponnurangam and Almeida, Virgilio (2012): We know where you live: privacy characterization of foursquare behavior. In: Proceedings of the 2012 International Conference on Uniquitous Computing 2012. pp. 898-905.

In the last few years, the increasing interest in location-based services (LBS) has favored the introduction of geo-referenced information in various Web 2.0 applications, as well as the rise of location-based social networks (LBSN). Foursquare, one of the most popular LBSNs, gives incentives to users who visit (check in) specific places (venues) by means of, for instance, mayorships to frequent visitors. Moreover, users may leave tips at specific venues as well as mark previous tips as done in sign of agreement. Unlike check ins, which are shared only with friends, the lists of mayorships, tips and dones of a user are publicly available to everyone, thus raising concerns about disclosure of the user's movement patterns and interests. We analyze how users explore these publicly available features, and their potential as sources of information leakage. Specifically, we characterize the use of mayorships, tips and dones in Foursquare based on a dataset with around 13 million users. We also analyze whether it is possible to easily infer the home city (state and country) of a user from these publicly available information. Our results indicate that one can easily infer the home city of around 78% of the analyzed users within 50 kilometers.

© All rights reserved Pontes et al. and/or ACM Press

Edit | Del

Khot, Rohit Ashok, Srinathan, Kannan and Kumaraguru, Ponnurangam (2011): MARASIM: a novel jigsaw based authentication scheme using tagging. In: Proceedings of ACM CHI 2011 Conference on Human Factors in Computing Systems 2011. pp. 2605-2614.

In this paper we propose and evaluate Marasim, a novel Jigsaw based graphical authentication mechanism using tagging. Marasim is aimed at achieving the security of random images with the memorability of personal images. Our scheme relies on the human ability to remember a personal image and later recognize the alternate visual representations (images) of the concepts occurred in the image. These concepts are retrieved from the tags assigned to the image. We illustrate how a Jigsaw based approach helps to create a portfolio of system-chosen random images to be used for authentication. The paper describes the complete design of Marasim along with the empirical studies of Marasim that provide evidences of increased memorability. Results show that 93% of all participants succeeded in the authentication tests using Marasim after three months while 71% succeeded in authentication tests using Marasim after nine months. Our findings indicate that Marasim has potential applications, especially where text input is hard (e.g., PDAs or ATMs), or in situations where passwords are infrequently used (e.g., web site passwords).

© All rights reserved Khot et al. and/or their publisher

Edit | Del

Ion, Iulia, Sachdeva, Niharika, Kumaraguru, Ponnurangam and apkun, Srdjan (2011): Home is safer than the cloud!: privacy concerns for consumer cloud storage. In: Proceedings of the 2011 Symposium on Usable Privacy and Security 2011. p. 13.

Several studies ranked security and privacy to be major areas of concern and impediments of cloud adoption for companies, but none have looked into end-users' attitudes and practices. Not much is known about consumers' privacy beliefs and expectations for cloud storage, such as web-mail, document and photo sharing platforms, or about users' awareness of contractual terms and conditions. We conducted 36 in-depth interviews in Switzerland and India (two countries with different privacy perceptions and expectations); and followed up with an online survey with 402 participants in both countries. We study users' privacy attitudes and beliefs regarding their use of cloud storage systems. Our results show that privacy requirements for consumer cloud storage differ from those of companies. Users are less concerned about some issues, such as guaranteed deletion of data, country of storage and storage outsourcing, but are uncertain about using cloud storage. Our results further show that end-users consider the Internet intrinsically insecure and prefer local storage for sensitive data over cloud storage. However, users desire better security and are ready to pay for services that provide strong privacy guarantees. Participants had misconceptions about the rights and guarantees their cloud storage providers offers. For example, users believed that their provider is liable in case of data loss, does not have the right to view and modify user data, and cannot disable user accounts. Finally, our results show that cultural differences greatly influence user attitudes and beliefs, such as their willingness to store sensitive data in the cloud and their acceptance that law enforcement agencies monitor user accounts. We believe that these observations can help in improving users privacy in cloud storage systems.

© All rights reserved Ion et al. and/or ACM Press

Edit | Del

Ion, Iulia, Langheinrich, Marc, Kumaraguru, Ponnurangam and Capkun, Srdjan (2010): Influence of user perception, security needs, and social factors on device pairing method choices. In: Proceedings of the 2010 Symposium on Usable Privacy and Security 2010. p. 6.

Recent years have seen a proliferation of secure device pairing methods that try to improve both the usability and security of today's de-facto standard -- PIN-based authentication. Evaluating such improvements is difficult. Most comparative laboratory studies have so far mainly focused on completeness, trying to find the single best method among the dozens of proposed approaches -- one that is both rated the most usable by test subjects, and which provides the most robust security guarantees. This search for the "best" pairing method, however, fails to take into account the variety of situations in which such pairing protocols may be used in real life. The comparative study reported here, therefore, explicitly situates pairing tasks in a number of more realistic situations. Our results indicate that people do not always use the easiest or most popular method -- they instead prefer different methods in different situations, based on the sensitivity of data involved, their time constraints, and the social conventions appropriate for a particular place and setting. Our study also provides qualitative data on factors influencing the perceived security of a particular method, the users' mental models surrounding security of a method, and their security needs.

© All rights reserved Ion et al. and/or their publisher

Edit | Del

Sheng, Steve, Holbrook, Mandy, Kumaraguru, Ponnurangam, Cranor, Lorrie Faith and Downs, Julie (2010): Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions. In: Proceedings of ACM CHI 2010 Conference on Human Factors in Computing Systems 2010. pp. 373-382.

In this paper we present the results of a roleplay survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing webpages by 40% percent; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.

© All rights reserved Sheng et al. and/or their publisher

Edit | Del

Kumaraguru, Ponnurangam, Cranshaw, Justin, Acquisti, Alessandro, Cranor, Lorrie, Hong, Jason, Blair, Mary Ann and Pham, Theodore (2009): School of phish: a real-word evaluation of anti-phishing training. In: Proceedings of the 2009 Symposium on Usable Privacy and Security 2009. p. 3.

PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated the effectiveness of this approach. Here, we extend our previous work with a 515-participant, real-world study in which we focus on long-term retention and the effect of two training messages. We also investigate demographic factors that influence training and general phishing susceptibility. Results of this study show that (1) users trained with PhishGuru retain knowledge even after 28 days; (2) adding a second training message to reinforce the original training decreases the likelihood of people giving information to phishing websites; and (3) training does not decrease users' willingness to click on links in legitimate messages. We found no significant difference between males and females in the tendency to fall for phishing emails both before and after the training. We found that participants in the 18-25 age group were consistently more vulnerable to phishing attacks on all days of the study than older participants. Finally, our exit survey results indicate that most participants enjoyed receiving training during their normal use of email.

© All rights reserved Kumaraguru et al. and/or ACM Press

Edit | Del

Kumaraguru, Ponnurangam, Rhee, Yong, Acquisti, Alessandro, Cranor, Lorrie Faith, Hong, Jason and Nunge, Elizabeth (2007): Protecting people from phishing: the design and evaluation of an embedded training email system. In: Proceedings of ACM CHI 2007 Conference on Human Factors in Computing Systems 2007. pp. 905-914.

Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an embedded training email system that teaches people about phishing during their normal use of email. We conducted lab experiments contrasting the effectiveness of standard security notices about phishing with two embedded training designs we developed. We found that embedded training works better than the current practice of sending security notices. We also derived sound design principles for embedded training systems.

© All rights reserved Kumaraguru et al. and/or ACM Press

Edit | Del

Kumaraguru, Ponnurangam, Rhee, Yong, Sheng, Steve, Hasan, Sharique, Acquisti, Alessandro, Cranor, Lorrie Faith and Hong, Jason (2007): Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. In: Proceedings of the 2007 Anti-Phishing Working Groups eCrime Researchers Summit 2007. pp. 70-81.

Educational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and trained after they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users' ability to identify phishing emails and websites. In the present study, we tested users to determine how well they retained knowledge gained through embedded training and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as regular email messages. In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer more knowledge after embedded training than after non-embedded training; and (c) users with higher Cognitive Reflection Test (CRT) scores are more likely than users with lower CRT scores to click on the links in the phishing emails from companies with which they have no account.

© All rights reserved Kumaraguru et al. and/or ACM Press

Edit | Del

Sheng, Steve, Magnien, Bryant, Kumaraguru, Ponnurangam, Acquisti, Alessandro, Cranor, Lorrie Faith, Hong, Jason and Nunge, Elizabeth (2007): Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish. In: Proceedings of the 2007 Symposium on Usable Privacy and Security 2007. pp. 88-99.

In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a user study: participants were tested on their ability to identify fraudulent web sites before and after spending 15 minutes engaged in one of three anti-phishing training activities (playing the game, reading an anti-phishing tutorial we created based on the game, or reading existing online training materials). We found that the participants who played the game were better able to identify fraudulent web sites compared to the participants in other conditions. We attribute these effects to both the content of the training messages presented in the game as well as the presentation of these materials in an interactive game format. Our results confirm that games can be an effective way of educating people about phishing and other security attacks.

© All rights reserved Sheng et al. and/or ACM Press

Add publication
Show list on your website

Join our community and advance:




Join our community!

Page Information

Page maintainer: The Editorial Team