Publication statistics

Pub. period: 2006-2012
Pub. count: 13
Number of co-authors: 26

3 favourite co-authors:

Lujo Bauer
Nicolas Christin
Michelle L. Mazurek

Productive colleagues

Serge Egelman's 3 most productive colleagues in number of publications:

Kori Inkpen: 70
Lorrie Faith Cranor: 44
A. J. Bernheim Brush: 40


Serge Egelman

Publications by Serge Egelman (bibliography)

Felt, Adrienne Porter, Ha, Elizabeth, Egelman, Serge, Haney, Ariel, Chin, Erika and Wagner, David (2012): Android permissions: user attention, comprehension, and behavior. In: Proceedings of the 2012 Symposium on Usable Privacy and Security 2012. p. 3.

Android's permission system is intended to inform users about the risks of installing applications. When a user installs an application, he or she has the opportunity to review the application's permission requests and cancel the installation if the permissions are excessive or objectionable. We examine whether the Android permission system is effective at warning users. In particular, we evaluate whether Android users pay attention to, understand, and act on permission information during installation. We performed two usability studies: an Internet survey of 308 Android users, and a laboratory study wherein we interviewed and observed 25 Android users. Study participants displayed low attention and comprehension rates: both the Internet survey and laboratory study found that 17% of participants paid attention to permissions during installation, and only 3% of Internet survey respondents could correctly answer all three permission comprehension questions. This indicates that current Android permission warnings do not help most users make correct security decisions. However, a notable minority of users demonstrated both awareness of permission warnings and reasonable rates of comprehension. We present recommendations for improving user attention and comprehension, as well as identify open challenges.

© All rights reserved Felt et al. and/or their publisher

Johnson, Maritza, Egelman, Serge and Bellovin, Steven M. (2012): Facebook and privacy: it's complicated. In: Proceedings of the 2012 Symposium on Usable Privacy and Security 2012. p. 9.

We measure users' attitudes toward interpersonal privacy concerns on Facebook and measure users' strategies for reconciling their concerns with their desire to share content online. To do this, we recruited 260 Facebook users to install a Facebook application that surveyed their privacy concerns, their friend network compositions, the sensitivity of posted content, and their privacy-preserving strategies. By asking participants targeted questions about people randomly selected from their friend network and posts shared on their profiles, we were able to quantify the extent to which users trust their "friends" and the likelihood that their content was being viewed by unintended audiences. We found that while strangers are the most concerning audience, almost 95% of our participants had taken steps to mitigate those concerns. At the same time, we observed that 16.5% of participants had at least one post that they were uncomfortable sharing with a specific friend -- someone who likely already had the ability to view it -- and that 37% raised more general concerns with sharing their content with friends. We conclude that the current privacy controls allow users to effectively manage the outsider threat, but that they are unsuitable for mitigating concerns over the insider threat -- members of the friend network who dynamically become inappropriate audiences based on the context of a post.

© All rights reserved Johnson et al. and/or their publisher

Egelman, Serge, Oates, Andrew and Krishnamurthi, Shriram (2011): Oops, I did it again: mitigating repeated access control errors on Facebook. In: Proceedings of ACM CHI 2011 Conference on Human Factors in Computing Systems 2011. pp. 2295-2304.

We performed a study of Facebook users to examine how they coped with limitations of the Facebook privacy settings interface. Students graduating and joining the workforce create significant problems for all but the most basic privacy settings on social networking websites. We therefore created realistic scenarios exploiting work/play boundaries that required users to specify access control policies that were impossible due to various limitations. We examined whether users were aware of these problems without being prompted, and once given feedback, what their coping strategies were. Overall, we found that simply alerting participants to potential errors was ineffective, but when choices were also presented, participants introduced significantly fewer errors. Based on our findings, we designed a privacy settings interface based on Venn diagrams, which we validated with a usability study. We conclude that this interface may be more effective than the current privacy settings interface.

© All rights reserved Egelman et al. and/or their publisher

Komanduri, Saranga, Shay, Richard, Kelley, Patrick Gage, Mazurek, Michelle L., Bauer, Lujo, Christin, Nicolas, Cranor, Lorrie Faith and Egelman, Serge (2011): Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of ACM CHI 2011 Conference on Human Factors in Computing Systems 2011. pp. 2595-2604.

Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring passwords to contain symbols and numbers). Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies. We characterize the predictability of passwords by calculating their entropy, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.

© All rights reserved Komanduri et al. and/or their publisher
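
The abstract above contrasts composition policies with the entropy of the passwords they produce. The following is an added worked example, not the study's code or data: it enforces four assumed policies (the names basic8, basic16, dictionary8 and comprehensive8, the five-word dictionary, the mangling attacker and the sample passwords are all this example's own constructions), computes a NIST SP 800-63-1-style heuristic entropy for each, and then counts the guesses a simple attacker actually needs. The point it makes is the one practitioners keep rediscovering: a password can satisfy a composition rule and score well on the heuristic while still falling in a few thousand guesses.

```python
"""Password-composition policies versus guessability, as an added example.

Not the study's code or data: the policy names, the tiny dictionary, the
mangling attacker and the sample passwords are this example's assumptions.
"""
import re
import string
from typing import Optional

# Constructed five-word dictionary; a real check uses a large wordlist.
DICTIONARY = {"password", "monkey", "letmein", "dragon", "sunshine"}


def has_all_classes(pw: str) -> bool:
    """Upper case, lower case, digit and symbol all present."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def in_dictionary(pw: str) -> bool:
    """Dictionary check on the password with digits/symbols stripped."""
    core = re.sub(r"[^a-z]", "", pw.lower())
    return core in DICTIONARY


# Assumed policies: (minimum length, all four classes?, dictionary check?)
POLICIES = {
    "basic8":         (8,  False, False),
    "basic16":        (16, False, False),
    "dictionary8":    (8,  False, True),
    "comprehensive8": (8,  True,  True),
}


def passes(policy: str, pw: str) -> bool:
    min_len, classes, dictionary = POLICIES[policy]
    if len(pw) < min_len:
        return False
    if classes and not has_all_classes(pw):
        return False
    if dictionary and in_dictionary(pw):
        return False
    return True


def nist_entropy_bits(pw: str, composition_rule: bool, dictionary_check: bool) -> float:
    """Heuristic in the style of NIST SP 800-63-1 Appendix A for user-chosen
    passwords: 4 bits for the first character, 2 bits each for characters
    2-8, 1.5 bits each for characters 9-20, 1 bit each beyond 20; +6 bits
    when a composition rule is enforced, +6 bits when a dictionary check is
    enforced. Simplification (assumption): the standard tapers the
    dictionary bonus to zero at 20 characters; here it is flat below 20."""
    n = len(pw)
    if n == 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * max(0, min(n, 8) - 1)
    bits += 1.5 * max(0, min(n, 20) - 8)
    bits += 1.0 * max(0, n - 20)
    if composition_rule:
        bits += 6.0
    if dictionary_check and n < 20:
        bits += 6.0
    return bits


def policy_entropy(policy: str, pw: str) -> float:
    """Heuristic bits credited to pw under the given policy's enforced rules."""
    _, classes, dictionary = POLICIES[policy]
    return nist_entropy_bits(pw, classes, dictionary)


# Suffixes tried by the constructed attacker, in order.
SUFFIXES = [""] + [str(i) for i in range(100)] + ["!"] + [f"{i}!" for i in range(100)]


def guess_number(pw: str) -> Optional[int]:
    """Guesses a simple mangling attacker needs to hit pw, or None if the
    password is outside its search space. Order: each dictionary word and
    its capitalised form, each followed by the SUFFIXES above."""
    count = 0
    for word in sorted(DICTIONARY):
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                count += 1
                if base + suffix == pw:
                    return count
    return None


if __name__ == "__main__":
    for pw in ("password", "Password1!", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        for policy in POLICIES:
            if passes(policy, pw):
                print(f"{pw!r:30} {policy:15} {policy_entropy(policy, pw):5.1f} bits "
                      f"guesses={guess_number(pw)}")
```

Run stand-alone, the script shows "Password1!" credited with 21 heuristic bits under basic8 yet found by the attacker in 1518 guesses (roughly 10.6 bits of work), while the 25-character basic16 passphrase scores 41 bits and sits outside the attacker's search space entirely. Whether any particular real-world policy behaves this way is what the study measures; the code only shows why the heuristic and the attacker can disagree.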

Egelman, Serge, Tsai, Janice, Cranor, Lorrie Faith and Acquisti, Alessandro (2009): Timing is everything?: the effects of timing and placement of online privacy indicators. In: Proceedings of ACM CHI 2009 Conference on Human Factors in Computing Systems 2009. pp. 319-328.

Many commerce websites post privacy policies to address Internet shoppers' privacy concerns. However, few users read or understand them. Iconic privacy indicators may make privacy policies more accessible and easier for users to understand: in this paper, we examine whether the timing and placement of online privacy indicators impact Internet users' browsing and purchasing decisions. We conducted a laboratory study where we controlled the placement of privacy information, the timing of its appearance, the privacy level of each website, and the price and items being purchased. We found that the timing of privacy information had a significant impact on how much of a premium users were willing to pay for privacy. We also found that timing had less impact when users were willing to examine multiple websites. Finally, we found that users paid more attention to privacy indicators when purchasing privacy-sensitive items than when purchasing items that raised minimal privacy concerns.

© All rights reserved Egelman et al. and/or ACM Press

Schechter, Stuart, Egelman, Serge and Reeder, Robert W. (2009): It's not what you know, but who you know: a social approach to last-resort authentication. In: Proceedings of ACM CHI 2009 Conference on Human Factors in Computing Systems 2009. pp. 1983-1992.

Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts, or at least try. Today's systems fall short in meeting both security and reliability requirements. We designed, built, and tested a new backup authentication system that employs a social-authentication mechanism. The system employs trustees previously appointed by the account holder to verify the account holder's identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required to counter highly-personalized phone-based attacks.

© All rights reserved Schechter et al. and/or ACM Press
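
The abstract describes trustee-based recovery only at the level of its experiments. The block below is an added example of the server-side shape such a scheme takes; it is not the authors' system. Everything about the protocol is this example's assumption: that the account holder appoints n trustees in advance, that a trustee obtains a recovery code only after logging in to their own account, that k distinct trustees must vouch, and that codes are HMAC-bound to (account, trustee, expiry), single-use and time-limited. The email-impersonation attack from the abstract is addressed by design rather than by code: the server never emails codes to the holder, so a trustee who receives "please send me my code" by email has nothing the server would honour unless they fetched and forwarded it themselves.

```python
"""Trustee-based (social) backup authentication, as an added example.

Not the authors' system: the k-of-n, HMAC-bound, single-use, time-limited
code protocol below is this example's own assumption for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import List, Optional, Set

CODE_TTL_SECONDS = 24 * 3600   # assumption: a trustee code is valid for one day


class TrusteeRecovery:
    """Server-side state for one account's social backup authentication."""

    def __init__(self, account: str, trustees: List[str], threshold: int,
                 server_key: Optional[bytes] = None) -> None:
        if not 1 <= threshold <= len(trustees):
            raise ValueError("threshold must be between 1 and the number of trustees")
        self.account = account
        self.trustees = list(trustees)       # appointed in advance by the holder
        self.threshold = threshold           # k distinct trustees must vouch
        self.server_key = server_key or secrets.token_bytes(32)
        self.used: Set[str] = set()          # spent codes, to block replay

    def trustees_to_contact(self) -> List[str]:
        """Shown to the holder at recovery time: the study found users forget
        who their trustees are, so the system has to remind them."""
        return list(self.trustees)

    def _tag(self, payload: str) -> str:
        return hmac.new(self.server_key, payload.encode(), hashlib.sha256).hexdigest()[:16]

    def issue_code(self, trustee: str, now: Optional[float] = None) -> str:
        """Called only after the trustee has authenticated to their *own*
        account. The code is bound to (account, trustee, expiry), so it
        cannot be redirected to another account or attributed to another
        trustee, and it is handed to the holder out of band (phone, in
        person), never emailed by the server."""
        if trustee not in self.trustees:
            raise PermissionError(f"{trustee} is not a trustee of {self.account}")
        now = time.time() if now is None else now
        expiry = int(now) + CODE_TTL_SECONDS
        idx = self.trustees.index(trustee)
        nonce = secrets.token_hex(4)
        payload = f"{self.account}|{idx}|{expiry}|{nonce}"
        return f"{idx}-{expiry}-{nonce}-{self._tag(payload)}"

    def _verify(self, code: str, now: float) -> Optional[str]:
        """Return the vouching trustee's name, or None if the code is
        malformed, forged, expired or already spent."""
        try:
            idx_s, expiry_s, nonce, tag = code.split("-")
            idx, expiry = int(idx_s), int(expiry_s)
        except ValueError:
            return None
        if not 0 <= idx < len(self.trustees) or now > expiry or code in self.used:
            return None
        expected = self._tag(f"{self.account}|{idx}|{expiry}|{nonce}")
        if not hmac.compare_digest(expected, tag):
            return None
        return self.trustees[idx]

    def recover(self, codes: List[str], now: Optional[float] = None) -> bool:
        """Grant access only when at least `threshold` *distinct* trustees
        have vouched; two codes from the same trustee count once. On
        success every presented valid code is marked spent."""
        now = time.time() if now is None else now
        valid = [c for c in codes if self._verify(c, now)]
        vouching = {self._verify(c, now) for c in valid}
        if len(vouching) < self.threshold:
            return False
        self.used.update(valid)
        return True


if __name__ == "__main__":
    r = TrusteeRecovery("alice", ["bob", "carol", "dave", "erin"], threshold=3)
    print("remind holder to call:", r.trustees_to_contact())
    codes = [r.issue_code(t) for t in ("bob", "carol", "dave")]
    print("3 of 4 trustees vouch:", r.recover(codes))
    print("replay of the same codes:", r.recover(codes))
```

Design note: the phone-based attack the abstract singles out (someone close to the holder persuading trustees to hand over codes) is not something this code can stop, since by construction trustees are trusted to decide whom to give codes to. Raising the threshold and requiring distinct trustees limits the damage of one fooled trustee; the abstract's conclusion that stronger countermeasures are needed still stands.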

Tsai, Janice, Egelman, Serge, Cranor, Lorrie and Acquisti, Alessandro (2009): The impact of privacy indicators on search engine browsing patterns. In: Proceedings of the 2009 Symposium on Usable Privacy and Security 2009. p. 29.

Schechter, Stuart, Brush, A. J. Bernheim and Egelman, Serge (2009): It's no secret: measuring the security and reliability of authentication via 'secret' questions. In: Proceedings of the 2009 Symposium on Usable Privacy and Security 2009. p. 40.

Schechter, Stuart, Egelman, Serge and Reeder, Robert W. (2009): It's not what you know, but who you know: a social approach to last-resort authentication. In: Proceedings of the 2009 Symposium on Usable Privacy and Security 2009. p. 41.

Egelman, Serge, Cranor, Lorrie Faith and Hong, Jason (2008): You've been warned: an empirical study of the effectiveness of web browser phishing warnings. In: Proceedings of ACM CHI 2008 Conference on Human Factors in Computing Systems April 5-10, 2008. pp. 1065-1074.

Many popular web browsers are now including active phishing warnings after previous research has shown that passive warnings are often ignored. In this laboratory study we examine the effectiveness of these warnings and examine if, how, and why they fail users. We simulated a spear phishing attack to expose users to browser warnings. We found that 97% of our sixty participants fell for at least one of the phishing messages that we sent them. However, we also found that when presented with the active warnings, 79% of participants heeded them, which was not the case for the passive warning that we tested -- where only one participant heeded the warnings. Using a model from the warning sciences we analyzed how users perceive warning messages and offer suggestions for creating more effective warning messages within the phishing context.

© All rights reserved Egelman et al. and/or ACM Press

Egelman, Serge, Brush, A. J. Bernheim and Inkpen, Kori (2008): Family accounts: a new paradigm for user accounts within the home environment. In: Proceedings of ACM CSCW08 Conference on Computer-Supported Cooperative Work 2008. pp. 669-678.

In this paper we present Family Accounts, a new user account model for shared home computers. We conducted a study with sixteen families, eight who used individual profiles at home, and eight who shared a single profile. Our results demonstrate that Family Accounts is a good compromise between a single shared profile and individual profiles for each family member. In particular, we observed that because Family Accounts allowed individuals to switch profiles without forcing them to interrupt their tasks, family members tended to switch to their own profiles only when a task required some degree of privacy or personalization.

© All rights reserved Egelman et al. and/or ACM Press

Gideon, Julia, Cranor, Lorrie, Egelman, Serge and Acquisti, Alessandro (2006): Power strips, prophylactics, and privacy, oh my!. In: Proceedings of the 2006 Symposium on Usable Privacy and Security 2006. pp. 133-144.

While Internet users claim to be concerned about online privacy, their behavior rarely reflects those concerns. In this paper we investigate whether the availability of comparison information about the privacy practices of online merchants affects users' behavior. We conducted our study using Privacy Finder, a "privacy-enhanced search engine" that displays search results annotated with the privacy policy information of each site. The privacy information is garnered from computer-readable privacy policies found at the respective sites. We asked users to purchase one non-privacy-sensitive item and then one privacy-sensitive item using Privacy Finder, and observed whether the privacy information provided by our search engine impacted users' purchasing decisions (participants' costs were reimbursed, in order to separate the effect of privacy policies from that of price). A control group was asked to make the same purchases using a search engine that produced the same results as Privacy Finder, but did not display privacy information. We found that while Privacy Finder had some influence on non-privacy-sensitive purchase decisions, it had a more significant impact on privacy-sensitive purchases. The results suggest that when privacy policy comparison information is readily available, individuals may be willing to seek out more privacy friendly web sites and perhaps even pay a premium for privacy depending on the nature of the items to be purchased.

© All rights reserved Gideon et al. and/or ACM Press

Egelman, Serge, Cranor, Lorrie Faith and Chowdhury, Abdur (2006): An analysis of P3P-enabled web sites among top-20 search results. In: Fox, Mark S. and Spencer, Bruce (eds.) Proceedings of the 8th International Conference on Electronic Commerce - ICEC 2006 2006, Fredericton, New Brunswick, Canada. pp. 197-207.
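
The Privacy Finder study above annotated search results from "computer-readable privacy policies", and this entry surveys P3P deployment among search results. As an added example serving both entries, the block below parses a P3P 1.0 compact policy (the CP token sent in an HTTP P3P header) and derives a coarse traffic-light flag from it. It is not Privacy Finder's code or rating scheme: the token vocabulary is P3P's, but the grouping, the flags and the green/yellow/red rule are this example's own assumptions, and the sample headers are constructed.

```python
"""Parse P3P compact policies and derive a coarse privacy flag, as an added
example. The flags and the traffic-light rule are this example's own
assumptions, not Privacy Finder's; the token vocabulary is P3P 1.0's.
"""
import re
from typing import Dict, List, Set

# P3P 1.0 compact-policy tokens, by class (subset; categories, DSP and the
# remedy tokens land in "other").
CLASSES = {
    "purpose":   {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                  "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "access":    {"NOI", "ALL", "CAP", "CTI", "OTI", "NON"},
}

THIRD_PARTY = {"UNR", "PUB", "OTR"}   # data leaves the site's own policy


def parse_compact_policy(header: str) -> Dict[str, Set[str]]:
    """Return tokens in effect grouped by class, plus 'opt_in' and 'other'.
    Purpose/recipient tokens may carry a one-letter suffix: a (always),
    i (opt-in), o (opt-out). Assumption: only opt-in tokens are treated as
    not in effect, since the default for a user who never acts is the
    stricter reading for 'o' and the weaker one for 'i'."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header)
    raw = m.group(1) if m else header
    result: Dict[str, Set[str]] = {cls: set() for cls in CLASSES}
    result["opt_in"] = set()
    result["other"] = set()
    for token in raw.split():
        base, suffix = token, ""
        if len(token) == 4 and token[-1] in "aio":
            base, suffix = token[:3], token[-1]
        cls = next((c for c, toks in CLASSES.items() if base in toks), None)
        if cls is None:
            result["other"].add(token)
        elif suffix == "i":
            result["opt_in"].add(base)
        else:
            result[cls].add(base)
    return result


def privacy_flags(policy: Dict[str, Set[str]]) -> List[str]:
    """Human-readable concerns, in the order a result annotation would list them."""
    flags = []
    if policy["recipient"] & THIRD_PARTY:
        flags.append("shares data with third parties outside the site's policy")
    if policy["purpose"] & {"TEL", "CON"}:
        flags.append("uses data for telemarketing or contact without opt-in")
    if "IND" in policy["retention"]:
        flags.append("retains data indefinitely")
    if "NON" in policy["access"]:
        flags.append("gives users no access to their data")
    return flags


def rating(header: str) -> str:
    """Assumed rule: red if data leaves the site, yellow for any other flag."""
    policy = parse_compact_policy(header)
    if policy["recipient"] & THIRD_PARTY:
        return "red"
    return "yellow" if privacy_flags(policy) else "green"


if __name__ == "__main__":
    # Constructed sample headers, not captured from real sites.
    for hdr in ('CP="NOI DSP COR NID CUR ADM OUR STP"',
                'CP="ALL DSP COR CUR ADM CONo TELi OUR UNR IND"',
                'CP="NOI CUR ADM OUR IND"'):
        print(rating(hdr), privacy_flags(parse_compact_policy(hdr)))
```

One caveat the abstracts leave implicit: a compact policy is a self-declaration by the site. Parsing it tells a user what the site claims, and any rating built on it inherits that trust assumption; it is a comparison aid, as the study used it, not an enforcement mechanism.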
