Interdisciplinary Workshop on Security and Human Behaviour (SHB 2008)
Boston, MA June 30 - July 1, 2008
Security is both a feeling and a reality, and they're different. There are
several different research communities: technologists who study security
systems, and psychologists who study people, not to mention economists,
anthropologists and others. Increasingly these worlds are colliding.
- Security design is by nature psychological, yet many systems ignore this,
and cognitive biases lead people to misjudge risk. For example, a key in
the corner of a web browser makes people feel more secure than they
actually are, while people feel far less secure flying than they actually
are. These biases are exploited by various attackers.
- Security problems relate to risk and uncertainty, and the way we react to
them. Cognitive and perception biases affect the way we deal with risk,
and therefore the way we understand security—whether that is the security
of a nation, of an information system, or of one's personal information.
- Many real attacks on information systems exploit psychology more than
technology. Phishing attacks trick people into logging on to websites that
appear genuine but actually steal passwords. Technical measures can stop
some phishing tactics, but stopping users from making bad decisions is much
harder. Deception-based attacks are now the greatest threat to online
security.
- In order to be effective, security must be usable—not just by geeks,
but by ordinary people. Research into usable security invariably has a
psychological component.
- Terrorism is perceived to be a major threat to society. Yet the actual
damage done by terrorist attacks is dwarfed by the secondary effects as
target societies overreact. There are many topics here, from the manipulation
of risk perception to the anthropology of religion.
- There are basic research questions; for example, about the extent to which
the use and detection of deception in social contexts may have helped drive
human evolution.
The dialogue between researchers in security and in psychology is rapidly
widening, bringing in more and more disciplines—from security usability
engineering, protocol design, privacy, and policy on the one hand, and from
social psychology, evolutionary biology, and behavioral economics on the other.
The Interdisciplinary Workshop on Security and Human Behavior will seek to
draw together people working on all sides of this exciting new
multidisciplinary field. It will be held in Boston on June 30 and July 1,
2008, just after the Workshop on Economics and Information Security.
Registration for this new workshop is now closed; hotel accommodation for
participants is here.
Program Committee:
Confirmed Attendees:
- Alessandro Acquisti, H. John Heinz III School of Public Policy and
Management, Carnegie Mellon University
- Andrew Adams, School of Systems Engineering, University of Reading
- Ross Anderson, Computer Laboratory, University of Cambridge
- Matt Blaze, Computer and Information Sciences Department, University of
Pennsylvania
- Bill Burns, research scientist, Decision Research
- Jon Callas, CTO, PGP Corp.
- Jean Camp, School of Informatics, Indiana University
- Ralph Chatham, DARPA
- Luke Church, Computer Laboratory, Cambridge University
- Dave Clark, CSAIL, MIT
- Richard Clarke, former terrorism adviser to President Clinton and President
Bush
- Ron Clarke, School of Criminal Justice, Rutgers
- Lorrie Cranor, Schools of Computer Science and Engineering & Public Policy,
Carnegie Mellon University
- Paul Ekman, The Ekman Group and University of California at San Francisco
- Ed Felten, Center for Information Technology Policy, Princeton University
- Mark Frank, Buffalo
- Frank Furedi, Kent
- Nicholas Humphrey, London School of Economics
- Markus Jakobsson, School of Informatics, Indiana University
- Richard John, Professor of Psychology, USC College
- Eric Johnson, Tuck School of Business, Dartmouth
- George Loewenstein, Department of Social and Decision Sciences, Carnegie
Mellon University
- Tyler Moore, Computer Laboratory, University of Cambridge
- Carey Morewedge, Department of Social and Decision Sciences, Carnegie
Mellon University
- John Mueller, Department of Political Science, Ohio State University
- Peter Neumann, Computer Science Laboratory, SRI International Corp.
- Andrew Odlyzko, Digital Technology Center, University of Minnesota
- Charles Perrow, Department of Sociology, Yale University
- Tom Pyszczynski, Department of Psychology, University of Colorado at
Colorado Springs
- James Randi, James Randi Educational Foundation
- Mike Roe, Microsoft Corp.
- Sasha Romanosky, Carnegie Mellon University
- Angela Sasse, UCL
- Stuart Schechter, Microsoft
- Bruce Schneier, CTO, BT Counterpane
- Paul Shambroom, photographer
- Uri Simonsohn, Wharton School of Business, University of Pennsylvania
- David Livingstone Smith, Department of Philosophy and Religious Studies,
University of New England
- Brad Stone, reporter, The New York Times
- Cass Sunstein, University of Chicago Law School
- Doug Tygar, School of Information, Department of Computer Science,
University of California Berkeley
- Hal Varian, Google Inc., and Berkeley
- Alma Whitten, Google, Inc.
- Henry Willis, Rand Corp.
- Richard Zeckhauser, John F. Kennedy School of Government, Harvard University
The workshop is sponsored by BT, Google, Microsoft, PGP, Carnegie Mellon
University, MIT and the University of Cambridge.
There's a liveblog with
one-paragraph summaries of the talks, plus links to audio recordings, here.