Workshop on Security and Human Behaviour (SHB 2010)

June 28-29, Cambridge - Working papers

The workshop will be held in the Computer Laboratory, University of Cambridge. It is sponsored by Microsoft Research, Thales, Google, Juniper and HP Labs.

This is the third SHB. Here is the programme.

Here are links to the liveblog, papers and audio recordings for the workshops we held in 2009 and 2008.

As we prepare for the workshop, I'll be adding to each attendee's name one or two links to papers that they might like others to look at in advance. Email me your contributions!

Ross.Anderson at

  • Alessandro Acquisti, CMU: What Can Behavioral Economics Teach Us About Privacy?; Privacy in Electronic Commerce and the Economics of Immediate Gratification
  • John Adams, UCL: Quis custodiet ipsos custodes?
  • Ross Anderson, Cambridge: book chapters on psychology and terror; It's the Anthropology, Stupid
  • Scott Atran, John Jay College, CNRS and University of Michigan: Talking to the Enemy; Q&A in Cultural Heritage & Arts Review
  • Michelle Baddeley: Herding, social influence and economic decision-making: socio-psychological and neuroscientific analyses
  • Matt Blaze, UPenn: Toward a broader view of security protocols
  • Caspar Bowden, Microsoft
  • Joe Bonneau, Cambridge: The password thicket: technical and market failures in human authentication on the web; The Privacy Jungle: On the Market for Privacy in Social Networks
  • Pam Briggs, Northumberland: Biometric daemons: authentication via electronic pets
  • Bill Burns, Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike
  • Jon Callas
  • Jean Camp, Indiana: How Safe is Safe Enough: The Online Version
  • Luke Church, Cambridge
  • Dave Clark, MIT: A social embedding of network security - Trust, constraint, power and control
  • Chris Cocking, London Met: Effects of social identity on responses to emergency mass evacuation
  • Dylan Evans, UCC: online risk intelligence test
  • Mark Frank, Buffalo: Human Behaviour and Deception Detection
  • Frank Furedi, Kent: Precautionary culture and the rise of possibilistic risk assessment
  • Rachel Greenstadt, Drexel: Learning to Extract Quality Discourse in Online Communities
  • Cormac Herley, Microsoft: So Long And No Thanks; Where Do Security Policies Come From
  • Chris Hoofnagle, UC Berkeley: Internalizing Identity Theft; Identity Theft: Making the Unknowns Known
  • Benjamin Jakobus, Cork
  • Lukasz Jedrzejczyk, Open University: I Know What You Did Last Summer: risks of location data leakage in mobile and social computing
  • Petter Johansson, Lund: Failure to Detect Mismatches between Intention and Outcome in a Simple Decision Task
  • Jeff Hancock, Cornell: On Lying and Being Lied To: A Linguistic Analysis of Deception in Computer-Mediated Communication; Separating Fact From Fiction: An Examination of Deceptive Self-Presentation in Online Dating Profiles
  • Nick Humphrey, Cambridge
  • Brian LaMacchia, Microsoft
  • Ben Laurie, Google
  • Stephen Lea, Exeter: The Psychology of Scams - Provoking and Committing Errors of Judgment
  • Mark Levine, Lancaster: Intra-group Regulation of Violence: Bystanders and the (De)-escalation of Violence
  • Ragnar Löfstedt, King's College London: Risk communication and management in the twenty-first century
  • Tyler Moore, Harvard: Would a 'Cyber Warrior' Protect Us? Exploring Trade-offs Between Attack and Defense of Information Systems; The Consequences of Non-Cooperation in the Fight Against Phishing; Information Security Economics - and Beyond
  • John Mueller, Ohio State: Hardly Existential: Thinking Rationally About Terrorism
  • Bashar Nuseibeh, Open University: A Multi-Pronged Empirical Approach to Mobile Privacy Investigation; Security Requirements Engineering: A Framework for Representation and Analysis
  • Andrew Odlyzko, University of Minnesota: Providing security with insecure systems; Economics, psychology, and sociology of security
  • Christof Paar, Bochum
  • Andrew Patrick, Privacy Commission Canada: Ecological Validity in Studies of Security and Human Behaviour
  • Sandra Petronio, IUPUI: Regulating the Privacy of Confidentiality
  • Rob Reeder, Microsoft: 1 + 1 = You; I'm allowing what?
  • Peter Robinson, Cambridge: Mind-reading Machines
  • Mike Roe, Microsoft
  • Martin Sadler, HP Labs
  • Angela Sasse, UCL: Not seeing the crime for the cameras?; The True Cost of Unusable Password Policies
  • Bruce Schneier, Counterpane: Worst-Case Thinking Makes Us Nuts, Not Safe; Google And Facebook's Privacy Illusion; Our Reaction Is the Real Security Failure
  • Wolfram Schultz, Cambridge: Risk-dependent reward value signal in human prefrontal cortex
  • Frank Stajano, Cambridge and Google: Understanding scam victims: seven principles for systems security; It's the Anthropology, Stupid
  • Martin Taylor, magician
  • Terence Taylor, ICLS: Darwinian Security; Natural Security (A Darwinian Approach to a Dangerous World)
  • Nicko van Someren, Juniper Networks
  • Rick Wash, Michigan State: Folkmodels of computer security
  • Hayley Watson, Kent: Citizen Journalism & Public Opinion
  • Alma Whitten, Google: Why Johnny can't encrypt: A usability evaluation of PGP 5.0
  • Jeff Yan, Newcastle: Security and usability of CAPTCHAs; The memorability and security of passwords – some empirical results

    Accommodation: we have a block of rooms at Robinson College which you can book here. You'll need a booking code which we give people who're registered for the workshop.

    Registration: you can register for the workshop here. Since the workshop is invitational and numbers are limited, you also need a booking code to register. If you want to be invited, please contact Ross Anderson, Bruce Schneier or Alessandro Acquisti.