Workshop on Security and Human Behaviour (SHB 2009)

June 11-12, MIT - Working papers

The workshop will be held in MIT Classroom 32-124 in the Stata Center, Vassar Street.

As we prepare for the workshop, I'll be adding to each attendee's name one or two links to papers that they might like others to look at in advance. Email me your contributions!

Here is the workshop program.

Ross.Anderson at

  • Alessandro Acquisti, CMU: What Can Behavioral Economics Teach Us About Privacy?; Privacy in Electronic Commerce and the Economics of Immediate Gratification
  • Andrew Adams, Reading: Regulating CCTV
  • John Adams, UCL: Deus e Brasileiro?; Can Science Beat Terrorism?; Bicycle bombs: a further inquiry
  • Ross Anderson, Cambridge: Database State; Information Security Economics - and Beyond; The Memorability and Security of Passwords -- Some Empirical Results; book chapters on psychology and terror
  • Matt Blaze, UPenn: Toward a broader view of security protocols
  • Caspar Bowden, Microsoft
  • danah boyd, Microsoft Research: Taken Out of Context - American Teen Sociality in Networked Publics
  • Bill Burns, Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike
  • Jon Callas, PGP: Improving Message Security With a Self-Assembling PKI
  • Jean Camp, Indiana: Experimental Evaluation of Expert and Non-expert Computer Users' Mental Models of Security Risks
  • Luke Church, Cambridge: SHB Position Paper; Usability and the Common Criteria
  • Dave Clark, MIT: A social embedding of network security - Trust, constraint, power and control
  • Chris Cocking, London Met: Effects of social identity on responses to emergency mass evacuation
  • Lorrie Cranor, CMU: A Framework for Reasoning About the Human in the Loop
  • Julie Downs, CMU: Behavioral Response to Phishing Risk; Parents' vaccination comprehension and decisions; The Psychology of Food Consumption
  • Mark Frank, Buffalo: Human Behaviour and Deception Detection
  • Jeffrey Friedberg, Microsoft: End to End Trust and the Trust User Experience; Testimony on "spyware"
  • Allan Friedman, Harvard
  • Dan Gardner, The Ottawa Citizen
  • Rachel Greenstadt, Drexel: Practical Attacks Against Authorship Recognition Techniques (pre-print); Reinterpreting the Disclosure Debate for Web Infections
  • Jeff Hancock, Cornell: On Lying and Being Lied To: A Linguistic Analysis of Deception in Computer-Mediated Communication; Separating Fact From Fiction: An Examination of Deceptive Self-Presentation in Online Dating Profiles
  • Markus Jakobsson, PARC: Social Phishing; Love and Authentication; Quantifying the Security of Preference-Based Authentication
  • Richard John, USC: Decision Analysis by Proxy for the Rational Terrorist
  • Dominic Johnson, Edinburgh: Paradigm Shifts in Security Strategy; Perceptions of victory and defeat
  • Eric Johnson, Dartmouth: Access Flexibility with Escalation and Audit; Security through Information Risk Management
  • Adam Joinson, Bath: Privacy, Trust and Self-Disclosure Online; Privacy concerns and privacy actions
  • Christine Jolls, Yale
  • Mark Levine, Lancaster: Intra-group Regulation of Violence: Bystanders and the (De)-escalation of Violence
  • George Loewenstein, CMU: Searching for Privacy in all the Wrong Places: A behavioural economics perspective on individual concern for privacy
  • David Mandel, DRDC Toronto: Applied Behavioral Science in Support of Intelligence Analysis; Radicalization: What does it mean?; The Role of Instigators in Radicalization to Violent Extremism
  • Jeff MacKie-Mason, Michigan
  • Betsy Masiello, Google
  • Tyler Moore, Harvard: The Consequences of Non-Cooperation in the Fight Against Phishing; Information Security Economics - and Beyond
  • John Mueller, Ohio State: Reacting to Terrorism: Probabilities, Consequences, and the Persistence of Fear; Evaluating Measures to Protect the Homeland from Terrorism; Terrorphobia: Our False Sense of Insecurity
  • Peter Neumann, SRI: Holistic systems; Risks
  • Bashar Nuseibeh, Open University: A Multi-Pronged Empirical Approach to Mobile Privacy Investigation; Security Requirements Engineering: A Framework for Representation and Analysis
  • Andrew Odlyzko, University of Minnesota: Network Neutrality, Search Neutrality, and the Never-Ending Conflict Between Efficiency and Fairness in Markets; Economics, psychology, and sociology of security
  • Andrew Patrick, NRC Canada: Fingerprint Concerns: Performance, Usability, and Acceptance of Fingerprint Biometric Systems
  • James Pita, USC: Deployed ARMOR Protection: The Application of a Game Theoretic Model for Security at the Los Angeles International Airport
  • Rob Reeder, Microsoft: Expanding Grids for Visualizing and Authoring Computer Security Policies
  • Mike Roe, Microsoft
  • Sasha Romanosky, CMU: Do Data Breach Disclosure Laws Reduce Identity Theft?; Consumer Privacy Costs and Personal Data Protection: Economic and Legal Perspectives
  • Angela Sasse, UCL: The Compliance Budget: Managing Security Behaviour in Organisations; Human Vulnerabilities in Security Systems
  • Stuart Schechter, Microsoft: It's no secret; The Emperor's New Security Indicators
  • Bruce Schneier, Counterpane: How Perverse Incentives Drive Bad Security Decisions; The Kindness of Strangers
  • Adam Shostack, Microsoft: Experiences Threat Modeling at Microsoft
  • Diana Smetters, PARC
  • David Livingstone Smith, University of New England: Talk on Lying at La Ciudad de Las Ideas; a subsequent discussion; Why War?
  • Frank Stajano, Cambridge: Understanding victims: Six principles for systems security; Usability of Security Management: Defining the Permissions of Guests
  • Mark Stewart, University of Newcastle, NSW: A risk and cost-benefit assessment of United States aviation security measures; Risk and Cost-Benefit Assessment of Counter-Terrorism Protective Measures to Infrastructure
  • Terence Taylor, ICLS: Darwinian Security; Natural Security (A Darwinian Approach to a Dangerous World)
  • Simon Wessely, King's College London
  • Alma Whitten, Google: Why Johnny can't encrypt: A usability evaluation of PGP 5.0