
Usable Cybersecurity

Research Publications & Presentations


Legend: Papers (paper icon), Presentations (presentation icon), Videos (video icon), Research Posters (poster icon)

Authentication 

Authentication Diary Study

Report: Authentication Diary Study paper icon – Michelle P. Steves & Mary F. Theofanos. NISTIR 7983 (2014)


Digital Identity Guidelines

Digital Identity Guidelines: Enrollment and Identity Proofing Requirements paper icon – Paul Grassi, James Fenton, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, & Mary Theofanos. SP 800-63A (2017)

Digital Identity Guidelines: Authentication and Lifecycle Management paper icon – Paul Grassi, Elaine Newton, Ray Perlner, Andrew Regenscheid, James Fenton, William Burr, Justin Richer, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, & Mary Theofanos. SP 800-63B (2017)

Digital Identity Guidelines: Federation and Assertions paper icon – Paul Grassi, Ellen Nadeau, Justin Richer, Sarah Squire, James Fenton, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, & Mary Theofanos. SP 800-63C (2017)


Memory and Motor

Memory and Motor Processes of Password Entry Error paper icon - Frank Tamborello & Kristen Greene. Proceedings of the Human Factors and Ergonomics Society Annual Meeting (2016)

Password Entry Errors: Memory or Motor?  report icon - Kristen Greene & Frank Tamborello. Proceedings of the 13th International Conference on Cognitive Modeling (2015)

ACT-R Modeling of Password Entry Errors poster icon - Kristen Greene & Franklin Tamborello. Proceedings of the 24th Conference on Behavior Representation in Modeling and Simulation (2015)

Electrodermal Activity and Eye Movements Inform the Usability of Passwords poster icon - Jennifer R. Bergstrom, Kristen Greene, David C. Hawkins, & Christian Gonzalez. Proceedings of the 44th Annual Meeting of the Society for Neuroscience (2014)


Mobile Authentication

Usability and Security Considerations for Public Safety Mobile Authentication paper icon - Yee-Yin Choong, Joshua M. Franklin, & Kristen Greene. NISTIR 8080 (2016)

Measuring the Usability and Security of Permuted Passwords on Mobile Platforms paper icon - Kristen Greene, John M. Kelsey, & Joshua M. Franklin. NISTIR 8040 (2016)

Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry paper icon video icon - Kristen Greene, Joshua M. Franklin, & John M. Kelsey. Proceedings of ShmooCon (2015)

I Can't Type That! P@$$w0rd Entry on Mobile Devices paper icon - Kristen Greene, Melissa A. Gallagher, Brian C. Stanton, & Paul Y. Lee. Proceedings of HCI International (2014)


Multi-factor Authentication

Usability of PIV Smartcards for Logical Access paper icon - Mary F. Theofanos, Emile L. Morse, Hannah Wald, Yee-Yin Choong, Celeste Paul, & Aiping L. Zhang. NISTIR 7867 (2012)

A Field Study of User Behavior and Perception in Smartcard Authentication paper icon  - Emile L. Morse, Celeste L. Paul, Aiping L. Zhang, Yee-Yin Choong, & Mary F. Theofanos. Proceedings of the 13th IFIP TC13 Conference on Human-Computer Interaction (INTERACT) (2011)

PIV Pilot Usability Lessons Learned presentation icon – Mary Theofanos (Nov 8, 2010)


Password Creation and Use

Must I, can I? I don’t understand your ambiguous password rules paper icon  – Kristen K. Greene & Yee-Yin Choong. Information and Computer Security (2017)

Secure and Usable Enterprise Authentication: Lessons from the Field paper icon - Mary F. Theofanos, Simson L. Garfinkel, & Yee-Yin Choong. IEEE Security & Privacy (2016)

What's a Special Character Anyway? Effects of Ambiguous Terminology in Password Rules paper icon  - Yee-Yin Choong & Kristen Greene. Proceedings of the Human Factors and Ergonomics Society Annual Meeting (2016)

Password Usability presentation icon - Yee-Yin Choong (Oct 23, 2015)

Employee Password Usability Study presentation icon - Yee-Yin Choong (Sep 10, 2015)

What 4,500+ people can tell you – Employees' Attitudes toward Organizational Password Policy Do Matter paper icon  - Yee-Yin Choong & Mary F. Theofanos. Proceedings of the 3rd International Conference on Human Aspects of Information Security, Privacy, and Trust (2015)

Effects of Password Permutation on Subjective Usability Across Platforms paper icon  - Kristen Greene. Proceedings of HCI International (2015)

Human Generated Passwords - The Impacts of Password Requirements and Presentation Styles paper icon  - Paul Y. Lee & Yee-Yin Choong. Proceedings of HCI International (2015)

The Authentication Equation: A Tool to Visualize the Convergence of Security and Usability of Text-Based Passwords paper icon - Cathryn A. Ploehn & Kristen Greene. Proceedings of HCI International (2015)

Development of a Scale to Assess the Linguistic and Phonological Difficulty of Passwords paper icon - Jennifer R. Bergstrom, Stefan A. Frisch, David C. Hawkins, Joy Hackenbracht, Kristen Greene, Mary F. Theofanos, & Brian Griepentrog. Proceedings of the 6th International Conference on Cross-Cultural Design (2014)

United States Federal Employees' Password Management Behaviors – A Department of Commerce Case Study paper icon - Yee-Yin Choong, Mary F. Theofanos, & Hung-Kung Liu. NISTIR 7991 (2014)

Character Strings, Memory and Passwords: What a Recall Study Can Tell Us paper icon  - Brian C. Stanton & Kristen K. Greene. Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust (HAS) (2014)

A Cognitive-Behavioral Framework of User Password Management Lifecycle paper icon  – Yee-Yin Choong. Proceedings of HCI International (2014)


Password Policy Analysis

Password Policy Languages: Usable Translation from the Informal to the Formal paper icon – Michelle Steves, Mary Theofanos, Celia Paulsen, & Athos Ribeiro. Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust (2015)

Clear, Unambiguous Password Policies: An Oxymoron? paper icon – Michelle Steves, Kevin Killourhy, & Mary F. Theofanos. Proceedings of the 6th International Conference on Cross-Cultural Design (2014)

Taxonomic Rules for Password Policies: Translating the Informal to the Formal Language paper icon - Kevin Killourhy, Yee-Yin Choong, & Mary Theofanos. NISTIR 7970 (2013)

Usability Research in Support Of Cyber-Security: A Password Policy Taxonomy presentation icon – Kevin Killourhy (May 7, 2008)

 

Youth Passwords - see Youth Security

 

Cryptography

Organizational Cryptographic Product Development

Organizational Views of NIST Cryptographic Standards and Testing and Validation Programs paper icon  – Julie Haney, Mary Theofanos, Yasemin Acar, & Sandra S. Prettyman. NISTIR 8241 (2018)

"We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products paper icon  - Julie M. Haney,  Mary F. Theofanos, Yasemin Acar & Sandra S. Prettyman. Proceedings of the Symposium on Usable Privacy and Security (SOUPS) (2018). 

Organizational Practices in Cryptographic Development and Testing paper icon  - Julie M. Haney, Simson L. Garfinkel, & Mary F. Theofanos. Proceedings of the IEEE Conference on Communications and Network Security (CNS) (2017). 


Usable Key Management

Usability and Key Management presentation icon – Mary Theofanos (Jun 8, 2009)

 

Cybersecurity Adoption and Awareness

Cybersecurity Awareness and Training

Measuring the Effectiveness of U.S. Government Security Awareness Programs: A Mixed-Methods Study paper icon - Jody L. Jacobs, Julie M. Haney, & Susanne M. Furman. Workshop on Security Information Workers (2022).

An Investigation of Roles, Backgrounds, Knowledge, and Skills of U.S. Government Security Awareness Professionals paper icon - Julie M. Haney, Jody L. Jacobs, & Susanne M. Furman. ACM SIGMIS Computers and People Research Conference (2022).

NIST Cybersecurity Role-based Training Study Presentation presentation icon - Jody Jacobs, Julie Haney, & Susanne Furman. Presented at the Federal Information Security Educators' (FISSEA) Spring Forum (2022). Recorded presentation  video icon

NISTIR 8420 “Federal Cybersecurity Awareness Programs: A Mixed Methods Research Study” paper icon - Julie Haney, Jody Jacobs, Susanne Furman, & Fernando Barrientos (2022)

NISTIR 8420A “Approaches and Challenges of Federal Cybersecurity Awareness Programs” paper icon - Julie Haney, Jody Jacobs, Susanne Furman, & Fernando Barrientos (2022)

NISTIR 8420B “The Federal Cybersecurity Awareness Workforce: Professional Backgrounds, Knowledge, Skills, and Development Activities” paper icon - Julie Haney, Jody Jacobs, Susanne Furman, & Fernando Barrientos (2022)

NIST Security Awareness Study presentation icon - Jody Jacobs, Julie Haney, & Susanne Furman. Presented at the Federal Information Security Educators' (FISSEA) Fall Forum (September 2021). Recorded presentation video icon

Exploring Government Security Awareness Programs: A Mixed Methods Approach paper icon - Jody L. Jacobs, Julie M. Haney, Susanne M. Furman, & Fern Barrientos. Workshop on Security Information Workers and poster session at Symposium on Usable Privacy and Security (2021). 

Security Awareness Training for the Workforce: Moving Beyond "Check-the-box" Compliance paper icon - Julie M. Haney & Wayne Lutters. Computer (2020).

Security Awareness in Action: A Case Study [extended abstract] paper icon - Julie M. Haney & Wayne G. Lutters. 5th Workshop on Security Information Workers (WSIW) at the Symposium on Usable Privacy and Security (SOUPS) (2019).

 

Cybersecurity Advocates

Cybersecurity Advocates: Force Multipliers in Security Behavior Change paper icon - Julie Haney, Wayne Lutters, & Jody Jacobs. IEEE Security and Privacy (2021).

Cybersecurity Advocates: Discovering the Characteristics and Skills for an Emergent Role report icon - Julie M. Haney & Wayne Lutters. Information and Computer Security (2021).

Motivating Cybersecurity Advocates: Implications for Recruitment and Retention paper icon - Julie M. Haney & Wayne G. Lutters.  ACM SIGMIS Computers & Personnel Research (2019)

"It's Scary...It's Confusing...It's Dull": How Cybersecurity Advocates Overcome Negative Perceptions of Security [presentation] presentation icon - Julie Haney. Presented at FISSEA Conference (June 27, 2019)

 

Internet of Things

Consumer Perspectives on Loss of Support for Smart Home Devices paper icon - Julie M. Haney & Susanne M. Furman. 6th Workshop on Technology and Consumer Protection (ConPro '22) (2022). 
 
"It's the Company, the Government, You and I": User Perceptions of Responsibility for Smart Home Privacy and Security paper icon - Julie Haney, Yasemin Acar, & Susanne Furman. USENIX Security Symposium (2021).
 
Smart Home Consumers' Privacy and Security Perceptions and Practices presentation icon - Julie Haney and Susanne Furman. Presented at Smart City and Smart Home Virtual Exhibition (2020). Recorded presentation video icon
 
NISTIR 8330 Research Report: User Perceptions of Smart Home Security and Privacy paper icon - Julie M. Haney, Susanne M. Furman, & Yasemin Acar (2020).
 
Toward Usable Updates for Smart Home Devices document image - Julie M. Haney & Susanne M. Furman. Workshop on Socio-technical Aspects in Security (STAST) (2020).
 
Smart Home Updates: User Perceptions and Experiences poster icon - Julie M. Haney & Susanne M. Furman. Poster presented at Symposium on Usable Privacy and Security (SOUPS) (2020).
 
Smart Home Security and Privacy Mitigations: Consumer Perceptions, Practices, and Challenges paper icon - Julie M. Haney, Susanne M. Furman, & Yasemin Acar. Proceedings of the HCI for Cybersecurity, Privacy and Trust affiliated conference at HCI International (2020).
 
Human Factors in Smart Home Technologies Workshop Summary Report paper icon - Susanne Furman & Julie Haney. (2019)
 
Consumer Perceptions of Smart Home Privacy and Security presentation icon - Julie Haney, Susanne Furman, & Yasemin Acar. Presented at the NIST Human Factors in Smart Home Technologies Workshop (September 24, 2019)
 

Perceptions of Smart Home Privacy and Security Responsibility, Concerns, and Mitigations paper icon - Julie Haney, Susanne Furman, Yasemin Acar, & Mary Theofanos. Extended abstract from poster presented at Symposium on Usable Privacy and Security (SOUPS) (2019).

 

Methodologies

Investigating Youths' Learning of Online Safety and Privacy from Others: A Discussion of Study Design and Statistical Analysis Considerations paper icon - Kerrianne Buchanan, Yee-Yin Choong, and Olivia Murphy. Workshop on Kids' Online Privacy and Safety (2022).

Lessons Learned and Suitability of Focus Groups in Security Information Workers Research paper icon - Julie M. Haney, Jody L. Jacobs, Fernando Barrientos, & Susanne M. Furman. Proceedings of the HCI for Cybersecurity, Privacy and Trust affiliated conference at HCI International (2022).

The Power of Qualitative Methods: Aha Moments in Exploring Cybersecurity and Trust paper icon  - Brian C. Stanton, Mary F. Theofanos, Susanne M. Furman, & Sandra S. Prettyman. User Experience Magazine (2016)

 

Phishing

NIST Phish Scale

 The NIST Phish Scale: Method for rating human phishing detection difficulty (tutorial) presentation icon - Shaneé Dawkins & Jody Jacobs. Presented at Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) (2021).

Scaling the Phish: Advancing the NIST Phish Scale paper icon - Fernando Barrientos, Jody Jacobs, & Shaneé Dawkins. Poster session at International Conference on Human-Computer Interaction (HCII) (2021).

The Phish Scale: NIST-Developed Method Helps IT Staff See Why Users Click on Fraudulent Emails (media article) (2020)

The New NIST Phish Scale, Revealing Why End Users Click  presentation icon - Shaneé Dawkins, Kristen Greene, & Jody Jacobs. Presented at SecureWorld Expo (2020)

Categorizing Human Phishing Difficulty: A Phish Scale paper icon - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Journal of Cybersecurity (2020)

Introducing Phish Scale video icon (2020)

A Phish Scale: Rating Human Phishing Message Detection Difficulty paper icon - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2019)

 

Phishing Behaviors

No Phishing Beyond This Point paper icon  - Kristen Greene, Michelle Steves, & Mary Theofanos. IEEE Computer (2018)

You've Been Phished video icon (2018)

ISPAB presentation - User Context: An Explanatory Variable in Phishing Susceptibility presentation icon - Kristen Greene, Michelle Steves, & Mary Theofanos. (June 21, 2018)

User Context: An Explanatory Variable in Phishing Susceptibility paper icon  – Kristen K. Greene, Michelle P. Steves, Mary F. Theofanos, & Jennifer Kostick. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2018)

Exploratory Lens Model of Decision-Making in Potential Phishing Attack Scenario paper icon - Franklin Tamborello & Kristen Greene. NISTIR 8194 (2017)

 

Privacy

Differential Privacy video icon (2018)

Non-breach Privacy Events paper icon - Simson L Garfinkel & Mary Theofanos. IEEE Security & Privacy (2018)

Preserving Privacy – More Than Reading a Message paper icon - Susanne M. Furman & Mary F. Theofanos. Proceedings of the International Conference on Universal Access in Human-Computer Interaction (2014)

 

Usable Security (general)

Is Usable Security an Oxymoron? paper icon - Mary Theofanos. IEEE Computer (2020).

Shouldn't All Security Be Usable? paper icon  - Mary Frances Theofanos & Shari Lawrence Pfleeger. IEEE Security & Privacy (2011)

ISPAB Panel on Usable Security presentation icon – Mary Theofanos & Ellen Kowalczyk (Oct 29, 2010)

Usability Research in Support of Cybersecurity presentation icon – Mary Theofanos (May 7, 2008)

Poor Usability: The Inherent Insider Threat presentation icon  – Mary Theofanos (Mar 21, 2008)

 

User Perceptions & Behaviors

Pandemic Parallels: What can cybersecurity learn from COVID? report icon - Steven Furnell, Julie Haney, & Mary Theofanos. IEEE Computer (2021)

Be Prepared: How US Government Experts Think About Cybersecurity paper icon  - Mary F. Theofanos, Brian C. Stanton, Sandra S. Prettyman, Susanne M. Furman, & Simson L. Garfinkel. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2017)

Security Fatigue paper icon  - Brian C. Stanton, Sandra S. Prettyman, Mary F. Theofanos, & Susanne M. Furman. IT Professional (2016)

Cybersecurity Fatigue video icon (2016)

Privacy and Security in the Brave New World: The Use of Multiple Mental Models paper icon  - Susanne M. Furman, Mary F. Theofanos, Brian C. Stanton, & Sandra S. Prettyman. Proceedings of HCI International (2015)

Basing Cybersecurity Training on User Perceptions paper icon  - Susanne M. Furman, Mary Frances Theofanos, Yee-Yin Choong, & Brian Stanton. IEEE Security & Privacy (2012)

 

Youth Security

Challenges to Building Youth's Online Safety Knowledge from a Family Perspective: Results from a Youth/Parent Dyad Study paper icon - Olivia Murphy, Yee-Yin Choong, & Kerrianne Buchanan. Workshop on Kids' Online Privacy and Safety (2022).

Investigating Youths' Learning of Online Safety and Privacy from Others: A Discussion of Study Design and Statistical Analysis Considerations paper icon - Kerrianne Buchanan, Yee-Yin Choong, and Olivia Murphy. Workshop on Kids' Online Privacy and Safety (2022).

Parenting Digital Natives in a Tech World: Research Findings of Children's and Parents' Password Knowledge & Practices presentation icon - Yee-Yin Choong (October 25, 2021)

"Passwords Keep Me Safe" – Understanding What Children Think about Passwords report icon - Mary Theofanos, Yee-Yin Choong, & Olivia Murphy. USENIX Security Symposium  (2021)

“Passwords protect my stuff” — A Study of Children’s Password Practices paper icon - Yee-Yin Choong, Mary F. Theofanos, Karen Renaud, & Suzanne Prior. Journal of Cybersecurity (December 2019)

Case Study – Exploring Children’s Password Knowledge and Practices paper icon - Yee-Yin Choong, Mary F. Theofanos, Karen Renaud, & Suzanne Prior. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2019)

Created November 17, 2016, Updated November 29, 2022