Security Behavior Observatory

How can we better understand the challenges that everyday people face when using their home computers over both the short- and long-term?

Researchers have realized that humans are the “last mile” to designing secure systems; technically secure systems may still be exploited if users behave in unsafe ways. Thus, researchers have begun studying human behavior as it relates to privacy and security decisions to design more user-centric systems. These research studies generally fall into two categories: controlled laboratory experiments and large-scale measurements in the field. The former allows researchers to directly ask participants questions and observe how they interact with various types of security mitigations, all while controlling the environment to eliminate confounding factors. The latter allows researchers to better estimate attack rates and understand how users behave in their natural environments. However, both methods suffer from shortcomings: laboratory experiments do not take place in users' natural environments and therefore may not accurately capture real world behaviors (i.e., low ecological validity), whereas large-scale measurement studies do not allow the researchers to probe user intent or otherwise gather explanatory data for observed behaviors, and offer limited control for confounding factors.

We fill this gap in the literature through the Security Behavior Observatory (SBO), a panel of participants consenting to our observing their daily computing behavior, so that we can understand what constitutes “insecure” behavior. On a technical level, the SBO consists of a set of “sensors” monitoring various aspects of participants’ operating system and applications (e.g., browser, network traffic, file system), which report a comprehensive overview of user activity to a secure server. The SBO has data from over 500 users, with about 200 users sending their data at any given time.

We have used the SBO to study a variety of security and privacy behaviors including software updates and computer maintenance,  susceptibility to phishing attacks, password reuse, malware infections, and use of private browsing modes. 

Learn More About This Project

Project Publications

Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, and Lorrie Faith Cranor. Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing. Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), Baltimore, MD, pp. 159-175.

Sarah Pearman, Jeremy Thomas, Pardis Emami Naeini, Hana Habib, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Alain Forget. Let’s go in for a closer look: Observing passwords in their natural habitat. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS’17). 2017.

C. Canfield, A. Davis, B. Fischhoff, A. Forget, S. Pearman and J. Thomas Replication: Challenges in Using Data Logs to Validate Phishing Detection Ability Metrics. SOUPS 2017.

A. Forget, S. Pearman, J. Thomas, A. Acquisti, N. Christin, L. Cranor, S. Egelman, M. Harbach, and R. Telang. Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes. SOUPS 2016, Denver, CO, June 22-24, 2016, 97-111.

A. Forget, S. Komanduri, A. Acquisti, N. Christin, L.F. Cranor, and R. Telang. Security Behavior Observatory: Infrastructure for long-term monitoring of client machines. Technical Report CMU-CyLab-14-009, CyLab, Carnegie Mellon University, July 2014.