The 2021 European Symposium on Usable Security

The European Symposium on Usable Security (EuroUSEC) serves as a European forum for research and discussion in the area of human factors in security and privacy. EuroUSEC solicits previously unpublished work offering novel research contributions or clearly articulated research visions in any aspect of human-centered security and privacy. The aim of EuroUSEC is to bring together an interdisciplinary group of researchers and practitioners in human-computer interaction, security, and privacy. Participants are researchers, practitioners, and students from domains including computer science, engineering, psychology, the social sciences, and economics.

Given the pandemic-struck world we currently live in, EuroUSEC 2021 will be a virtual-only event. It will take a slightly different shape than last year's virtual-only edition, in order to address points raised during the discussions after last year’s EuroUSEC and in reflection of the virtual academic events held last year:

  1. Most importantly, EuroUSEC will be an independent event, not associated to any conference. This is motivated by the benefits of revision options in the review process and allowing a deadline after the SOUPS and NSPW notifications. Moreover, due to the (Asia)USEC and SOUPS deadlines in February, we felt that a third deadline for the usable security and privacy community in March would have been excessive and a later submission option, in the summer, would be better for everyone involved. Unfortunately, neither is feasible while maintaining a continued association to Euro S&P.
  2. The technology will basically be the same we used last year. We will hold the event using Zoom for the talks and Slack for the discussions. However, differently than last year, as an independent event, this allows us to make attendance free, enhancing EuroUSEC’s accessibility.
  3. On the same note, we have secured funding to pay for the proceedings to be published in the ACM ICPS. The funding will also allow us to pay for the open access options of ICPS, meaning the proceedings will be open access through the EuroUSEC 2021 website.
  4. We want to accommodate as many time zones as possible, but also allow for breaks so as to reduce Zoom-overload and fatigue. Therefore, EuroUSEC will potentially be a 2-day event. This is of course dependent on the submission numbers.
  5. In light of the changes listed above, it was decided by the Steering Committee to pick up one additional aspect mentioned by participants during the discussion after the last EuroUSEC and enact a small name change: EuroUSEC 2021’s official long name will be 2021 European Symposium on Usable Security.

We want EuroUSEC to be a community-driven event and would love to hear any questions, comments, or concerns you might have regarding these changes from last year. Therefore we want to encourage everyone to join the EuroUSEC Slack . You can also send us an email at eurousec21-chairs@lists.kit.edu.



Program

As last year, all times in the program are given in the Central European (Summer) Time Zone (CEST). You can use this link to convert the times to any time zone you wish.

Monday 11th October 2021
13:45 - 14:00 CEST | Arriving and Settling in

14:00 - 14:15 CEST | Opening Remarks & Best Paper Award

14:15 - 15:35 CEST | Technical Paper Session 1: Usable Security & Privacy Design
Session Chair: Jurlind Budurushi (Cloudical Deutschland GmbH)
Dark Patterns in the Wild: Review of Cookie Disclaimer Designs on Top 500 German Websites Chiara Krisam, Heike Dietmann, Melanie Volkamer (Karlsruhe Institute of Technology); Oksana Kulyk (IT University of Copenhagen)
Microsoft Office Macro Warnings: A Design Comedy of Errors with Tragic Security Consequences Marco Gutfleisch, Maximilian Peiffer, Selim Erk, Martina Angela Sasse (Ruhr University Bochum)
Vision: A Noisy Picture or a Picker Wheel to Spin? Exploring Suitable Metaphors for Differentially Private Data Analyses Farzaneh Karegar, Simone Fischer-Hübner (Karlstad University)
Vision: Usable Security and Aesthetics: Designing for engaging online security warnings and cautions to optimise user security whilst affording ease of use Fiona Carroll (Cardiff Metropolitan University)

15:35 - 15:45 CEST | Coffee Break

15:45 - 17:25 CEST | Technical Paper Session 2: Methods in Usable Security & Privacy Research
Session Chair: Oksana Kulyk (IT University Copenhagen)
🏆 Best Paper Careless Participants Are Essential For Our Phishing Study: Understanding the Impact of Screening Methods Tenga Matsuura (Waseda University); Ayako A. Hasegawa, Mitsuaki Akiyama (NTT), Tatsuya Mori (Waseda University / NICT / RIKEN AIP)
Plug-and-Play: Framework for Remote Experimentation in Cyber Security Klaudia Krawiecka, Jack Sturgess, Alina Petrova, Ivan Martinovic (University of Oxford)
SoK: Human, Organizational, and Technological Dimensions of Developers’ Challenges in Engineering Secure Software Azadeh Mokhberi, Konstantin Beznosov (University of British Columbia)
Vision: Developing a Broad Usable Security & Privacy Questionnaire Franziska Herbert, Florian M. Farke, Marvin Kowalewski, Markus Dürmuth (Ruhr University Bochum)
Vision: Security-Usability Threat Modelling for Industrial Control Systems Karen Li, Awais Rashid, Anne Roudaut (University of Bristol)

17:25 - 17:35 CEST | Coffee Break

17:35 - 18:35 CEST | Keynote
George Finney is a Chief Information Security Officer that believes that people are the key to solving our cybersecurity challenges. George is the bestselling author of several cybersecurity books, including the award-winning book, Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George has worked in Cybersecurity for over 20 years and has helped startups, global telecommunications firms, and nonprofits improve their security posture.

18:35 - 19:20 CEST | Meal Break

19:20 - 20:40 CEST | Technical Paper Session 3: Usable Authentication and Memorized Secrets
Session Chair: James Nicholson (Northumbria University)
Comparing the Effectiveness of Text-based and Video-based Delivery in Motivating Users to Adopt a Password Manager Yusuf Albayram, John Liu, Stivi Cangonj (Central Connecticut State University)
Finding Secret Treasure? Improving Memorized Secrets Through Gamification Katrin Hartwig, Atlas Englisch, Jan Pelle Thomson, Christian Reuter (Technische Universität Darmstadt)
Vision: Computing and Authentication Practices in Global Oil and Gas Fields Mary Rose Martinez, Shriram Krishnamurthi (Brown University)
Vision: What Johnny learns about Password Security from Videos posted on YouTube Mathieu Christmann (Technische Universität Darmstadt); Peter Mayer, Melanie Volkamer (Karlsruhe Institute of Technology)

Tuesday 12th October 2021
13:45 - 14:00 CEST | Arriving and Settling in

14:00 - 15:40 CEST | Technical Paper Session 4: Awareness, Behaviour, and Understanding
Session Chair: Nina Gerber (Technische Universität Darmstadt)
Peeking Into the Black Box: Towards Understanding User Understanding of E2EE Leonie Schaewitz, David Lakotta, Martina Angela Sasse, Nikol Rummel (Ruhr Universität Bochum)
Nudge or Restraint: How do People Assess Nudging in Cybersecurity - A Representative Study in Germany Katrin Hartwig, Christian Reuter (Technische Universität Darmstadt)
Replicating a Study of Ransomware in Germany Anna-Marie Ortloff, Maike Vossen, Christian Tiefenau (University of Bonn)
Replication: Measuring User Perceptions in Smartphone Security and Privacy in Germany Maxim Schessler (University of Bonn); Eva Gerlitz (Fraunhofer FKIE); Maximilian Häring (University of Bonn); Matthew Smith (University of Bonn / Fraunhofer FKIE)
What breach? Measuring online awareness of security incidents by studying real-world browsing behavior Sruti Bhagavatula, Lujo Bauer (Carnegie Mellon University); Apu Kapadia (Indiana University Bloomington)

15:40 - 15:50 CEST | Coffee Break

15:50 - 17:00 CEST | Panel "Security Spring Cleaning in Companies - How to Overcome Outdated Security Practices"
Panelists: Angela Sasse (Ruhr University Bochum), George Finney (Southern Methodist University), Pilar Garcia (1Password), Per Thorsheim (Vipps AS)
Moderator: Ola Michalec (University of Bristol)

17:00 - 17:10 CEST | Coffee Break

17:10 - 18:15 CEST | Participatory Group Activity
Attendees who are willing to participate will be assigned to small-group breakout rooms. Each group will engage in participatory ideation about the observed trends and future of usable security and privacy.

18:15 - 19:00 CEST | Meal Break

19:00 - 20:20 CEST | Technical Paper Session 5: Security for Special Populations
Session Chair: Amel Attatfa (Abertay University)
Understanding Young People’s Experiences of Cybersecurity James Nicholson (Northumbria University); Julia Terry, Helen Beckett, Pardeep Kumar (Swansea University)
Using a Participatory Toolkit to Elicit Youth’s Workplace Privacy Perspectives William Berkley Easley (University of Maryland, Baltimore County); S. Nisa Asgarali-Hoffman (University of Maryland, College Park); Amy Hurst (New York University); Helena M. Mentis, Foad Hamidi (University of Maryland, Baltimore County)
Examining Power Use and the Privacy Paradox between Intention vs. Actual Use of Mobile Applications Moses Namara, Reza Ghaiumy Anaraky (Clemson University); Pamela Wisniewski (University of Central Florida); Xinru Page (Brigham Young University); Bart P. Knijnenburg (Clemson University)
🏆 Honorary Mention Vision: Stewardship of Smart Devices Security for the Aging Population Lorenzo De Carli (Worcester Polytechnic Institute); Indrakshi Ray (Colorado State University); Erin Solovey (Worcester Polytechnic Institute)

20:20 - 21:00 CEST | Closing Remarks & Open Discussion


Event Logistics

EuroUSEC will be held on Zoom (the link is provided in an email after you register). You will be muted upon entry; please stay muted except when speaking. To facilitate interaction, we will be discussing papers primarily on our Slack instance. To make the most of each Q&A session, please ask your questions in Slack (e.g., by typing "Question for Peter: Why did you..."). The moderator for that session will ask the question out loud to the speaker. Please feel encouraged to write questions while the presentation is ongoing so that we have a few questions queued up as soon as the presentation finishes. If someone else asks a question that you find especially interesting, please "emoji react" to it. We will prioritize questions with more reactions. While we realize that it is less personal to have a moderator give voice to each question, the experiences with other virtual conferences have shown that this approach actually maximizes interaction. As a presenter, please follow up with any unanswered questions on Slack and continue the discussion after you've finished speaking!

To the extent you feel comfortable, please consider leaving your video feed on as you attend so that presenters aren't just looking out at a sea of empty boxes. No worries at all if logistics or preference make this impossible.

Social Contract

To make EuroUSEC as effective as possible for everyone, we ask that all participants commit to our social contract:

  1. Engage and actively participate (to the degree you feel comfortable) with each talk.
  2. Be sure your feedback is constructive, forward-looking, and meaningful.
  3. The usable security & privacy community has earned a reputation for being inclusive and welcoming to newcomers; please keep it that way.
  4. We encourage attendees to aim to meet at least three new people from this year's EuroUSEC. The meal breaks and the participatory activity are the perfect opportunities for this.
  5. We strongly encourage tweeting under the hashtag "#EuroUSEC2021" and otherwise spreading the word about work you find exciting at EuroUSEC. However, please do not record EuroUSEC itself or further distribute comments made on our Slack instance.
  6. EuroUSEC 2021 follows the USABLE events Code of Conduct.

Instructions for Presenters

To promote an interactive atmosphere, EuroUSEC will use the same mode for presentations as last year: all presentations will be live, not pre-recorded videos. Each paper has an been allotted a 20 minutes slot in teh program for their presentation talk and the Q&A. Research papers get up to (i.e., at max) 10 minutes for the talk and 8-9 minutes of Q&A. Vision Track papers get up to (i.e., at max) 6 minutes for the talk and 12-13 minutes of Q&A. The remaining time in the allotted slots is reserved for setting up the screen sharing in Zoom. At the beginning of each session, we will promote all speakers to a Zoom role in which screen-sharing is possible. When we announce the final question for the preceding session, the subsequent speaker should share their screen and get ready to present. For speakers who have not presented on Zoom before, we will offer short (optional) training sessions the week before EuroUSEC.




Registration

Attendance of EuroUSEC is free of charge for everyone this year. However, registration is mandatory. At the end of registration you will be sent an email with all important infos and links.

Register Now »


Call for Papers

We invite you to submit a paper and join us at EuroUSEC 2021, which will be held on October 11 & 12, 2021 online. EuroUSEC 2021 will be an independent event with proceedings published by ACM.

We are excited to welcome original work describing research, visions, or experiences in all areas of usable security and privacy. We welcome a variety of research methods, including both qualitative and quantitative approaches.

We accept both longer papers on mature/completed work in a research track, as well as shorter papers on work in progress or work that has yet to begin in a vision track. This decision to accept both types of submissions, which started with EuroUSEC 2019, aims to include researchers at all stages of their career and at all stages of their projects.

Topics include, but are not limited to:

  • innovative security or privacy functionality and design
  • accessible cyber privacy and security
  • cyber diplomacy
  • new applications of existing models or technology
  • field studies of security or privacy technology
  • usability evaluations of new or existing security or privacy features
  • security testing of new or existing usability features
  • longitudinal studies of deployed security or privacy features
  • studies of administrators or developers and support for security and privacy
  • psychological, sociological, and economic aspects of security and privacy
  • the impact of organizational policy or procurement decisions
  • methodologies for usable security and privacy research
  • lessons learned from the deployment and use of usable privacy and security features
  • reports of replicating previously published studies and experiments
  • reports of failed usable privacy/security studies or experiments, with the focus on the lessons learned from such experience

For accepted papers, at least one author must attend EuroUSEC.



Important Dates

Paper registration deadline (mandatory):       Monday, 7th June, 2021 (Anywhere on Earth)                
Paper submission deadline: Friday, 11th June, 2021(Anywhere on Earth)
Notification: Thursday, 8th July, 2021
   
Revision decision re-submission deadline: Friday, 23rd July, 2021 (Anywhere on Earth)
Revision notification: Friday, 6th August, 2021
   
Camera ready: 10th August, 2021
EuroUSEC: 11th & 12th October, 2021



Submission Instructions

Papers must be written in English and must be anonymized for review. EuroUSEC 2021 will use a double-blind review process such that reviewers are not revealed to the authors and authors are not revealed to reviewers. Please refer to your own related work in the third person, as though someone else had written it. This requirement also applies to data sets and artifacts. (For example, "We received data from the authors of Smith et al. [31] that we reused for this experiment.") Do not blind citations except in extraordinary circumstances.

All submissions must be original work. Authors must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed. Serious infringements of these policies may cause the paper to be rejected from publication and the authors put on a warning list, even if the paper is initially accepted by the program committee. Contact the EuroUSEC chairs if there are questions about this policy.

All submissions must be use the ACM Word or LaTeX templates. These templates can be obtained on the ACM author submission information website. Due to the changes in the templates by ACM last year, submissions to EuroUSEC will be possible in either the new ACM one-column submission format or the old two-column format. Note that for the camera-ready submission to The ACM Publishing System (TAPS), you will need to use the one-column format, so it might be worth it to use it already for your submission. Please see below in the descriptions for the Research Track and the Vision Trackfor more details. Contact the EuroUSEC chairs if there are any questions.

Research Track: The research track is intended to report on more mature work that has been completed. The goal of the EuroUSEC's research track is to disseminate results of interest to the broader usable security and privacy community. Papers must not be more than 10 pages in length when using the two-column format or 16 pages in length when using the new one-column submission format, in both cases excluding the bibliography. Try to scale the length of the paper according to the contributions you describe therein. Authors have the option to attach to their paper supplementary appendices containing study materials (e.g., survey instruments, interview guides, etc.) that would not otherwise fit within the body of the paper. Reviewers are not required to read any appendices, so your paper should be self-contained without them. ACM also allows publication of additional supplemental materials and we want to encourage all authors to use this option to provide research artifacts if applicable (e.g., builds of own software used in the study).

Vision Track: The vision track is intended to report on work in progress or concrete ideas for work that has yet to begin. The focus in the vision track is to spark discussion with the goal to provide the authors helpful feedback, pointers to potentially related investigations, and new ideas to explore. Suitable submissions to the vision track include traditional work-in-progress pieces such as preliminary results of pre-studies, but also research proposals and position papers outlining future research. Papers must be up to 6 pages in length when using the two-column-format or up to 9 pages in length when using the one-column format, in both cases including the bibliography and with no appendices. Submissions to the vision track should have a title beginning with the prefix "Vision: ".

Submission Site

Please upload your submission via this link: HotCRP Submission

Proceedings

The EuroUSEC 2021 proceedings will be published through ACM as part of their International Conference Proceedings Series (ICPS). ACM will put the full-text of the proceedings papers into the ACM Digital Library. There will be no hard copies.


Program Committee Chairs

The chairs can be contacted at eurousec21-chairs@lists.kit.edu

Publicity Chairs

  • Sanchari Das, University of Denver (USA)
  • Anne Hennig, Karlsruhe Institute of Technology (Germany)
  • Theodor Schnitzler, Ruhr University Bochum (Germany)

Program Committee

  • Ali Farooq, University of Turku (Finland)
  • Benjamin Berens, Karlsruhe Institute of Technology (Germany)
  • Christian Reuter, Technische Universität Darmstadt (Germany)
  • Christian Stransky, Leibniz University Hannover (Germany)
  • Craig Orgeron, Amazon Web Services (USA)
  • Daniel Thomas, Strathclyde University (UK)
  • Daricia Wilson, Clemson University (USA)
  • Florian Alt, Bundeswehr University Munich (Germany)
  • Heinrich Hußmann, Ludwig-Maximilians-Universität München (Germany)
  • Ingolf Becker, University College London (UK)
  • Ivano Bongiovanni, University of Queensland (Australia)
  • James Nicholson, Northumbria University (UK)
  • Jan-Willem Bullee, University of Twente (Netherlands)
  • Jeremiah Onaolapo, University of Vermont (USA)
  • Jurlind Budurushi, Cloudical Deutschland GmbH (Germany)
  • Karl van der Schyff, Rhodes University (South Africa)
  • Karoline Busse, University of Applied Administrative Sciences Lower Saxony (Germany)
  • Kévin Huguenin, University of Lausanne (Switzerland)
  • Kevin Roundy, NortonLifeLock Research Group (USA)
  • Lydia Kraus, Masaryk University (Czech Republic)
  • Lisa Short, University of Johannesburg (South Africa)
  • Nina Gerber, Technische Universität Darmstadt (Germany)
  • Nora Abdullah, King Saud University (Saudi Arabia)
  • Norbert Nthala, Michigan State University (USA)
  • Oliver Wiese, FU Berlin (Germany)
  • Oksana Kulyk, IT University Copenhagen (Denmark)
  • Oshrat Ayalon, Max Planck Institute for Software Systems (Germany)
  • Patricia Aria-Cabarcos, Karlsruhe Institute of Technology (Germany)
  • Peter Gorski, INFODAS GmbH (Germany)
  • Paul Van Schaik, Teesside University (UK)
  • Rahul Chatterjee, University of Wisconsin Madison (USA)
  • Reinhardt Botha, Nelson Mandela University (South Africa)
  • Richard Shay, MIT Lincoln Laboratory (USA)
  • Sana Maqsood, Carleton University (Canada)
  • Sanchari Das, University of Denver (USA)
  • Scott Ruoti, The University of Tennessee (USA)
  • Simon Parkin, TU Delft (Netherlands)
  • Tatsuya Mori, Waseda University (Japan)
  • Thomas Gross, Newcastle University (UK)
  • Verena Distler, University of Luxembourg (Luxembourg)
  • Yixin Zou, University of Michigan (USA)

Steering Committee

  • Angela Sasse, Ruhr University Bochum / Ruhr-Universität Bochum (Germany)
  • Matthew Smith, University of Bonn / Rheinische Friedrich-Wilhelms-Universität Bonn (Germany)
  • Melanie Volkamer, Karlsruhe Institute of Technology (Germany)
  • Charles Weir, Lancaster University (UK)


Sponsors