Human factors are an essential aspect of cybersecurity. Take for example credit card payments on the web. A protocol for reducing fraud by authenticating the cardholder, 3-D Secure, was introduced by VISA in 1999 and adopted by other payment networks, but has seen limited deployment because of poor usability. Now 3-D Secure 2.0 attempts to reduce friction by asking the merchant to share privacy-sensitive customer information with the bank and giving up on cardholder authentication for transactions deemed low-risk based on that data. A protocol with better usability would provide better security without impinging on cardholder privacy.
But human factors are not limited to the usability of cybersecurity defenses. In biometric authentication, human factors are the very essence of the defense. Human factors are also of the essence in cybersecurity attacks such as phishing and social engineering attacks, and play a role in enabling or spreading attacks that exploit technical vulnerabilities.
The 1st International Conference on HCI for Cybersecurity, Privacy and Trust (HCI-CPT) recognizes the multifaceted role played by human factors in cybersecurity, and intends to promote research that views Human-Computer Interaction (HCI) as “a fundamental pillar for designing more secure systems”. A call for participation can be found here.
The new conference is special in that it is an initiative of the HCI community. It is affiliated with HCI International (HCII) 2019, and attendance will be open to all participants in the parent conference, since affiliated conferences of HCII are held under one registration. Past HCII Conferences were attended by approximately 2000 participants from more than 70 countries, so if you present an interesting paper you may attract a large audience and be able to discuss your ideas with researchers and practitioners of a variety of HCI disciplines from around the world. The program chair of HCI-CPT is Abbas Moallem, HCI expert and editor of the newly published CRC Press book Human-Computer Interaction and Cybersecurity Handbook.
Another special feature of the new conference is that it calls for contributions on “applications of cryptography to cybersecurity, privacy, and trust”, listing a sample of possible topics in that area.
Cryptography is a powerful cybersecurity tool that is sadly underutilized due to technology transfer failures. Before 3-D Secure, the SET protocol for online credit card payments included cryptographic authentication of the cardholder, but was abandoned. TLS client certificates are still only used in limited settings. Cryptographic authentication with a key pair is only now being standardized by the W3C. Moving in the wrong direction, the USPTO is now in the process of abandoning certificates and replacing them with less secure “modern” methods of authentication for its EFS Web and Private PAIR web apps. Techniques such as zero-knowledge proofs, which enable unlinkable credentials, or identity-based cryptography, which eliminates the need for public key distribution, are rarely used in practice. In a success story for cryptography, encrypted messaging is now commonly used in social apps; but signed and encrypted email over SMTP is still infrequently used.
All these technology transfer failures can be blamed on human factors, as the cryptography is well understood but the human factors that hinder deployment are not. Hopefully the new conference will help make better use of cryptographic techniques in the real world.
The new conference goes beyond human factors to other human aspects of cybersecurity, as it calls for contributions on “legal, ethical, economic and societal issues in cybersecurity”. The broad list of suggested topics in that category includes long-standing ones such as user tracking or trust frameworks, as well as hot topics that have emerged recently, such as data protection regulations or ethnic bias in face recognition accuracy.
I hope I have talked you into participating in HCI-CPT. The deadline for submission of a regular paper is October 12, but only an 800-word abstract is due by that date. Tutorial proposals are also due October 12. There are later deadlines for other forms of participation. To make a submission, use the Submissions tab of the parent conference, HCI International 2019. When submitting a paper abstract, choose “HCI for Cybersecurity, Privacy and Trust” in the Thematic Area menu.