
Event

Praktikum Security, Usability and Society (Master) [WS232512555]

Type: internship (P), Online
Term: WS 23/24
SWS: 3
Language: German/English
Appointments: 0

Lecturers

Organisation

  • Security, Usability and Society

Part of

Note

The Praktikum Security, Usability and Society will cover topics both of usable security and privacy programming, and how to conduct user studies. To reserve a place, please register on the WiWi portal and send an email with your chosen topic, plus a back-up one, to mattia.mossano@kit.edu. Topics are assigned first-come-first-served until all of them are filled. Topics in italics have already been assigned.


There are two deadlines:

Summer round closes on 16.07.2023. Assignment will be done by 17.07.2023 and confirmation must be received by 21.07.2023.
Autumn round opens 11.09.2023 and closes on 08.10.2023. Assignment will be done by 09.10.2023 and confirmation must be received by 13.10.2023.


Important dates:

Kick-off: 05.10.2023, 09:00 AM CET in Big Blue Button - Link


Report & code feedback deadline: 01.03.2024, 23:59 CET
Feedback on Report & code: 08.03.2024, 23:59 CET
Final report + code deadline: 15.03.2024, 23:59 CET

Presentation draft deadline: 15.03.2024, 23:59 CET
Feedback on presentation draft: 19.03.2024, 23:59 CET
Final presentation deadline: 22.03.2024, 23:59 CET

Presentation day: 29.03.2024, 09:00 CET


Topics:


Programming Usable Security Intervention

In this subject, students develop a piece of code, an extension, or another programming task dealing with various usable security interventions, e.g. as an extension. Examples are TORPEDO ( https://secuso.aifb.kit.edu/english/TORPEDO.php ) or PassSec+ ( https://secuso.aifb.kit.edu/english/PassSecPlus.php ). Just as before, students are provided with a point list of goals, containing both basic features mandatory to pass the course and more advanced ones that heighten the final grade.

Title: Making e-mails more visible by embedding moving images
Number of students: 1 Master
Description: In case of a security incident, it is necessary to inform the affected persons about their vulnerabilities as soon as possible. Within the context of the INSPECTION project, we are currently informing website owners via e-mail about security-related vulnerabilities on their websites. Although e-mails have been shown to be the most cost-efficient means to deliver such information, they have not led to an appropriate remediation rate. While speaking to the affected website owners, we learned that they would appreciate more information, though not delivered as more text in the e-mail. We also learned that most e-mails were not read because they were considered spam. Thus, we need to find a way to make e-mail notifications more effective in raising people's awareness. Videos have been proven effective to raise awareness in the context of IT security. The goal of the project will be to explore ways to embed videos in an e-mail via HTML (either as GIFs or as a preview to a YouTube video). The challenge is to make this e-mail readable for different clients and webmail as well as getting it delivered through spam filters.


Designing Security User studies

These topics are related to how to set up and conduct user studies of various types. Online studies, interviews and lab studies are possible. At the end of the semester, the students present a report / paper and a talk in which they present their methodologies and the results of small pre-studies.

Title: Designing User Studies for Evaluating Biometric Authentication Systems
Number of students: 1 Bachelor or Master level
Description: The proposed topic focuses on designing and implementing a user study methodology to evaluate the usability and user perception of biometric authentication systems. Biometric authentication involves using unique physiological or behavioral characteristics, such as fingerprints, facial recognition, or voice patterns, to verify a user's identity. The goal of this research is to understand the factors that affect the effectiveness and acceptance of biometric authentication and provide insights for designing user-friendly and secure biometric authentication systems.

Title: Can anxiety influences security advices
Number of students: 1 Master level
Description: Nowadays ChatGPT is used for a multitude of reasons. One is to ask advice on security topics. However, previous research showed that ChatGPT often creates answers based on previous interactions with it. Therefore, is it possible that security advice also changes according to the previous interaction? And if this is the case, can more anxious prompts lead to completely different results? The student will have to read the previous literature on ChatGPT, find expert advice on security topics and create an experiment to determine if anxiety influenced the advice given by ChatGPT.

Title: Investigating ChatGPT privacy tradeoffs and users perception of them (English only)
Number of students: 1 Master level
Description: As ChatGPT grows in popularity, it becomes increasingly vital to examine the privacy trade-offs associated with its usage. The user's willingness to accept these trade-offs is instrumental in understanding the wider implications of employing AI language models. This topic involves a two-part exploration into the privacy trade-offs of using ChatGPT. Initially, the student will analyse ChatGPT's Terms and Conditions and conduct a short literature review to identify potential privacy trade-offs. The found trade-offs need to be categorised into a set of trade-offs that will be investigated. Subsequently, the student will design an online user study, incorporating various question types and a deception study, to gauge the willingness of ChatGPT users to accept these trade-offs. Finally, the student will test the designed online user study in the course of a small pre-test.


Run Usable Security Studies and Results Analysis

These topics are related to running user studies and analysing their results. Online studies, interviews and lab studies are all possible, depending on the topic. At the end of the semester, the students present a report / paper with the analyses conducted and a talk in which they present the results.

Title: Phishing through homographic attacks in messengers and social networks
Number of students: 1-2 Bachelor or Master level
Description: The task will be to test three types of attacks in messengers and social networks that work in some email clients. The first is the link mismatch attack, where the link text differs from the actual link target. The second is an attack in which the actual link target is disguised by URL encoding [https://en.wikipedia.org/wiki/URL_encoding]. The third is the homographic attack, which uses Internationalized Domain Names [https://en.wikipedia.org/wiki/IDN_homograph_attack] and in which Latin characters are replaced by characters of a different alphabet in the domain name. The attacks are predefined, so no knowledge of phishing techniques is required.

Title: Usability Study of Mobile Authentication for Elderly Users with Rheumatoid Arthritis (English only)
Number of students: 1 Bachelor or Master level
Description: Authentication is an ever-important topic, especially in the mobile context. However, it becomes even more relevant when considering accessibility to it. Nowadays, a common authentication method is using a PIN. Yet, given the low hand mobility of users affected by rheumatoid arthritis, using PINs can sometimes be difficult. In this topic, the student will conduct several sessions of an already designed lab study with various participants using arthritis simulation gloves to evaluate three PIN-pad interfaces aimed at making authentication more accessible. The study will also investigate the preferences of users regarding PIN-pad interfaces through drawings and proposals of changes. The student will then analyse the results through inferential statistics. Depending on the quality of the outcome, the results will then be published in a paper and the student will be added to the author list.


This event counts towards the KASTEL certificate. Further information on how to obtain the certificate can be found on the SECUSO website (https://secuso.aifb.kit.edu/Studium_und_Lehre.php).