Veranstaltungsprogramm

As digitization continues, consumers are increasingly exposed to AI’s scoring decisions. However, we lack a thorough understanding of how users' misjudgments lead to a rejection of the system. Therefore, we must investigate the appropriation of such socio-technical systems in practice and how users describe their experience with algorithm-based scoring. To address this issue, we evaluated 1003 user reviews of an app of car insurance that calculates its premium based on the consumers' individual driving behavior. We find evidence that users develop their own folk theories to explain the algorithms with the help of situation-related experiences and that insufficient explanations lead to power asymmetries between consumers, the system, and the company. In particular, we uncover a fundamental conflict between computational risk assessment and the perceived agency to influence the score as a result of the different needs of the stakeholders involved.

Dark patterns are malicious interface design strategies on the web and in apps that trick users into decisions that go against their best interests, costing them money, time, or private data. While there are approaches to classifying these patterns and investigating user awareness, there has been little work looking into visual countermeasures against dark patterns. In this work, we used an online survey to investigate concepts for six visual countermeasures against three common dark patterns: Confirmshaming, Low-stock Message, and Visual Interference. Our results indicate two opposing forces for users: On the one hand, users dislike systems actively making silent changes to their screen, preferring to be informed about the presence of dark patterns. On the other hand, they do not want applications to become visually cluttered, as this may impact their productivity. We found that different applications of dark patterns require different countermeasures, and that individual preferences vary strongly.

English: An important factor for the effectiveness of security awareness measures in companies is awareness and consistency of security policies. As part of a case study, a document was created using a user-centred approach that gives an overview of all relevant individual documents (so-called overview document). In addition, a process for publication was developed and evaluated iteratively. The case study took place at a medium-sized energy company in Germany. General lessons learned are derived from the case study. For example, distributing important documents via e-mail carries the risk that this is perceived as less important or is not perceived at all.

Deutsch: Ein wichtiger Faktor für die Effektivität von Security Awareness-Maßnahmen in Unternehmen sind die Bekanntheit und Konsistenz von Security Policies. Im Rahmen einer Case Study wurde mit einem nutzerzentrierten Ansatz ein Dokument, das den Nutzenden eine Übersicht über alle relevanten Einzeldokumente (sog. Übersichtsdokument) gibt und ein Prozess zur Bekanntmachung iterativ entwickelt und evaluiert. Die Case Study fand bei einem mittelgroßen Energieversorgungsunternehmen in Deutschland statt. Aus der Case Study werden allgemeine Lessons Learned abgeleitet. Beispielsweise birgt eine Verteilung von wichtigen Dokumenten über E-Mail die Gefahr, dass diese gar nicht oder als weniger wichtig wahrgenommen wird.

Modern smartphones support FIDO2 passwordless authentication using either external security keys or internal biometric authentication, but it is unclear whether users appreciate and accept these new forms of web authentication for their own accounts. We present the first lab study (N=87) comparing platform and roaming authentication on smartphones, determining the practical strengths and weaknesses of FIDO2 as perceived by users in a mobile scenario. Most participants were willing to adopt passwordless authentication during our in-person user study, but closer analysis shows that participants prioritize usability, security, and availability differently depending on the account type. We identify remaining adoption barriers that prevent FIDO2 from succeeding password authentication, such as missing support for contemporary usage patterns, including account delegation and usage on multiple clients.

Humans can play a decisive role in detecting and mitigating cyber attacks if they possess sufficient cybersecurity skills and knowledge. Realizing this potential requires effective cybersecurity training. Cyber range exercises (CRXs) represent a novel form of cybersecurity training in which trainees can experience realistic cyber attacks in authentic environments. Although evaluation is undeniably essential for any learning environment, it has been widely neglected in CRX research. Addressing this issue, we propose a taxonomy-based framework to facilitate a comprehensive and structured evaluation of CRXs. To demonstrate the applicability and potential of the framework, we instantiate it to evaluate Iceberg CRX, a training we recently developed to improve cybersecurity education at our university. For this matter, we conducted a user study with 50 students to identify both strengths and weaknesses of the CRX.