ABSTRACT
Research in computer security has increasingly considered the needs of marginalized and vulnerable groups in technology. Through this work, we hope to translate this research movement into practice and, ultimately, cause designers-in-training (and, eventually, designers) to consider a more inclusive range of stakeholders. Thus, we created an educational intervention to center marginalized and vulnerable populations in the context of threat modeling. We find that computer security students are more likely to consider unique threats and vulnerabilities facing marginalized and vulnerable populations after being exposed to an intervention prompting them to think about populations that might often be overlooked. We suggest practical methods to teach designers-in-training inclusive methods in computer security and discuss other possible adoptions of this practice across the field. This work is part of an important shift toward inclusive security that centers marginalized and vulnerable populations both in research and in practice.