Skip to main content

2021 | Buch

Socio-Technical Aspects in Security and Trust

10th International Workshop, STAST 2020, Virtual Event, September 14, 2020, Revised Selected Papers


Über dieses Buch

This book constitutes the refereed post-conference proceedings of the 10th International Workshop on Socio-Technical Aspects in Security and Trust, STAST 2020, held as a virtual event, in September 2020.

The 8 full papers and 3 short papers presented in this volume were carefully reviewed and selected from 42 submissions and are organized in the following topical sections: personality and behavior; behavior in face of adversaries; smart environments; decentralized systems and digital ledgers; and reflections on socio-technical aspects of security.

The Chapter “Statistical Reliability of 10 Years of Cyber Security User Studies” is available open access under a Creative Commons Attribution 4.0 International License via



Personality and Behavior

How Can Personality Influence Perception on Security of Context-Aware Applications?
[Context and Motivation] Our lives are being transformed by context-aware software applications with important social, environmental, and economic implications. [Question/Problem] Experts recognized that quality attributes, e.g. security, are the cornerstone to get healthy social implications of these applications. However, do end-users (service consumers) perceive these attributes as so important? [Methodology] To answer this question, we designed a survey, to understand how end-users perceive security of context-aware software applications and how the users’ personality traits might influence their perceptions. To this end, we did a web-based survey that embeds two animated-demonstration videos in order to present i) the functionality of a context-aware mobile app, and ii) some vulnerabilities of the mobile app. It involved 48 subjects divided in two groups: subjects with software engineering (SE) background (Group A) and subjects without any SE background (Group B). [Results] Our study found that the importance of confidentiality and integrity is more clearly perceived by subjects with SE backgrounds (Group A). Accountability is more difficult to be perceived by subjects. And this difficulty can be even more pronounced for subjects without any SE background (Group B). Our findings suggest that importance preferences on security are influenced by personality types. For instance, open-minded people have a higher propensity to perceive the importance of confidentiality and integrity. Whilst, people with a high level of agreeableness hold quite different perceptions regarding the importance of authenticity and accountability. Analyzing the level of association between personality and the perceived importance on security, we found that the importance perceptions on confidentiality are influenced by the personality of subjects from Group B. And, the changes (positive an negative) in the importance perception on confidentiality are very strongly influenced by personality, even more so by the personality of subjects from Group B.
Nelly Condori-Fernandez, Franci Suni-Lopez, Denisse Muñante, Maya Daneva
Refining the Blunt Instruments of Cybersecurity: A Framework to Coordinate Prevention and Preservation of Behaviours
Background. Cybersecurity controls are deployed to manage risks posed by malicious behaviours or systems. What is not often considered or articulated is how cybersecurity controls may impact legitimate users (often those whose use of a managed system needs to be protected, and preserved). This oversight characterises the ‘blunt’ nature of many cybersecurity controls.
Aim. Here we present a framework produced from a synthesis of methods from cybercrime opportunity reduction and behaviour change, and a consideration of existing risk management guidelines.
Method. We illustrate the framework and its principles with a range of examples and a potential application focusing on online abuse and social media controls, relating in turn to issues inherent in cyberbullying and tech-abuse.
Results. The framework describes a capacity to improve the precision of cybersecurity controls by examining shared determinants of negative and positive behaviours in a system. This identifies opportunities for risk owners to better protect legitimate users while simultaneously acting to prevent malicious activity in a managed system.
Conclusions. We describe capabilities for a novel approach to managing sociotechnical cyber-risk which can be integrated into typical risk management processes. This includes consideration of user activities as a system asset to protect, and a consideration of how to engage with other stakeholders to identify behaviours to preserve in a system.
Simon Parkin, Yi Ting Chua

Behavior in Face of Adversaries

Natural Strategic Abilities in Voting Protocols
Security properties are often focused on the technological side of the system. One implicitly assumes that the users will behave in the right way to preserve the property at hand. In real life, this cannot be taken for granted. In particular, security mechanisms that are difficult and costly to use are often ignored by the users, and do not really defend the system against possible attacks.
Here, we propose a graded notion of security based on the complexity of the user’s strategic behavior. More precisely, we suggest that the level to which a security property \(\varphi \) is satisfied can be defined in terms of (a) the complexity of the strategy that the voter needs to execute to make \(\varphi \) true, and (b) the resources that the user must employ on the way. The simpler and cheaper to obtain \(\varphi \), the higher the degree of security.
We demonstrate how the idea works in a case study based on an electronic voting scenario. To this end, we model the vVote implementation of the Prêt à Voter voting protocol for coercion-resistant and voter-verifiable elections. Then, we identify “natural” strategies for the voter to obtain receipt-freeness, and measure the voter’s effort that they require.
Wojciech Jamroga, Damian Kurpiewski, Vadim Malvone
A Study of Targeted Telephone Scams Involving Live Attackers
We present the results of a research study in which participants were subjected to social engineering attacks via telephone, telephone scams, in order to determine the features of scams which people are most susceptible to. The study has involved 186 university participants who were attacked with one of 27 different attack scripts which span different independent variables including the pretext used and the method of elicitation. In order to ensure informed consent, each participant was warned that they would receive a scam phone call within 3 months. One independent variable used is the time between the warning and launching the scam. In spite of this warning, a large fraction of participants were still deceived by the scam.
A limitation to research in the study of telephone scams is the lack of a dataset of real phone scams for examination. Each phone call in our study was recorded and we present the dataset of these recordings, and their transcripts. To our knowledge, there is no similar publicly-available dataset or phone scams. We hope that our dataset will support future research in phone scams and their detection.
Ian G. Harris, Ali Derakhshan, Marcel Carlsson

Smart Environments

User Privacy Concerns and Preferences in Smart Buildings
Smart buildings are socio-technical systems that bring together building systems, IoT technology and occupants. A multitude of embedded sensors continually collect and share building data on a large scale which is used to understand and streamline daily operations. Much of this data is highly influenced by the presence of building occupants and could be used to monitor and track their location and activities. The combination of open accessibility to smart building data and stringent data protection legislation such as the GDPR makes the privacy of smart building occupants a concern. Until now, little if any research exists on occupant privacy in work-based or commercial smart buildings. This paper begins to address this gap by reporting on a study conducted amongst occupants of a state-of-the-art commercial smart building to understand their privacy concerns and preferences. Our results show that the majority of the occupants are not familiar with the types of data being collected, that it is subtly related to them, nor the privacy risks associated with it. When we informed occupants about this data and the risks, they became more concerned and called for more transparency in the data collection process. The occupants were also largely averse to open accessibility of the collected data.
Scott Harper, Maryam Mehrnezhad, John C. Mace
Work in Progress: Towards Usable Updates for Smart Home Devices
Background. Smart home device updates are important tools for remediating security vulnerabilities.
Aim. We aim to understand smart home users’ perceptions of and experiences with updates.
Method. We interviewed 40 smart home users and analyzed a subset of data related to updates. We are also planning a broader, follow-on survey.
Results. Users experienced inconsistency in update transparency and methods, were confused about how and if updates are applied, and seldom linked updates to security.
Conclusion. Our efforts will provide a new understanding of smart home updates from a usable security perspective and how those are similar/different to views on updates of conventional IT.
Julie M. Haney, Susanne M. Furman

Decentralized Systems and Digital Ledgers

WARChain: Blockchain-Based Validation of Web Archives
Background. Web archives store born-digital documents, which are usually collected from the Internet by crawlers and stored in the Web Archive (WARC) format. The trustworthiness and integrity of web archives is still an open challenge, especially in the news portal domain, which face additional challenges of censorship even in democratic societies.
Aim. The aim of this paper is to present a light-weight, blockchain-based solution for web archive validation, which would ensure that the crawled documents are authentic for many years to come.
Method. We developed our archive validation solution as an extension and continuation of our work in web crawler development, mainly targeting news portals. The system is designed as an overlay over a blockchain with a proof-of-stake (PoS) distributed consensus algorithm. PoS was chosen due to its lower ecological footprint compared to proof-of-work solutions (e.g. Bitcoin) and lower expected investment in computing infrastructure.
Results. We implemented a prototype of the proposed solution in Python and C#. The prototype was tested on web archive content crawled from Hungarian news portals at two different timestamps which consisted of 1 million articles in total.
Conclusions. We concluded that the proposed solution is accessible, usable by different stakeholders to validate crawled content, deployable on cheap commodity hardware, tackles the archive integrity challenge and is capable to efficiently manage duplicate documents.
Imre Lendák, Balázs Indig, Gábor Palkó
Cyber 9/11 Will Not Take Place: A User Perspective of Bitcoin and Cryptocurrencies from Underground and Dark Net Forums
Background. There is a historical narrative of fear surrounding cybercrime. This has extended to cryptocurrencies (CCs), which are often viewed as a criminal tool. Aim. To carry out the first user study of CCs for illicit activity, from the perspective of underground and dark net forums. Method. We conducted a qualitative study, using a content analysis method, of 16,405 underground and dark net forum posts selected from CrimeBB, a dataset of 100 million posts curated by the Cambridge Cybercrime Centre. Results. Firstly, finality of payments emerged as a major motivator for the use of CCs. Second, we propose an Operational Security Taxonomy for Illicit Internet Activity to show that CCs are only one part of several considerations that combine to form security in illicit internet transactions. Third, the dark net is hard to use and requires significant study, specialist equipment and advanced knowledge to achieve relative security. Conclusion. We argue that finality is the main advantage of CCs for this user group, not anonymity as widely thought. The taxonomy shows that banning CCs is unlikely to be effective. Finally, we contend that the dark net is a niche for criminal activity and fears over cybercrime cause the threat to be exaggerated.
Simon Butler
Self-Governing Public Decentralised Systems
Work in Progress
The selection of members responsible for data replication is a challenge in decentralised record-keeping systems. In ‘permissioned’ systems, this crucial task is performed by a central authority or consortium. In ‘permissionless’ systems, however, the selection process is not trivial and comes with risks. Malicious actors, in a privileged position, can tamper with data, threatening the integrity of the system as a whole. Permissionless membership selection protocols, popularised with the dissemination of distributed ledger technology, have the objective of limiting the influence of a single entity on the wider network. They do so by approximating a participant’s legitimacy to participate in record maintenance. These approximations come with downsides, in terms of attackability, system performance, supported use-cases and resource requirements. In this paper, we propose a prototypical membership selection protocol that uses the measure of personhood as an approximation of legitimacy. Interpreting a decentralised system as a political system, we frame the membership selection problem as one of political representation. We propose a protocol that democratically attributes a personhood score to members, thus creating a self-governing public decentralised system. This work in progress lays out a roadmap for the formal evaluation of self-governing public decentralised systems and describes the anticipated challenges in their implementation. Our proposals provide a means to evolve the membership selection protocol when a closed, permissioned system evolves to an open, permissionless system, as several commercial platforms intend to do.
Moritz Platt, Peter McBurney

Reflections on Socio-Technical Aspects of Security


Open Access

Statistical Reliability of 10 Years of Cyber Security User Studies
Background. In recent years, cyber security user studies have been appraised in meta-research, mostly focusing on the completeness of their statistical inferences and the fidelity of their statistical reporting. However, estimates of the field’s distribution of statistical power and its publication bias have not received much attention.
Aim. In this study, we aim to estimate the effect sizes and their standard errors present as well as the implications on statistical power and publication bias.
Method. We built upon a published systematic literature review of 146 user studies in cyber security (2006–2016). We took into account 431 statistical inferences including t-, \(\chi ^2\)-, r-, one-way F-tests, and Z-tests. In addition, we coded the corresponding total sample sizes, group sizes and test families. Given these data, we established the observed effect sizes and evaluated the overall publication bias. We further computed the statistical power vis-à-vis of parametrized population thresholds to gain unbiased estimates of the power distribution.
Results. We obtained a distribution of effect sizes and their conversion into comparable log odds ratios together with their standard errors. We, further, gained funnel-plot estimates of the publication bias present in the sample as well as insights into the power distribution and its consequences.
Conclusions. Through the lenses of power and publication bias, we shed light on the statistical reliability of the studies in the field. The upshot of this introspection is practical recommendations on conducting and evaluating studies to advance the field.
Thomas Groß
Privacy, Security and Trust in the Internet of Neurons
Arpanet, Internet, Internet of Services, Internet of Things, Internet of Skills. What next? We conjecture that in a few years from now, we will have the Internet of Neurons, in which humans will be able to connect bi-directionally to the net using only their brain. The Internet of Neurons will provide new, tremendous opportunities thanks to constant access to unlimited information, but it will also bring along enormous challenges, especially concerning security, privacy and trust. In this paper we discuss the main technological (and neurological) breakthroughs required to enable the Internet of Neurons, the new opportunities it provides and the security challenges it raises. We also elaborate on the novel system models, threat models and security properties that are required to reason about privacy, security and trust in the Internet of Neurons.
Diego Sempreboni, Luca Viganò
Socio-Technical Aspects in Security and Trust
herausgegeben von
Dr. Thomas Groß
Prof. Luca Viganò
Electronic ISBN
Print ISBN

Premium Partner