Softare Engineering Thesis Proposal
- Remote Access - Zoom
- Virtual Presentation - ET
- DANIEL SMULLEN
- Ph.D. Student
- Ph.D. Program in Software Engineering
- Institute for Software Research, Carnegie Mellon University
Informing the Design and Refinement of Privacy and Security Controls
With the increase in both privacy and security risks and the proliferation of security and privacy controls in computer systems, managing one’s privacy and security choices is becoming ever more important, yet complex. Are so many controls actually needed? Are they the right controls and are they effective? Ideally available controls should enable people to align system behaviors with their security and privacy preferences. These preferences themselves typically reflect the level of flexibility users want their systems to have, their tolerance for risk, and their confidence in their ability to mitigate these risks using available controls. This dissertation explores security and privacy settings available in browsers and mobile phones. Our overall objective is to determine whether these settings are effective in giving users the control and protection they need. This includes looking at whether users are able to identify security and privacy risks, whether they are aware of available controls and what these controls do, and whether they are able to effectively and efficiently take advantage of available controls to mitigate risks and eliminate system behaviors with which they are not comfortable.
This dissertation comprises a series of three studies designed to help answer the questions identified above. This includes a study of limitations of the most popular browsers when it comes to informing users of key security and privacy risks, and empowering them to mitigate these risks. The second study explores people’s privacy and security preferences when it comes to protecting themselves against a collection of potentially intrusive practices. This includes looking at opportunities to simplify settings which users have to control. Our third study focuses on mobile app security and privacy controls in the form of mobile app permissions, looking at the extent to which these permissions are properly aligned with people’s concerns. We explore to what extent more granular settings would enable people to better restrict unacceptable behaviors. We also explore the extent to which machine learning can help mitigate inherent tradeoffs between the level of control users have and the resulting burden they experience in exercising this control.
Except for one additional study, the work described in this proposal has already been completed, and the author believes that the remaining work can be submitted by the end of the August 2021.
Norman Sadeh (Chair)
Alessandro Acquisti (Heinz)
Yaxing Yao (University of Maryland, Baltimore County)
Rebecca Weiss (Mozilla)
Zoom Participation. See announcement.