GWUSEC

@gwusec

@gwusec@infosec.exchange

github.com/gwusec

@gwusec

SEH 4390
(Bubble Lab through SEH4100 doors)

Notice: We are currently recruiting for a study on TikTok using the lab account @gwusec

GWUSEC Lab

GWUSEC Lab Group at USENIX Security, August 2022

David Balash presenting at USENIX Security, August 2022

Peter Mayer presenting at USENIX Security, August 2022

Collins Munyendo presenting at USENIX Security, August 2022

We are the George Washington University/Usable Security and Privacy Lab (GWUSEC). The lab works on problems related to computer security and privacy, with a human centered approach. We are interested in learning why and how users interact, understand, and use/misuse security and privacy tools, and then we design and build better solutions. We are also interested in more general problems related to cybersecurity and privacy. If you want to find out more, please join one of our public activities.

People

Adam J. Aviv
Associate Professor
Lab Director

Yasemin Acar
Professor, Paderborn University
Research Scientist at GW

Lucy Simko
Research Scientist
Postdoctoral Scholar

Jan Tolsdorf
Postdoctoral Scholar

Collins W. Munyendo
PhD Student

Adryana Hutchinson
PhD Student

Monica Kodwani
PhD Student

Neal Keating
PhD Student

Elena Korkes
MS Student

Rachel Gonzalez Rodriguez
MS Student

Leo Phan
Undergraduate

Viraj Prakash
Undergraduate

Faris Jiwad
Undergraduate

Tanim Khan
Undergraduate

If you are a current lab member or collaborator and would like to be added to the list of members, submit a pull request to the webpage repository.

Current and Former External Lab Collaborations

Irwin Reyes
Maximilian Golla (MPI-SP)
Philipp Markert (RUB)
Florian Farke (RUB)
Peter Mayer (Uni. Southern Denmark)
Dominik Wermke (University of Hannover)
Mindy Tran (Paderborn)
Harshinin Sriram (Paderborn)

Alumn/Past Members

Don Kim (UG)
Tim Forman (USNA/UG)
James Levy (MS)
Darika Shaibekova (UG/MS)
Xiaoyuan (Owen) Wu (UG) (Now a PhD student at CMU)
Hunter Dyer (Now at Sandia National Labs)
Jinsuk Lee (MS)
Kayla Berne (UG)
Marlee Alvino (UG)
David Balash (PhD) (Now an assistant professor at University of Richomnd)
Ruining Yang (MS) (Now a PhD student at SUNY Stony Brook)
Miles Grant (UG)
Eddie Cosak (UG)
Victoria Hennemann (UG)
Evan Fries (UG)
Alvin Isaacs (UG)

Join the lab!

So, you're interested in usability, computer security and privacy research, and you're interested in joining the lab? Great! We are always looking for new collaborators. What actions you should take depends on your background.

Prospective PhD Students
We are always looking for new PhD students, and if you are applying to grad school and interested in usable security and privacy, please consider GW! Please email Profs. Adam Aviv and Yasemin Acar with any inquiries, but be mindful, we may not follow up with everyone. Obvious form emails sent en mass will not receive a response, so please be sure to write a personal email that notes some background about yourself and what kinds of projects you're interested in researching.
GW Undergraduate/Masters Students
If you are a current GW student, either an undergraduate or masters students, the easiest way to get involved in the lab is to attend one of our public events. Participating in reading group or social events are the fastest way to learn what is happening in the lab, as well as earn an invite to the lab meeting.

You may also email Profs Adam Aviv if you are interested in research projects, but you will likely be directed to attend a public event. If you cannot attend a public event, we can arrange other times to meet.

Values Statement

At GWUSEC, we strive to conduct the highest quality academic research that is inclusive, diverse, and impactful. In those pursuits, we are guided by the following principles:

creativity — we reward creativity in our research, and do not confine or belittle others’ ideas;
integrity — we value honesty and accuracy in our communications and reports;
ethics — we consider the ethics of our research methods and treat our subjects with respect, always striving to minimize risk and maximize benefits;
scientific rigor — we seek academic and scientific rigor in our research efforts to explore subject matters in-depth;
inclusion — we recognize that that many groups have historically been marginalized in our field, and we strive to find ways to collaborate and partner with individuals across all backgrounds, races, and genders and uplift researchers and professionals who have been unjustly marginalized;
humility — we are willing to admit when we are wrong, take action to correct mistakes in ourselves, and treat mistakes as learning opportunities;
compassion — we show compassion to each other by supporting lab members in cases when their physical or mental health, personal life or family situation warrants special consideration;
justice — we believe in racial justice and oppose discrimination based on age, gender, race, ethnicity, religion, (dis)ability, economic background and nationality, and condemn oppression in any form.
impact — we are determined to conduct research that is impactful both within the scientific community and broadly for all humanity.

Publications

Adryana Hutchinson, Collins W. Munyendo, Peter Mayer, and Adam J. Aviv. An Analysis of Password Managers' Password Checkup Tools. ACM CHI Extended Abstracts 2024.
Adryana Hutchinson, Jinwei Tang, Adam J. Aviv, and Peter Story. Measuring the Prevalence of Password Manager Issues Using In-Situ Experiments. Symposium on Usable Security and Privacy (USEC) 2024.
Florian M. Farke, David G. Balash, Maximilian Golla and Adam J. Aviv. How Does Connecting Online Activities to Advertising Inferences Impact Privacy Perceptions?. Proceedings of Privacy Enhancing Technologies (PoPETs). 2024.
Peter Mayer, Yixin Zou, Byron M. Lowens, Hunter A. Dyer, Khue Le, Florian Schaub and Adam J. Aviv. Awareness, Intention, (In)Action: Individuals’ Reactions to Data Breaches. ACM Trans. Comput.-Hum. Interact.. Vol. 30 (5). Association for Computing Machinery. 2023 (doi) (bib)
Daniel V. Bailey, Collins W. Munyendo, Hunter A. Dyer, Miles Grant, Philipp Markert and Adam J. Aviv. "Someone Definitely Used 0000": Strategies, Performance, and User Perception of Novice Smartphone-Unlock PIN-Guessers. Proceedings of the 2023 European Symposium on Usable Security (EuroUSEC '23)
Collins W. Munyendo, Peter Mayer and Adam J. Aviv. "I Just Stopped Using One and Started Using the Other": Motivations, Techniques, and Challenges When Switching Password Managers. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS'23).
David G. Balash, Rahel A. Fainchtein, Elena Korkes, Miles Grant, Micah Sherr and Adam J. Aviv. Educators’ Perspectives of Using (or Not Using) Online Exam Proctoring. Proceedings of the 32nd USENIX Security Symposium (Sec'23). 2023
Collins Munyendo, Yasemin Acar, and Adam J. Aviv. "In Eighty Percent of the Cases, I Select the Password for Them": Security and Privacy Challenges, Advice, and Opportunities at Cybercafes in Kenya. In the proceedings of the IEEE Security and Privacy Smposium (IEEE SP23). May. 2023.
David G. Balash, Rahel A. Fainchtein, Elena Korkes, Miles Grant, Micah Sherr, and Adam J. Aviv. Educators’ Perspectives of Using (or Not Using) Online Exam Proctoring. In the proceedings of the 34th USENIX Security Symposium (USENIX Sec'23). Aug. 2023.
Peter Mayer, Yixin Zou, Bryon M. Lowens, Hunter A. Dyer, Khue Lee, Florian Schaub, and Adam J. Aviv. Awareness, Intention, (In)Action: Individuals' Reactions to Data Breaches. To appear in ACM Transactions on Computer-Human Interaction.
Rahel A. Fainchtein, Adam J. Aviv, and Micah Sherr. User Perceptions of the Privacy and Usability of Smart DNS. Annual Computer Security Applications Conference. (ACSAC'22). 2022.
Xiaoyuan Wu, Collins W. Munyendo, Eddie Cosic, Genevieve A. Flynn, Olivia Legault, and Adam J. Aviv. User Perceptions of Five-Word Passwords. Annual Computer Security Applications Conference. (ACSAC'22). 2022.
Peter Mayer, Collins Munyendo, Michelle L. Mazurek, and Adam J. Aviv. Why Users (Don't) Use Password Managers at a Large Educational Institution. USENIX Security Symposium (Sec'22). Aug. 2022.
Collins W. Munyendo, Philipp Markert, Alexandra Nisenoff, Miles Grant, Elena Korkes, Blase Ur, and Adam J. Aviv. "The Same PIN, Just Longer": On the (In)Security of Upgrading PINs from 4 to 6 Digits. USENIX Security Symposium (Sec'22). Aug. 2022.
David G. Balash, Xiaoyuan (Owen) Wu, Miles Grant, Irwin Reyes, and Adam J. Aviv. Security and Privacy Perceptions of Third-Party Application Access for Google Accounts. 31st USENIX Security Symposium (USENIX Security 22). Aug. 2022.
Collins Munyendo, Yasemin Acar, and Adam J. Aviv. "Desperate Times Call for Desperate Measures:"User Concerns with Mobile Loan Apps in Kenya. Proceedings of the 2022 IEEE Symposium on Security and Privacy - Oakland’22. May 2022.
Christian Stransky, Oliver Wiese, Volker Roth, Yasemin Acar and Sascha Fahl. 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. Proceedings of the 2022 IEEE Symposium on Security and Privacy - Oakland’22. Mat 2022. (preprint)
Dominik Wermke, Noah Woehler, Jan Klemmer, Marcel Fourné, Yasemin Acar, Sascha Fahl. Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects. Proceedings of the 2022 IEEE Symposium on Security and Privacy - Oakland'22. May 2022.
Marco Gutfleisch, Jan Klemmer, Niklas Busch, Yasemin Acar, Angela Sasse, Sascha Fahl. How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study. Proceedings of the 2022 IEEE Symposium on Security and Privacy - Oakland’22. May 2022. (preprint)
Jan Jancar, Marcel Fourné, Daniel De Almeida Braga, Mohamed Sabt, Peter Schwabe, Gilles Barthe, Pierre-Alain Fouque, Yasemin Acar. "They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks. Proceedings of the 2022 IEEE Symposium on Security and Privacy - Oakland’22. May 2022. (preprint)
Harjot Kaur, Sabrina Amft, Daniel Votipka, Yasemin Acar and Sascha Fahl. Where to Recruit for Security Development Studies from: Comparing Six Software Developer Samples. USENIX Security Symposium (Sec'22). Aug, 2022.
Christian Stransky, Oliver Wiese, Volker Roth, Yasemin Acar, Sascha Fahl, 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. Proceedings of the 2022 IEEE Symposium on Security and Privacy - Oakland’22
Jan Jancar, Marcel Fourne, Daniel De Almeida Braga, Mohamed Sabt, Peter Schwabe, Gilles Barth, Pierre-Alain Fouque, Yasemin Acar, “They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks. Proceedings of the 2022 IEEE Symposium on Security and Privacy - Oakland’22. May 2022.
Jaron Mink, Amanda Rose Yuile, Uma Pal, Adam J. Aviv and Adam Bates. Users can Deduce Sensitive Locations Protected by Privacy Zones on Fitness Tracking Apps. ACM CHI Conference on Human Factors in Computing Systems (CHI'22). May 2022
Hirak Ray, Ravi Kuber, and Adam J. Aviv. Investigating Older Adults’ Adoption and Usage of Online Conferencing Tools During COVID-19. 19th International Web for All Conference (W4A '22). April, 2022.
Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv. On the Security of Smartphone Unlock PINs. ACM Transactions on Privacy and Security (TOPS). Vol. 24 (4). ACM. Sep 2021.
Collins Munyendo, Miles Grant, Philipp Markert, Timothy J. Forman, and Adam J. Aviv. Using a Blocklist to Improve the Security of User Selection of Android Patterns . 17th Symposium on Usable Security and Privacy (SOUPS '21). Aug 2021.
David G. Balash, Dongkun Kim, Darika Shaibekova, Rahel A. Fainchtein, Micah Sherr, and Adam J. Aviv. Examining the Examiners: Students' Privacy and Security Perceptions of Online Proctoring Services. 17th Symposium on Usable Security and Privacy (SOUPS '21). Aug 2021. (arxiv)
Danil V. Baily, Philipp Markert, and Adam J. Aviv. ``I have no idea what they're trying to accomplish:'' Enthusiastic and Casual Signal Users' Understanding of Signal PINs. 17th Symposium on Usable Security and Privacy (SOUPS '21). Aug 2021.
Flynn Wolf, Adam J. Aviv, and Ravi Kuber. Security Obstacles and Motivations for Small Businesses from a CISO’s Perspective. 30th USENIX Security Symposium (USENIX Security 21). USENIX Association. Aug 2021.
Florian Farke, David G. Balash, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv. Are Privacy Dashboards Good for End Users? Evaluating User Perceptions and Reactions to Google's My Activity. 30th USENIX Security Symposium (USENIX Security 21). USENIX Association. Aug 2021. (arxiv)
Noel Warford, Collins W. Munyendo, Ashna Mediratta, Adam J. Aviv, and Michelle L. Mazurek. Strategies and Perceived Risks of Sending Sensitive Documents. 30th USENIX Security Symposium (USENIX Security 21). USENIX Association. Aug 2021. (arxiv)
Peter Mayer, Yixin Zou, Florian Schaub, and Adam J. Aviv. "Now I'm a bit angry:" Individuals' Awareness, Perception, and Responses to Data Breaches that Affected Them. 30th USENIX Security Symposium (USENIX Security 21). USENIX Association. Aug 2021. (pdf)
Hirak Ray, Flynn Wolf, Ravi Kuber, Adam J. Aviv. Why Older Adults (Don't) Use Password Managers. In the proceedings of the 2021 USENIX Security Symposium (Sec'21). Aug. 2021. (arxiv)
Hirak Ray, Flynn Wolf, Ravi Kuber, Adam J. Aviv. "Warn Them" or "Just Block Them"?: Comparing Privacy Concerns of Older and Working Age Adults. In the proceedings of the Privacy Enhancing Technology Symposium (PoPets'21). Jul. 2021. (pdf) (video)
Rahel A. Fainchtein, Adam J. Aviv, Micah Sherr, Stephen Ribaudo, and Armaan Khullar. Holes in the Geofence: Privacy Vulnerabilities in “Smart” DNS Services. In the proceedings of the Privacy Enhancing Technology Symposium (PoPets'21). Jul. 2021. (video)
Ian Martiny, Gabriel Kaptchuk, Adam J. Aviv, Daniel S. Roche, and Eric Wustrow. Improving Signal’s Sealed Sender. In the proceedings of the 2021 Network and Distributed Systems Symposium. NDSS'21. Feb 2021. (pdf)
Timothy J. Forman and Adam J. Aviv. Double Patterns: A Usable Solution to Increase the Security of Android Unlock Patterns. In the proceedings of the 2020 Annual Computer Security Applications Conference (ACSAC'20). Dec. 2020. (arxiv)
Hassan Khan, Jason Ceci, Jonah Stegman, Adam J. Aviv, Rozita Dara, Ravi Kuber. Widely Reused and Shared, Infrequently Updated, and Sometimes Inherited: A Holistic View of PIN Authentication in Digital Lives and Beyond. In the proceedings of the 2020 Annual Computer Security Applications Conference (ACSAC'20). Dec. 2020. (arxiv)
Raina Samuel, Philipp Markert, Adam J. Aviv, and Iulian Neamtiu. Knock, Knock. Who's There? On the Security of LG's Knock Codes. 2020 Symposium on Usable Security and Privacy (SOUPS'20). Pgs. 1-24. USENIX. 2020. (arxiv pre-print)
Philipp Markert, Daniel V. Bailey, Maximillian Golla, Markus Dürmuth, and Adam J. Aviv. This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs. 2020 IEEE Symposium on Security and Privacy (SP'20). Pgs. 1525-1542. IEEE Computer Society. 2020 (arxiv)
Timothy J. Forman, Daniel S. Roche, and Adam J. Aviv. Twice as Nice? A Preliminary Evaluation of Double Android Unlock Patterns. Extended Abstracts of the 2020 CHI Conference on Human Factors in Computing Systems. (CHI EA ’20). Pgs. 1–7. Association for Computing Machinery. 2020