Data on how people browse the web is abundantly collected, but rarely distributed due to its proprietary nature. As a result, our understanding of user web browsing primarily derives from a set of small-scale studies conducted over a decade ago. Using resources like the Security Behavior Observatory, this work provides a more detailed and recent snapshot of user browsing patterns, allowing us to better understand how people navigate and spend their time online. We found that user browsing is highly centralized, with over 50% of browsing time dedicated to a mere 32 websites. However, users also spend a disproportionate amount of time on websites ranked outside of the top 10 million, areas known to have a higher risk of containing risky and malicious content.
Kyle Crichton, Nicolas Christin, and Lorrie Faith Cranor. 2021. How Do Home Computer Users Browse the Web? ACM Trans. Web 16, 1, Article 3 (February 2022). https://doi.org/10.1145/3473343
Akira Yamada, Yukiko Sawaya, Shoma Tanaka, Ayumu Kubota, Nicolas Christin, Kyle Crichton, Jin-Dong Dong, Shun Umemoto, Jun Nakajima, So Matsuda, Reo Matsumura. 2020. Security Behavior Observation for Smartphone: Longterm Monitoring of Smartphones Comparing Desktop Computers. Extended Abstract. Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020). USENIX Association, USA.
Most security protections available to users as they browse the web rely on blocklists of known malicious URLs. However, there is an inherent delay between when malicious content is created and when it is detected, which leaves users unprotected for days, or even weeks, against new phishing and malware threats (see figure on the left). To limit the effectiveness of attacks during this gap, our work has developed a novel means of predicting when a user is about to land on a malicious website based on patterns in their browsing behavior. We have demonstrated that our model is capable of making highly accurate predictions, achieving an area under the ROC curve (AUC score) of 0.995, and that these results are reproducible across two very disparate browsing datasets.
This research spawned from discussions with other members of the CyLab Usable Privacy and Security Laboratory who, in the course of running a separate project, questioned whether the mode that they used to conduct an online interview, such as an anonymous chat or a video call, would bias or affect their results. This led us to run 154 interviews across video, audio, chat, email, and survey modes. We found that mode had no substantial effects on the interview data collected, and any bias introduced was small enough that most interviewers can gently ignore it. Instead, most qualitatively and quantitatively significant effects of interview mode were related to logistics, which included factors like cost and drop-out rates.
What originally started as a course project inspired by a mutual love of video games became a small research project assessing the effectiveness of incentives for people to adopt two-factor authentication (2FA) in online gaming. The study surveyed gamers who regularly played the massively popular multiplayer game Fortnite to assess their perceptions of a free in-game emote that was being offered by Fortnite's parent company to get players to enable 2FA on their account. While we found that the effect of the incentive was not statistically significant, likely a result of poor end-user communication, we observed strong social effects within the gamer community: if a player knew another player who had adopted 2FA, they were much more likely to 1) know about the incentive and 2) have adopted 2FA themselves.
Kyle Crichton, Jason Lee, and Meihan Li. 2019. Incentives for Enabling Two-Factor Authentication in Online Gaming. Extended Abstract. Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). USENIX Association, USA.