Robert W. Reeder

I am a Research Scientist at Google, where I work on user experiences related to online security and privacy. Before joining Google in 2013, I worked as a usable security researcher in Microsoft's Trustworthy Computing division, and before that, I completed my PhD in the Computer Science Department at Carnegie Mellon.
Authored Publications
    Web browser warnings should help protect people from malware, phishing, and network attacks. Adhering to warnings keeps people safer online. Recent improvements in warning design have raised adherence rates, but they could still be higher. And prior work suggests many people still do not understand them. Thus, two challenges remain: increasing both comprehension and adherence rates. To dig deeper into user decision making and comprehension of warnings, we performed an experience sampling study of web browser security warnings, which involved surveying over 6,000 Chrome and Firefox users in situ to gather reasons for adhering or not to real warnings. We find these reasons are many and vary with context. Contrary to older prior work, we do not find a single dominant failure in modern warning design---like habituation---that prevents effective decisions. We conclude that further improvements to warnings will require solving a range of smaller contextual misunderstandings.
    Users often don’t follow expert advice for staying secure online, but the reasons for users’ noncompliance are only partly understood. More than 200 security experts were asked for the top three pieces of advice they would give non-tech-savvy users. The results suggest that, although individual experts give thoughtful, reasonable answers, the expert community as a whole lacks consensus.
    “She’ll just grab any device that’s closer”: A Study of Everyday Device & Account Sharing in Households
    Tara Matthews
    Kerwell Liao
    Marianne Berkovich
    Proceedings of the ACM Conference on Human Factors in Computing Systems, ACM (2016) (to appear)
    Many technologies assume a single user will use an account or device. But account and device sharing situations (when 2+ people use a single device or account) may arise during everyday life. We present results from a multiple-methods study of device and account sharing practices among household members and their relations. Among our findings are that device and account sharing was common, and mobile phones were often shared despite being considered “personal” devices. Based on our study results, we organize sharing practices into a taxonomy of six sharing types — distinct patterns of what, why, and how people shared. We also present two themes that cut across sharing types: that (1) trust in sharees and (2) convenience highly influenced sharing practices. Based on these findings, implications for study and technology design.
    We propose a new set of browser security indicators, based on user research and an understanding of the design challenges faced by browsers. To motivate the need for new security indicators, we critique existing browser security indicators and survey 1,329 people about Google Chrome's indicators. We then evaluate forty icons and seven complementary strings by surveying thousands of respondents about their perceptions of the candidates. Ultimately, we select and propose three indicators. Our proposed indicators have been adopted by Google Chrome, and we hope to motivate others to update their security indicators as well.
    “...no one can hack my mind”: Comparing Expert and Non-Expert Security Practices
    Iulia Ion
    Proceedings of the Eleventh Symposium On Usable Privacy and Security, USENIX (2015), pp. 327-346
    The state of advice given to people today on how to stay safe online has plenty of room for improvement. Too many things are asked of them, which may be unrealistic, time consuming, or not really worth the effort. To improve the security advice, our community must find out what practices people use and what recommendations, if messaged well, are likely to bring the highest benefit while being realistic to ask of people. In this paper, we present the results of a study which aims to identify which practices people do that they consider most important at protecting their security online. We compare self-reported security practices of non-experts to those of security experts (i.e., participants who reported having five or more years of experience working in computer security). We report on the results of two online surveys—one with 231 security experts and one with 294 MTurk participants—on what the practices and attitudes of each group are. Our findings show a discrepancy between the security practices that experts and non-experts report taking. For instance, while experts most frequently report installing software updates, using two-factor authentication and using a password manager to stay safe online, non-experts report using antivirus software, visiting only known websites, and changing passwords frequently.
    Improving SSL Warnings: Comprehension and Adherence
    Somas Thyagaraja
    Alan Bettes
    Helen Harris
    Jeff Grimes
    Proceedings of the Conference on Human Factors and Computing Systems, ACM (2015)
    Browsers warn users when the privacy of an SSL/TLS connection might be at risk. An ideal SSL warning would empower users to make informed decisions and, failing that, guide confused users to safety. Unfortunately, users struggle to understand and often disregard real SSL warnings. We report on the task of designing a new SSL warning, with the goal of improving comprehension and adherence. We designed a new SSL warning based on recommendations from warning literature and tested our proposal with microsurveys and a field experiment. We ultimately failed at our goal of a well-understood warning. However, nearly 30% more total users chose to remain safe after seeing our warning. We attribute this success to opinionated design, which promotes safety with visual cues. Subsequently, our proposal was released as the new Google Chrome SSL warning. We raise questions about warning comprehension advice and recommend that other warning designers use opinionated design.
    “My religious aunt asked why I was trying to sell her viagra”: Experiences with account hijacking
    Richard Shay
    Iulia Ion
    Proceedings of the SIGCHI Conference on Human Factors in Computing Systems: CHI '14, ACM, New York, NY, USA (2014), pp. 2657-2666
    With so much of our lives digital, online, and not entirely under our control, we risk losing access to our communications, reputation, and data. Recent years have brought a rash of high-profile account compromises, but account hijacking is not limited to high-profile accounts. In this paper, we report results of a survey about people’s experiences with and attitudes toward account hijacking. The problem is widespread; 30% of our 294 participants had an email or social networking account accessed by an unauthorized party. Five themes emerged from our results: (1) compromised accounts are often valuable to victims, (2) attackers are mostly unknown, but sometimes known, to victims, (3) users acknowledge some responsibility for keeping their accounts secure, (4) users’ understanding of important security measures is incomplete, and (5) harm from account hijacking is concrete and emotional. We discuss implications for designing security mechanisms to improve chances for user adoption.
    Experimenting At Scale With Google Chrome's SSL Warning
    Hazim Almuhimedi
    ACM CHI Conference on Human Factors in Computing Systems (2014)
    Web browsers show HTTPS authentication warnings (i.e., SSL warnings) when the integrity and confidentiality of users' interactions with websites are at risk. Our goal in this work is to decrease the number of users who click through the Google Chrome SSL warning. Prior research showed that the Mozilla Firefox SSL warning has a much lower click-through rate (CTR) than Chrome. We investigate several factors that could be responsible: the use of imagery, extra steps before the user can proceed, and style choices. To test these factors, we ran six experimental SSL warnings in Google Chrome 29 and measured 130,754 impressions.
    Your Reputation Precedes You: History, Reputation, and the Chrome Malware Warning
    Hazim Almuhimedi
    Proceedings of the Symposium On Usable Privacy and Security: SOUPS '14, USENIX (2014)
    Several web browsers, including Google Chrome and Mozilla Firefox, use malware warnings to stop people from visiting infectious websites. However, users can choose to click through (i.e., ignore) these malware warnings. In Google Chrome, users click through a fifth of malware warnings on average. We investigate factors that may contribute to why people ignore such warnings. First, we examine field data to see how browsing history affects click-through rates. We find that users consistently heed warnings about websites that they have not visited before. However, users respond unpredictably to warnings about websites that they have previously visited. On some days, users ignore more than half of warnings about websites they've visited in the past. Next, we present results of an online, survey-based experiment that we ran to gain more insight into the effects of reputation on warning adherence. Participants said that they trusted high-reputation websites more than the warnings; however, their responses suggest that a notable minority of people could be swayed by providing more information. We provide recommendations for warning designers and pose open questions about the design of malware warnings.