  • 1.
    Bartsch, Steffen
    Universität Kassel/provet.
    Boos, Carina
    Universität Kassel/provet.
    Canova, Gamze
    Universität Kassel/provet.
    Dyck, Dominic
    Universität Kassel/provet.
    Henhapl, Birgit
    Universität Kassel/provet.
    Schultheis, Michael
    Universität Kassel/provet.
    Volkamer, Melanie
    Universität Kassel/provet.
    Interdisziplinäres Bewertungskonzept für Risiken auf Webseiten. 2014. In: Workshop RiskKom der GI-FGn SECMGT & ECOM auf der Informatik 2014, 2014, p. 2069-2078. Conference paper (Refereed)
    Abstract [en]

    This paper describes a concept for improving the security of users on the Internet: adapted to the user's IT security expertise and willingness to take risks, the user is offered different interventions in risky situations. The decision whether a risk exists, and which one, is made on a legal and a technical level: indicators of whether data protection and consumer protection are observed, and whether basic IT security measures are implemented, are detected and evaluated automatically. The type of intervention is decided on the basis of the risk classification of the respective scenario together with the user's anticipated risk behaviour and IT security expertise: in addition to warnings that interrupt the user's browsing, there are passive interventions that do not hinder the user's actions, as well as a permanent display of the security status of a page.

  • 2.
    Bartsch, Steffen
    Technische Universität Darmstadt.
    Volkamer, Melanie
    Technische Universität Darmstadt.
    Expert Knowledge for Contextualized Warnings. 2014. Report (Other academic)
    Abstract [en]

    Users are bothered by too many security warnings in a variety of applications. To reduce the number of unnecessary warnings, developers cannot continue to report technical security problems. Instead, they need to consider the actual risks of the context for the decision of whether and how to warn – contextualized warnings. For this risk assessment, developers need to encode expert knowledge. Given the number and complexity of the risks – for example, in Web browsing –, eliciting and encoding the expert knowledge is challenging. In this paper, we propose a holistic methodology for an abstract risk assessment that builds upon prior concepts from risk management, such as decision trees. The result of the methodology is an abstract risk model – a model to assess the risk for the concrete context. In a case study, we show how this methodology can be applied to warnings in Web browsers.

  • 3. Bernhard, David
    Kulyk, Oksana
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Security Proofs for Participation Privacy and Stronger Verifiability for Helios. 2016. Report (Other academic)
  • 4.
    Bernhard, David
    University of Bristol, UK.
    Oksana, Kulyk
    Technische Universität Darmstadt, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). Technische Universität Darmstadt, Germany.
    Security proofs for Participation privacy, receipt-freeness and ballot privacy for the helios voting scheme. 2017. In: ARES '17 Proceedings of the 12th International Conference on Availability, Reliability and Security, New York: Association for Computing Machinery (ACM), 2017, article id UNSP 1. Conference paper (Refereed)
    Abstract [en]

    The Helios voting scheme is well studied including formal proofs for verifiability and ballot privacy. However, depending on its version, the scheme provides either participation privacy (hiding who participated in the election) or verifiability against malicious bulletin board (preventing election manipulation by ballot stuffing), but not both at the same time. It also does not provide receipt-freeness, thus enabling vote buying by letting the voters construct receipts proving how they voted. Recently, an extension to Helios, further referred to as KTV-Helios, has been proposed that claims to provide these additional security properties. However, the authors of KTV-Helios did not prove their claims. Our contribution is to provide formal definitions for participation privacy and receipt-freeness that we applied to KTV-Helios. In order to evaluate the fulfillment of participation privacy and receipt-freeness, we furthermore applied the existing definition of ballot privacy, which was also used for evaluating the security of Helios, in order to show that ballot privacy also holds for KTV-Helios

  • 5.
    Budurushi, Jurlind
    TU Darmstadt/CASED, Germany.
    Jöris, Roman
    TU Darmstadt/CASED, Germany.
    Volkamer, Melanie
    TU Darmstadt/CASED, Germany.
    Implementing and evaluating a software-independent voting system for polling station elections. 2014. In: Journal of Information Security and Applications, ISSN 2214-2134, E-ISSN 2214-2126, Vol. 19, no 2, p. 1-10. Article in journal (Refereed)
    Abstract [en]

    In 2009 the German Federal Constitutional Court introduced the principle of “public nature of elections” (Federal Constitutional Court of Germany, March 2009). This principle requires that when using electronic voting systems it must be possible for the citizen to verify the essential steps in the election process and in the ascertainment of the results reliably and without special expert knowledge. Unfortunately, none of the existing systems complies with this principle. As a result, the use of electronic voting systems in Germany for parliamentary elections has stopped. Nevertheless, electronic voting systems are necessary and would improve the situation, especially for elections with complex ballots and voting rules, for example some local elections in Germany or parliamentary elections in Belgium and Luxembourg. The concept proposed by Volkamer et al. (Volkamer et al., 2011) was analyzed by a legal expert and evaluated to comply with the German legal requirements for local elections in the state of Hesse (Henning et al., 2012). In this paper we specify and concretize processes that were left open in the concept, and implement a prototype. We evaluated this prototype in a user study that was conducted alongside the university elections at the Technische Universität Darmstadt in June 2013. The results of the study show that most of the participants were satisfied with the prototype and would support its use for the upcoming university elections. We also report some lessons learned.

  • 6.
    Budurushi, Jurlind
    Detecon Int GmbH, Cologne, Germany.
    Neumann, Stephan
    Tech Univ Darmstadt, Darmstadt, Germany.
    Renaud, Karen
    Abertay Univ, Dundee, Scotland; Univ South Africa, Pretoria, South Africa.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). Tech Univ Darmstadt, Darmstadt, Germany.
    Introduction to special issue on e-voting. 2018. In: Journal of Information Security and Applications, ISSN 2214-2134, E-ISSN 2214-2126, Vol. 38, p. 122-123. Article in journal (Refereed)
  • 7.
    Budurushi, Jurlind
    Technische Universitat Darmstadt.
    Neumann, Stephan
    Technische Universitat Darmstadt.
    Shala, Genc
    Technische Universitat Darmstadt.
    Volkamer, Melanie
    Technische Universitat Darmstadt.
    Entwicklung eines Common Criteria Schutzprofils für elektronische Wahlgeräte mit Paper Audit Trail. 2014. In: INF14 - Workshop: Elektronische Wahlen: Unterstützung der Wahlprozesse mittels Technik, 2014, Vol. 232, p. 1415-1426. Conference paper (Refereed)
    Abstract [en]

    With its ruling of 3 March 2009, the German Federal Constitutional Court declared the voting machines used until then in the Federal Republic of Germany unconstitutional. The reason for this ruling was the failure to implement the principle of the public nature of elections. However, with this ruling the court did not declare the use of electronic voting machines unconstitutional in general. Within the DFG-funded project 'VerKonWa', the EasyVote system was developed, which implements the principle of public nature by means of so-called paper audit trails. In this work we report on our experience in developing a Common Criteria protection profile for electronic voting machines with paper audit trails.

  • 8. Budurushi, Jurlind
    Renaud, Karen
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Woide, Marcel
    An Investigation into the Usability of Electronic Voting Systems for Complex Elections. 2016. In: Annals of Telecommunications, ISSN 0003-4347, Vol. 71, no 7, p. 309-322. Article in journal (Refereed)
  • 9. Budurushi, Jurlind
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Feasibility Analysis of Various Electronic Voting Systems for Complex Elections. 2014. In: International Conference for E-Democracy and Open Government 2014 / [ed] Peter Parycek & Noella Edelmann, Krems: Donau-Universität, 2014, p. 141-152. Conference paper (Refereed)
  • 10.
    Budurushi, Jurlind
    Tech Univ Darmstadt, Dept Comp Sci, Darmstadt, Germany.
    Volkamer, Melanie
    Tech Univ Darmstadt, Dept Comp Sci, Darmstadt, Germany.
    Renaud, Karen
    Univ Glasgow, Sch Comp Sci, Glasgow G12 8QQ, Lanark, Scotland.
    Woide, Marcel
    Tech Univ Darmstadt, Dept Psychol, Darmstadt, Germany.
    Implementation and Evaluation of the EasyVote Tallying Component and Ballot. 2014. In: 2014 6TH INTERNATIONAL CONFERENCE ON ELECTRONIC VOTING: VERIFYING THE VOTE (EVOTE) / [ed] Krimmer, R; Volkamer, M, IEEE, 2014. Conference paper (Refereed)
    Abstract [en]

    The German federal constitutional court ruled, in 2009, that elections had to have a public nature. EasyVote, a promising hybrid electronic voting system for conducting elections with complex voting rules and huge ballots, meets this requirement. Two assumptions need to hold, however. The first is that voters will verify the human-readable part of the EasyVote ballot and detect discrepancies. Secondly, that electoral officials will act to verify that the human-readable part of the ballot is identical to the machine-readable part, and that they, too, will detect discrepancies. The first assumption was tested in prior work, so in this paper we examine the viability of the second assumption. We developed an EasyVote tallying component and conducted a user study to determine whether electoral officials would detect discrepancies. The results of our user study show that our volunteer electoral officials did not detect all of the differences, which challenges the validity of the second assumption. Based on these findings we proceeded to propose two alternative designs of the EasyVote ballot: (1) In contrast to the original EasyVote ballot, the human-readable part highlights only the voter's direct selections in orange, i.e. votes that are automatically distributed by selecting a party are not highlighted; (2) The second alternative includes only the voter's direct selections and highlights them in orange. Both alternatives reduce the number of required manual comparisons and should consequently increase the number of discrepancies detected by election officials. We evaluated both alternatives in an online survey with respect to ease of verification and understandability of the cast vote, i.e. verifying that the human-readable part contained the voter's selections and understanding the impact (distribution of votes) of the corresponding selections. 
    The results of the online survey show that both alternatives are significantly better than the original EasyVote ballot with respect to ease of verification and understandability. Furthermore, the first alternative is significantly better than the second with respect to understandability of the cast vote, and no significant difference was found between the alternatives with respect to ease of verification of the cast vote.

  • 11.
    Canova, Gamze
    Tech Univ Darmstadt, Darmstadt, Germany.
    Volkamer, Melanie
    Tech Univ Darmstadt, Darmstadt, Germany.
    Bergmann, Clemens
    Tech Univ Darmstadt, Darmstadt, Germany.
    Borza, Roland
    Tech Univ Darmstadt, Darmstadt, Germany.
    NoPhish: An Anti-Phishing Education App. 2014. In: SECURITY AND TRUST MANAGEMENT (STM 2014), Springer Berlin/Heidelberg, 2014, p. 188-192. Conference paper (Refereed)
    Abstract [en]

    Phishing is still a prevalent issue in today's Internet. It can have financial or personal consequences. Attacks continue to become more and more sophisticated and the advanced ones (including spear phishing) can only be detected if people carefully check URLs. We developed a game based smartphone app - NoPhish - to educate people in accessing, parsing and checking URLs; i.e. enabling them to distinguish trustworthy and non-trustworthy websites. Throughout several levels information is provided and phishing detection is exercised.

  • 12. Canova, Gamze
    Volkamer, Melanie
    Bergmann, Clemens
    Reinheimer, Benjamin
    NoPhish App Evaluation: Lab and Retention Study. 2015. In: NDSS Workshop on Usable Security 2015, 2015. Conference paper (Refereed)
    Abstract [en]

    Phishing is a prevalent issue of today’s Internet. Previous approaches to counter phishing do not draw on a crucial factor to combat the threat - the users themselves. We believe user education about the dangers of the Internet is a further key strategy to combat phishing. For this reason, we developed an Android app, a game called –NoPhish–, which educates the user in the detection of phishing URLs. It is crucial to evaluate NoPhish with respect to its effectiveness and the users’ knowledge retention. Therefore, we conducted a lab study as well as a retention study (five months later). The outcomes of the studies show that NoPhish helps users make better decisions with regard to the legitimacy of URLs immediately after playing NoPhish as well as after some time has passed. The focus of this paper is on the description and the evaluation of both studies. This includes findings regarding those types of URLs that are most difficult to decide on as well as ideas to further improve NoPhish. 

  • 13. Canova, Gamze
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Weiler, Simon
    Poster: Password Entering and Transmission Security. 2014. Other (Other academic)
    Abstract [en]

    The most popular form of user authentication on websites is the use of passwords. When entering a password, it is crucial that the website uses HTTPS (for the entire content). However, this is often not the case. We propose PassSec - a Firefox Add-On to support users to detect password fields on which their password might be endangered. In addition, PassSec displays a non-blocking warning next to the password field, once users click into the password field. The user is provided with possible consequences of entering a password, recommendations and further information if wanted. 

  • 14.
    Gerber, Paul
    Faculty of Human Sciences, Technische Universität Darmstadt, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    Renaud, Karen
    College of Science and Engineering, School of Computing Science, Human-Centred Security and Privacy Lead, University of Glasgow, United Kingdom.
    The simpler, the better? Presenting the COPING Android permission-granting interface for better privacy-related decisions. 2017. In: Journal of Information Security and Applications, ISSN 2214-2134, E-ISSN 2214-2126, Vol. 34, no 1, p. 8-26. Article in journal (Refereed)
    Abstract [en]

    One of the great innovations of the modern world is the Smartphone app. The sheer multitude of available apps attests to their popularity and general ability to satisfy our wants and needs. The flip side of the functionality these apps offer is their potential for privacy invasion. Apps can, if granted permission, gather a vast amount of very personal and sensitive information. App developers might exploit the combination of human propensities and the design of the Android permission-granting interface to gain permission to access more information than they really need. This compromises personal privacy. The fact that the Android is the globally dominant phone means widespread privacy invasion is a real concern.

    We, and other researchers, have proposed alternatives to the Android permission-granting interface. The aim of these alternatives is to highlight privacy considerations more effectively during app installation: to ensure that privacy becomes part of the decision-making process. We report here on a study with 344 participants that compared the impact of a number of permission-granting interface proposals, including our own (called the COPING interface — COmprehensive PermIssioN Granting) and two Android interfaces. To conduct the comparison we carried out an online study with a mixed-model design.

    Our main finding is that the focus in these interfaces ought to be on improving the quality of the provided information rather than merely simplifying the interface. The intuitive approach is to reduce and simplify information, but we discovered that this actually impairs the quality of the decision. Our recommendation is that further investigation is required in order to find the “sweet spot” where understandability and comprehensiveness are maximised

  • 15. Ghiglieri, Marco
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science. TU Darmstadt.
    Renaud, Karen
    Exploring Consumers' Attitudes of Smart TV Related Privacy Risks. 2017. In: Human Aspects of Information Security, Privacy and Trust: 5th International Conference, HAS 2017, Held as Part of HCI International 2017, Vancouver, BC, Canada, July 9-14, 2017, Proceedings, Springer, 2017, Vol. 10292, p. 656-674. Conference paper (Refereed)
  • 16.
    Gutmann, Andreas
    Tech Univ Darmstadt, Darmstadt, Germany.
    Renaud, Karen
    Glasgow University, Scotland.
    Maguire, Joseph
    Glasgow University, Scotland.
    Mayer, Peter
    Tech Univ Darmstadt, Darmstadt, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science. Tech Univ Darmstadt, Darmstadt, Germany.
    Matsuura, Kanta
    University Tokyo, Japan.
    Müller-Quade, Jörn
    Karlsruhe Inst Technol, Germany.
    ZeTA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology. 2016. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), IEEE, 2016, p. 357-371. Conference paper (Refereed)
    Abstract [en]

    Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.

  • 17. Gutmann, Andreas
    Renaud, Karen
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Nudging Bank Account Holders Towards More Secure PIN Management. 2015. In: Journal of Internet Technology and Secured Transactions, ISSN 1748-569X, Vol. 4, p. 380-386. Article in journal (Refereed)
    Abstract [en]

    The memorability of PINs is an enduring security issue. This is especially pertinent in the context of banking, where technical systems evolve more slowly than in other contexts (e.g. many mobile phone operating systems have adopted alternative authentication mechanisms). Banking customers who struggle to memorise all their PINs often record them, sometimes insecurely, flying in the face of advice from their banks. Banks respond to memorisation difficulties by permitting customers to change their PINs. The reality is that both recording and changing unwittingly weakens the mechanism by increasing predictability. Yet trying to forbid these coping strategies is futile. It is far better to acknowledge the prevalence of such behaviours and to try to nudge people towards more secure PIN management. In this paper, we suggest a way of achieving this.

  • 18.
    Karegar, Farzaneh
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    Gerber, Nina
    Faculty of Human Sciences, Technische Universitat Darmstadt, Darmstadt, Hessen, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    Fischer-Hübner, Simone
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    Helping John to Make Informed Decisions on Using Social Login. 2018. In: Proceedings of the 33th Symposium on Applied Computing (SAC 2018), Pau, F, April 9-13, 2018, New York: ACM Publications, 2018. Chapter in book (Other academic)
  • 19.
    Krimmer, Robert
    Tallinn University of Technology, Tallinn, Estonia.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    Barrat, Jordi
    EVOL2-eVoting Research Lab, Tarragona, Spain.
    Benaloh, Josh
    Microsoft Research, Seattle, USA.
    Goodman, Nicole
    University of Toronto, Toronto, Canada.
    Ryan, Peter Y.A
    University of Toronto, Toronto, Canada.
    Teague, Vanessa
    University of Melbourne, Parkville, Australia.
    Electronic Voting: First International Joint Conference, E-Vote-ID 2016, Bregenz, Austria, October 18-21, 2016, Proceedings. 2017. Conference proceedings (editor) (Refereed)
  • 20.
    Kulyk, Oksana
    Technische Universität Darmstadt, Germany.
    Gerber, Paul
    Technische Universität Darmstadt, Germany.
    El Hanafi, Michael
    Technische Universität Darmstadt, Germany.
    Reinheimer, Benjamin
    Technische Universität Darmstadt, Germany.
    Renaud, Karen
    University of Glasgow, UK.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Encouraging Privacy-Aware Smartphone App Installation: What Would the Technically-Adept Do. 2016. Conference paper (Refereed)
  • 21.
    Kulyk, Oksana
    Tech Univ Darmstadt, Darmstadt, Germany. Karlstad Univ, Karlstad, Sweden.
    Marky, Karola
    Tech Univ Darmstadt, Darmstadt, Germany. Karlstad Univ, Karlstad, Sweden.
    Neumann, Stephan
    Tech Univ Darmstadt, Darmstadt, Germany. Karlstad Univ, Karlstad, Sweden.
    Volkamer, Melanie
    Tech Univ Darmstadt, Darmstadt, Germany. Karlstad Univ, Karlstad, Sweden.
    Introducing Proxy Voting to Helios. 2016. In: PROCEEDINGS OF 2016 11TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY, (ARES 2016), IEEE, 2016, p. 98-106. Conference paper (Refereed)
    Abstract [en]

    Proxy voting is a form of voting, where the voters can either vote on an issue directly, or delegate their voting right to a proxy. This proxy might for instance be a trusted expert on the particular issue. In this work, we extend the widely studied end-to-end verifiable Helios Internet voting system towards the proxy voting approach. Therefore, we introduce a new type of credentials, so-called delegation credentials. The main purpose of these credentials is to ensure that the proxy has been authorised by an eligible voter to cast a delegated vote. If voters, after delegating, change their mind and want to vote directly, cancelling a delegation is possible throughout the entire voting phase. We show that the proposed extension preserves the security requirements of the original Helios system for the votes that are cast directly, as well as security requirements tailored toward proxy voting.

  • 22.
    Kulyk, Oksana
    Technische Universität Darmstadt.
    Neumann, Stephan
    Technische Universität Darmstadt.
    Budurushi, Jurlind
    Technische Universität Darmstadt.
    Volkamer, Melanie
    Technische Universität Darmstadt.
    Nothing Comes for Free: How Much Usability Can You Sacrifice for Security? 2017. In: IEEE Security and Privacy, ISSN 1540-7993, E-ISSN 1558-4046, Vol. 15, no 3, p. 24-29. Article in journal (Refereed)
    Abstract [en]

    Code voting systems differ in security: some ensure either vote secrecy or vote integrity, while others ensure both. However, these systems potentially impair usability, which might negatively affect voters' attitude toward Internet voting. To determine the tradeoff between usability and security in these systems, the authors conduct a pilot user study examining voters in a university elections setting.

  • 23.
    Kulyk, Oksana
    Technical University Darmstadt, Germany.
    Neumann, Stephan
    Technical University Darmstadt, Germany.
    Budurushi, Jurlind
    Technical University Darmstadt, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science. Technical University Darmstadt, Germany.
    Haenni, Rolf
    Bern University for Applied Sciences, Switzerland.
    Koenig, Reto
    Bern University for Applied Sciences, Switzerland.
    von Bergen, Philemon
    Bern University for Applied Sciences, Switzerland.
    Efficiency Evaluation of Cryptographic Protocols for Boardroom Voting. 2015. In: Availability, Reliability and Security (ARES), 2015 10th International Conference on, IEEE conference proceedings, 2015, p. 224-229. Conference paper (Refereed)
  • 24.
    Kulyk, Oksana
    Technical University Darmstadt, Germany.
    Neumann, Stephan
    Technical University Darmstadt, Germany.
    Marky, Karola
    Technical University Darmstadt, Germany.
    Budurushi, Jurlind
    Technical University Darmstadt, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science. Technical University Darmstadt, Germany.
    Coercion-resistant Proxy Voting. 2016. In: ICT Systems Security and Privacy Protection: 31st IFIP TC 11 International Conference, SEC 2016, Ghent, Belgium, May 30 - June 1, 2016, Proceedings / [ed] Jaap-Henk Hoepman & Stefan Katzenbeisser, Springer, 2016, p. 3-16. Conference paper (Refereed)
    Abstract [en]

    In general, most elections follow the principle of equality, or as it came to be known, the principle of "one man - one vote". However, this principle might pose difficulties for voters, who are not well informed regarding the particular matter that is voted on. In order to address this issue, a new form of voting has been proposed, namely proxy voting. In proxy voting, each voter has the possibility to delegate her voting right to another voter, so called proxy, that she considers a trusted expert on the matter. In this paper we propose an end-to-end verifiable Internet voting scheme, which to the best of our knowledge is the first scheme to address voter coercion in the proxy voting setting.

  • 25.
    Kulyk, Oksana
    Tech Univ Darmstadt, Darmstadt.
    Neumann, Stephan
    Tech Univ Darmstadt, Darmstadt.
    Marley, Karola
    Tech Univ Darmstadt, Darmstadt.
    Budurushi, Jurlind
    Tech Univ Darmstadt, Darmstadt.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). Tech Univ Darmstadt, Darmstadt.
    Coercion-resistant proxy voting. 2017. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 71, p. 88-99. Article in journal (Refereed)
    Abstract [en]

    In general, most elections follow the principle of equality, or as it came to be known, the principle of "one person-one vote". However, this principle might pose difficulties for voters, who are not well informed regarding the particular matter that is voted on. In order to address this issue, a new form of voting has been proposed, namely proxy voting. In proxy voting, each voter has the possibility to delegate her voting right to another voter, so called proxy, that she considers a trusted expert on the matter. In this paper we propose an end-to-end verifiable Internet voting scheme, which to the best of our knowledge is the first scheme to address voter coercion in the proxy voting setting. (C) 2017 Elsevier Ltd. All rights reserved.

  • 26.
    Kulyk, Oksana
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Neumann, Stephan
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Volkamer, Melanie
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Feier, Christian
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Koester, Thorben
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Electronic Voting with Fully Distributed Trust and Maximized Flexibility Regarding Ballot Design. 2014. In: 2014 6TH INTERNATIONAL CONFERENCE ON ELECTRONIC VOTING: VERIFYING THE VOTE (EVOTE) / [ed] Krimmer, R; Volkamer, M, IEEE Press, 2014. Conference paper (Refereed)
    Abstract [en]

    One common way to ensure the security in voting schemes is to distribute critical tasks between different entities so called trustees. While in most election settings election authorities perform the task of trustees, elections in small groups such as board elections can be implemented in a way that all voters are also trustees. This is actually the ideal case for an election as trust is maximally distributed. A number of voting schemes have been proposed for facilitating such elections. Our focus is on a mix net based approach to maximize flexibility regarding ballot design. We proposed and implemented a corresponding voting scheme as an Android smartphone application. We believe smartphones are most likely to be used in the election settings that we consider in the paper. Our implementation also enables voters to remotely participate in the voting process. The implementation enables us to measure timings for the tallying phase for different settings in order to analyze whether the chosen mix net based scheme is suitable for the considered election settings.

  • 27.
    Kulyk, Oksana
    et al.
    Tech. Univ. Darmstadt, Darmstadt, Germany.
    Reinheimer, Benjamin Maximmilian
    Tech. Univ. Darmstadt, Darmstadt, Germany.
    Gerber, Paul
    Faculty of Human Sciences, Technische Universität Darmstadt, Germany.
    Volk, Florian
    Tech. Univ. Darmstadt, Darmstadt, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    Mühlhäuser, Max
    Tech. Univ. Darmstadt, Darmstadt, Germany.
    Advancing Trust Visualisations for Wider Applicability and User Acceptance. 2017. In: Trustcom/BigDataSE/ICESS, 2017 IEEE, Piscataway: IEEE, 2017, p. 562-569. Conference paper (Refereed)
    Abstract [en]

    There are only a few visualisations targeting the communication of trust statements. Even though there are some advanced and scientifically founded visualisations (like, for example, the opinion triangle, the human trust interface, and T-Viz), the stars interface known from e-commerce platforms is by far the most common one. In this paper, we propose two trust visualisations based on T-Viz, which was recently proposed and successfully evaluated in large user studies. Despite being the most promising proposal, its design is not primarily based on findings from human-computer interaction or cognitive psychology. Our visualisations aim to integrate such findings and to potentially improve decision making in terms of correctness and efficiency. A large user study reveals that our proposed visualisations outperform T-Viz in these factors.

  • 28. Kulyk, Oksana
    et al.
    Reinheimer, Benjamin
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Sharing Information with Web Services: A Mental Model Approach in the Context of Optional Information. 2017. In: Human Aspects of Information Security, Privacy and Trust: 5th International Conference, HAS 2017, Held as Part of HCI International 2017, Vancouver, BC, Canada, July 9-14, 2017, Proceedings, Springer, 2017, p. 675-690. Conference paper (Refereed)
  • 29.
    Kulyk, Oksana
    et al.
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Teague, Vanessa
    Univ Melbourne, Melbourne, Vic, Australia.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science. Tech Univ Darmstadt, CASED, Darmstadt, Germany; Karlstad Univ, Karlstad, Sweden.
    Extending Helios Towards Private Eligibility Verifiability. 2015. In: E-Voting and Identity, Springer, 2015, Vol. 9269, p. 57-73. Conference paper (Refereed)
    Abstract [en]

    We show how to extend the Helios voting system to provide eligibility verifiability without revealing who voted, which we call private eligibility verifiability. The main idea is that real votes are hidden in a crowd of null votes that are cast by others but are indistinguishable from those of the eligible voter. This extended Helios scheme also improves Helios towards receipt-freeness.

  • 30. Kulyk, Oksana
    et al.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Efficiency Comparison of Various Approaches in E-Voting Protocols. 2016. In: FINANCIAL CRYPTOGRAPHY AND DATA SECURITY, FC 2016 / [ed] Clark, J; Meiklejohn, S; Ryan, PYA; Wallach, D; Brenner, M; Rohloff, K, Springer, 2016, Vol. 9604, p. 209-223. Conference paper (Refereed)
    Abstract [en]

    In order to ensure the security of remote Internet voting, the systems that are currently proposed make use of complex cryptographic techniques. Since these techniques are often computationally extensive, efficiency becomes an issue. Identifying the most efficient Internet voting system is a non-trivial task - in particular for someone who does not have a sufficient knowledge on the systems that currently exist, and on the cryptographic components that constitute those systems. Aside from these components, the efficiency of Internet voting also depends on various parameters, such as expected number of participating voters and ballot complexity. In this paper we propose a tool for evaluating the efficiency of different approaches for an input scenario, that could be of use to election organizers deciding how to implement the voting system.

  • 31. Marky, Karola
    et al.
    Gutmann, Andreas
    Rack, Philipp
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Privacy Friendly Apps-Making Developers Aware of Privacy Violations. 2016. In: IMPS 2016 Innovations in Mobile Privacy and Security: Proceedings of the 1st International Workshop on Innovations in Mobile Privacy and Security co-located with the International Symposium on Engineering Secure Software and Systems (ESSoS 2016), CEUR, 2016, Vol. 1, p. 46-48. Conference paper (Refereed)
  • 32. Maseberg, Sönke
    et al.
    Bodden, Eric
    Kus, Mehmet
    Brucker, Achim
    Rasthofer, Siegfried
    Berger, Bernhard
    Huber, Stephan
    Sohr, Karsten
    Gerber, Paul
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Zertifizierte Apps. 2015. In: Risiken kennen, Herausforderungen annehmen, Lösungen gestalten: Tagungsband zum 14. Deutscher IT-Sicherheitskongress des BSI 2015, SecuMedia, 2015, p. 505-516. Conference paper (Refereed)
  • 33.
    Mayer, Peter
    et al.
    Faculty of Computer Sciences, Technische Universitat Darmstadt, Darmstadt, Hessen, Germany.
    Gerber, Nina
    Faculty of Human Sciences, Technische Universitat Darmstadt, Darmstadt, Hessen, Germany.
    McDermott, Ronja
    Faculty of Human Sciences, Technische Universitat Darmstadt, Darmstadt, Hessen, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    Vogt, Joachim
    Faculty of Human Sciences, Technische Universitat Darmstadt, Darmstadt, Hessen, Germany.
    Productivity vs security: mitigating conflicting goals in organizations. 2017. In: Information and Computer Security, ISSN 1434-5250, E-ISSN 2220-3796, Vol. 25, no 2, p. 137-151. Article in journal (Refereed)
    Abstract [en]

    Purpose

    This paper aims to contribute to the understanding of goal setting in organizations, especially regarding the mitigation of conflicting productivity and security goals.

    Design/methodology/approach

    This paper describes the results of a survey with 200 German employees regarding the effects of goal setting on employees’ security compliance. Based on the survey results, a concept for setting information security goals in organizations building on actionable behavioral recommendations from information security awareness materials is developed. This concept was evaluated in three small- to medium-sized organizations (SMEs) with overall 90 employees.

    Findings

    The survey results revealed that the presence of rewards for productivity goal achievement is strongly associated with a decrease in security compliance. The evaluation of the goal setting concept indicates that setting their own information security goals is welcomed by employees.

    Research limitations/implications

    Both studies rely on self-reported data and are, therefore, likely to contain some kind of bias.

    Practical implications

    Goal setting in organizations has to accommodate for situations, where productivity goals constrain security policy compliance. Introducing the proposed goal setting concept based on relevant actionable behavioral recommendations can help mitigate issues in such situations.

    Originality/value

    This work furthers the understanding of the factors affecting employee security compliance. Furthermore, the proposed concept can help maximizing the positive effects of goal setting in organizations by mitigating the negative effects through the introduction of meaningful and actionable information security goals.

  • 34.
    Mayer, Peter
    et al.
    Faculty of Computer Sciences, Technische Universitat Darmstadt, Darmstadt, Hessen, Germany.
    Kirchner, Jan
    Technische Universität Darmstadt.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    A second look at password composition policies in the wild: Comparing samples from 2010 and 2016. 2017. In: Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), Usenix, The advanced computer systems association, 2017, p. 13-28. Conference paper (Refereed)
    Abstract [en]

    In this paper we present a replication and extension of the study performed by Florêncio and Herley published at SOUPS 2010. They investigated a sample of US websites, examining different website features' effects on the strength of the website's password composition policy (PCP). Using the same methodology as in the original study, we re-investigated the same US websites to identify differences over time. We then extended the initial study by investigating a corresponding sample of German websites in order to identify differences across countries. Our findings indicate that while the website features mostly retain their predicting power for the US sample, only one feature affecting PCP strength translates to the German sample: whether users can choose among multiple alternative websites providing the same service. Moreover, German websites generally use weaker PCPs and, in particular, PCPs of German banking websites stand out for having generally low strength PCPs.

     

  • 35.
    Mayer, Peter
    et al.
    Faculty of Computer Sciences, Technische Universitat Darmstadt, Darmstadt, Hessen, Germany.
    Kunz, Alexandra
    Technische Universität Darmstadt, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). Technische Universität Darmstadt , Germany.
    Reliable behavioural factors in the information security context. 2017. In: ARES '17 Proceedings of the 12th International Conference on Availability, Reliability and Security, New York: Association for Computing Machinery (ACM), 2017, article id UNSP 9. Conference paper (Refereed)
    Abstract [en]

    Users do often not behave securely when using information technology. Many studies have tried to identify the factors of behavioural theories which can increase secure behaviour. The goal of this work is to identify which of the factors are reliably associated with secure behaviour across multiple studies. Those factors are of interest to information security professionals since addressing them in security awareness and education campaigns can help improving security related processes of users. To attain our goal, we conducted a systematic literature review and assessed the reliability of the factors based on the effect sizes reported in the literature. Our results indicate that 11 out of the 14 factors from well established behavioural theories can be associated with reliable effects in the information security context. These factors cover very different aspects: influence of the users' skills, whether the environment makes it possible to exhibit secure behaviour, the influence of friends or co-workers, and the perceived properties of the secure behaviour (e.g. response cost). Also, we identify areas, where more studies are needed to increase the confidence of the factors' reliability assessment.

  • 36. Mayer, Peter
    et al.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Secure and Efficient Key Derivation in Portfolio Authentication Schemes Using Blakley Secret Sharing. 2015. In: Proceedings of the 31st Annual Computer Security Applications Conference, Association for Computing Machinery (ACM), 2015, p. 431-440. Conference paper (Refereed)
  • 37.
    Mayer, Peter
    et al.
    Tech Univ Darmstadt, Ctr Adv Secur Res Darmstadt, Darmstadt, Germany.
    Volkamer, Melanie
    Tech Univ Darmstadt, Ctr Adv Secur Res Darmstadt, Darmstadt, Germany.
    Kauer, Michaela
    Tech Univ Darmstadt, Inst Ergon, Darmstadt, Germany.
    Authentication Schemes - Comparison and Effective Password Spaces. 2014. In: INFORMATION SYSTEMS SECURITY (ICISS 2014), Springer Berlin/Heidelberg, 2014, p. 204-225. Conference paper (Refereed)
    Abstract [en]

    Text passwords are ubiquitous in authentication. Despite this ubiquity, they have been the target of much criticism. One alternative to the pure recall text passwords are graphical authentication schemes. The different proposed schemes harness the vast visual memory of the human brain and exploit cued-recall as well as recognition in addition to pure recall. While graphical authentication in general is promising, basic research is required to better understand which schemes are most appropriate for which scenario (incl. security model and frequency of usage). This paper presents a comparative study in which all schemes are configured to the same effective password space (as used by large Internet companies). The experiment includes both, cued-recall-based and recognition-based schemes. The results demonstrate that recognition-based schemes have the upper hand in terms of effectiveness and cued-recall-based schemes in terms of efficiency. Thus, depending on the scenario one or the other approach is more appropriate. Both types of schemes have lower reset rates than text passwords which might be of interest in scenarios with limited support capacities.

  • 38.
    Neumann, Stephan
    et al.
    Tech Univ Darmstadt, CASED, D-64289 Darmstadt, Germany.
    Kahlert, Anna
    Univ Kassel, D-34109 Kassel, Germany.
    Henning, Maria
    Univ Kassel, D-34109 Kassel, Germany.
    Richter, Philipp
    Univ Kassel, D-34109 Kassel, Germany.
    Jonker, Hugo
    Univ Luxembourg, L-1359 Luxembourg, Luxembourg.
    Volkamer, Melanie
    Tech Univ Darmstadt, CASED, D-64289 Darmstadt, Germany.
    Modeling the German Legal Latitude Principles. 2013. In: ELECTRONIC PARTICIPATION, EPART 2013, Berlin: Springer Berlin/Heidelberg, 2013, p. 49-56. Conference paper (Refereed)
    Abstract [en]

    Postal voting was established in Germany in 1956. Based on the legal latitude of the national legislator, the Federal Constitutional Court confirmed the constitutionality of postal voting several times. In contrast, the constitutionality of electronic voting machines, which were used for federal elections from 2002 to 2005, was rejected as the possibility to control the essential steps in the election was not provided to all citizens. These two cases emphasize that the legal system allows to limit realization of election principles to the advantage of other election principles, but that there are limits. In order to introduce new voting systems, in particular Internet voting systems, it is essential to have guidelines on what is and what is not acceptable. This work provides such guidelines. It identifies the principles of the legal latitude in the German constitution, and captures this latitude in a model. This model enables a review of the constitutionality of new voting systems.

  • 39.
    Neumann, Stephan
    et al.
    Technische Universität Darmstadt, Darmstadt, Germany.
    Noll, Manuel
    Université de Liège, Liège, Belgium.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    Election-Dependent Security Evaluation of Internet Voting Schemes. 2017. In: ICT Systems Security and Privacy Protection: SEC 2017. IFIP Advances in Information and Communication Technology / [ed] De Capitani di Vimercati S., Martinelli F., Springer, 2017, Vol. 502, p. 371-382. Conference paper (Refereed)
    Abstract [en]

    The variety of Internet voting schemes proposed in the literature build their security upon a number of trust assumptions. The criticality of these assumptions depends on the target election setting, particularly the adversary expected within that setting. Given the potential complexity of the assumptions, identifying the most appropriate Internet voting schemes for a specific election setting poses a significant burden to election officials. We address this shortcoming by the construction of an election-dependent security evaluation framework for Internet voting schemes. On the basis of two specification languages, the core of the framework essentially evaluates election-independent security models with regard to expected adversaries and returns satisfaction degrees for security requirements. These satisfaction degrees serve election officials as basis for their decision-making. The framework is evaluated against requirements stemming from measure theory.

  • 40.
    Neumann, Stephan
    et al.
    Technische Universität Darmstadt, Darmstadt, Germany.
    Reinheimer, Benjamin Maximmilian
    Tech. Univ. Darmstadt, Darmstadt, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).
    Don’t Be Deceived: The Message Might Be Fake. 2017. In: Trust, Privacy and Security in Digital Business / [ed] Javier Lopez; Simone Fischer-Hübner; Costas Lambrinoudaki, Cham: Springer, 2017, Vol. 10442, p. 199-214. Chapter in book (Refereed)
    Abstract [en]

    In an increasingly digital world, fraudsters, too, exploit this new environment and distribute fraudulent messages that trick victims into taking particular actions. There is no substitute for making users aware of scammers’ favoured techniques and giving them the ability to detect fraudulent messages. We developed an awareness-raising programme, specifically focusing on the needs of small and medium-sized enterprises (SMEs). The programme was evaluated in the field. The participating employees demonstrated significantly improved skills in terms of ability to classify messages as fraudulent or genuine. Particularly with regard to one of the most widespread attack types, namely fraudulent messages with links that contain well-known domains as sub-domains of generic domains, recipients of the programme improved their recognition rates from 56.6% to 88%. Thus, the developed security awareness-raising programme contributes to improving the security in SMEs.

  • 41.
    Neumann, Stephan
    et al.
    CASED TU Darmstadt, Darmstadt, Germany.
    Volkamer, Melanie
    CASED TU Darmstadt, Darmstadt, Germany.
    Civitas and the Real World: Problems and Solutions from a Practical Point of View. 2012. In: 2012 SEVENTH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY (ARES), IEEE Communications Society, 2012, p. 180-185. Conference paper (Refereed)
    Abstract [en]

    In the past, researchers have proposed many voting schemes that satisfy a wide range of security properties. These schemes often rely on strong trust assumptions and do not consider the voter sufficiently, which currently renders them inappropriate for usage in real-world elections. In this paper we focus on the voting scheme Civitas, which features provably strong security properties, such as end-to-end verifiability and coercion-resistance. We identify the strong trust assumptions and usability weaknesses of the scheme, which currently prevent its usage in real-world elections. Based on these results, we show how most of these strong trust assumptions can be implemented, e. g., by using eID cards in order to overcome Civitas' most critical usability problem, namely credential handling. Together with a voter-process description and a user-interface, we pave the way for the use of Civitas in real-world elections.

  • 42.
    Neumann, Stephan
    et al.
    Tech Univ Darmstadt, Darmstadt, Germany.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science. Tech Univ Darmstadt, Darmstadt, Germany.
    Budurushi, Jurlind
    Tech Univ Darmstadt, Darmstadt, Germany.
    Prandini, Marco
    Univ Bologna, Bologna, Italy.
    SecIVo: a quantitative security evaluation framework for internet voting schemes. 2016. In: Annales des télécommunications, ISSN 0003-4347, E-ISSN 1958-9395, Vol. 71, no 7-8, p. 337-352. Article in journal (Refereed)
    Abstract [en]

    Voting over the Internet is subject to a number of security requirements. Each voting scheme has its own bespoke set of assumptions to ensure these security requirements. The criticality of these assumptions depends on the election setting (e.g., how trustworthy the voting servers or the voting devices are). The consequence of this is that the security of different Internet voting schemes cannot easily be compared. We have addressed this shortcoming by developing SecIVo, a quantitative security evaluation framework for Internet voting schemes. On the basis of uniform adversarial capabilities, the framework provides two specification languages, namely qualitative security models and election settings. Upon system analysis, system analysts feed the framework with qualitative security models composed of adversarial capabilities. On the other side, election officials specify their election setting in terms of, among others, expected adversarial capabilities. The framework evaluates the qualitative security models within the given election setting and returns satisfaction degrees for a set of security requirements. We apply SecIVo to quantitatively evaluate Helios and Remotegrity within three election settings. It turns out that there is no scheme which outperforms the other scheme in all settings. Consequently, selecting the most appropriate scheme from a security perspective depends on the environment into which the scheme is to be embedded.

  • 43. Neumann, Stephan
    et al.
    Volkamer, Melanie
    Strube, Moritz
    Jung, Wolfgang
    Brelle, Achim
    Cast-as-intended-Verifizierbarkeit für das Polyas-Internetwahlsystem. 2015. In: Datenschutz und Datensicherheit, ISSN 1614-0702, Vol. 11/2015, p. 747-752. Article in journal (Refereed)
    Abstract [en]

    Internet voting systems must satisfy a large number of requirements. Three properties in particular should be demonstrable for a voting system: that the cast vote matches the voter's intention, that the cast vote is stored correctly (and confidentially), and that the tally is free of errors. This article presents approaches to achieving a verifiable match between the cast vote and the voter's intention (cast-as-intended verifiability) and shows how the widely used Polyas Internet voting system can be extended with this property.

  • 44.
    Paul, Thomas
    et al.
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Stopczynski, Martin
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Puscher, Daniel
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Volkamer, Melanie
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Strufe, Thorsten
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    C4PS-Helping Facebookers Manage Their Privacy Settings. 2012. In: SOCIAL INFORMATICS, SOCINFO 2012, Springer Berlin/Heidelberg, 2012, p. 188-201. Conference paper (Refereed)
    Abstract [en]

    The ever increasing popularity of Online Social Networks has left a wealth of personal data on the web, accessible for broad and automatic retrieval. Protection from undesired recipients and harvesting by crawlers is implemented by access control, manually configured by the user in his privacy settings. Privacy unfriendly default settings and the user unfriendly privacy setting interfaces cause an unnoticed over-sharing. We propose C4PS - Colors for Privacy Settings, a concept for future privacy setting interfaces. We developed a mockup for privacy settings in Facebook as a proof of concept, applying color coding for different privacy visibilities, providing easy access to the privacy settings, and generally following common, well known practices. We evaluated this mockup in a lab study and show in the results that the new approach increases the usability significantly. Based on the results we provide a Firefox plug-in implementing C4PS for the new Facebook interface.

  • 45. Renaud, Karen
    et al.
    Flowerday, Stephen
    Othmane, Lotfi ben
    Volkamer, Melanie
    "I Am Because We Are": Developing and Nurturing an African Digital Security Culture. 2015. Conference paper (Refereed)
    Abstract [en]

    Technical solutions fail if people experience difficulties using them. Sometimes these difficulties force people to work around the security solutions in order to achieve legitimate goals. Improving usability undoubtedly helps, but this has not improved the situation as much as anticipated. In this paper we consider a variety of other reasons for non-uptake. We argue that this situation can only be addressed by considering the person as a member of the wider community and not as a solitary agent. This aligns with the traditional African wisdom of Ubuntu: "I am because we are". We propose improving the African Digital Security Culture (ADSC): collective knowledge, common practices, and intuitive common security and privacy behaviour, in a particular society. We suggest a set of approaches for developing and sustaining ADSC in a society, for as members of a society we learn most effectively from each other, not from books, the media or by carrying out searches using search engines.

  • 46.
    Renaud, Karen
    et al.
    Univ Glasgow, Sch Comp Sci, Glasgow G12 8QQ, Lanark, Scotland.
    Mayer, Peter
    Volkamer, Melanie
    Tech Univ Darmstadt, CASED, Darmstadt, Germany.
    Maguire, Joseph
    Univ Glasgow, Sch Comp Sci, Glasgow G12 8QQ, Lanark, Scotland.
    Are Graphical Authentication Mechanisms As Strong As Passwords? 2013. In: 2013 FEDERATED CONFERENCE ON COMPUTER SCIENCE AND INFORMATION SYSTEMS (FEDCSIS), Polish Information Processing Society, 2013, p. 837-844. Conference paper (Refereed)
    Abstract [en]

    The fact that users struggle to keep up with all their (textual) passwords is no secret. Thus, one could argue that the textual password needs to be replaced. One alternative is graphical authentication. A wide range of graphical mechanisms have been proposed in the research literature. Yet, the industry has not embraced these alternatives. We use nowadays (textual) passwords several times a day to mediate access to protected resources and to ensure that accountability is facilitated. Consequently, the main aspect of interest to decision-makers is the strength of an authentication mechanism to resist intrusion attempts. Yet, researchers proposing alternative mechanisms have primarily focused on the users' need for superior usability while the strength of the mechanisms often remains unknown to the decision makers. In this paper we describe a range of graphical authentication mechanisms and consider how much strength they exhibit, in comparison to the textual password. As basic criteria for this comparison, we use the standard guessability, observability and recordability metrics proposed by De Angeli et al. in 2005. The intention of this paper is to provide a better understanding of the potential for graphical mechanisms to be equal to, or superior to, the password in terms of meeting its most basic requirement namely resisting intrusion attempts.

  • 47. Renaud, Karen
    et al.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Renkema-Padmos, Arne
    Why doesn’t Jane protect her privacy? 2014. In: Privacy Enhancing Technologies: 14th International Symposium, PETS 2014, Amsterdam, The Netherlands, July 16-18, 2014. Proceedings / [ed] Emiliano De Cristofaro, Steven J. Murdoch, 2014, p. 244-262. Conference paper (Refereed)
    Abstract [en]

    End-to-end encryption has been heralded by privacy and security researchers as an effective defence against dragnet surveillance, but there is no evidence of widespread end-user uptake. We argue that the non-adoption of end-to-end encryption might not be entirely due to usability issues identified by Whitten and Tygar in their seminal paper “Why Johnny Can’t Encrypt”. Our investigation revealed a number of fundamental issues such as incomplete threat models, misaligned incentives, and a general absence of understanding of the email architecture. From our data and related research literature we found evidence of a number of potential explanations for the low uptake of end-to-end encryption. This suggests that merely increasing the availability and usability of encryption functionality in email clients will not automatically encourage increased deployment by email users. We shall have to focus, first, on building comprehensive end-user mental models related to email, and email security. We conclude by suggesting directions for future research.

  • 48. Renkema-Padmos, Arne
    et al.
    Baum, Jerome
    Renaud, Karen
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Shake hands to bedevil: Securing email with wearable technology. 2014. In: Proceedings of the Eighth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2014) / [ed] Nathan Clarke, Steven Furnell, HAISA, 2014, p. 90-100. Conference paper (Refereed)
    Abstract [en]

    Emailers seldom encrypt, sometimes because they do not see the need to do this, and sometimes because they do not know how to or are prevented from doing so by the complexity of the facilitating interface. The reality is that encryption is effortful and has to be deliberately undertaken. We propose the use of a wearable device called a Weaver (WEArable EncrypteR). Weaver will be designed to be a mechanism for exchanging encrypted emails that is as simple and effortless as possible to use. Our design philosophy was inspired by the industrial designer Naoto Fukusawa who talks about "design dissolving into behaviour". We want to arrive at seamless secure communication between people who initially meet in person to establish a trusting relationship by "weaving" their devices. This can be subsequently exploited to facilitate the exchange of secure emails between the wearers of the Weavers.

  • 49. Renkema-Padmos, Arne
    et al.
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Renaud, Karen
    Building Castles in Quicksand: Blueprints of a Crowdsourced Study. 2014. In: Proceeding CHI EA '14 CHI '14 Extended Abstracts on Human Factors in Computing Systems, ACM Digital Library, 2014, p. 643-652. Conference paper (Refereed)
    Abstract [en]

    Finding participants for experiments has always been a challenge. As technology advanced, running experiments online became a viable way to carry out research that did not require anything more than a personal computer. The natural next step in this progression emerged as crowdsourcing became an option. We report on our experience of joining this new wave of practice, and the difficulties and challenges we encountered when crowdsourcing a study. This led us to re-evaluate the validity of crowdsourced research. We report our findings, and conclude with guidelines for crowdsourced experiments.

  • 50. Schochlow, Verena
    et al.
    Neumann, Stephan
    Braun, Kristoffer
    Volkamer, Melanie
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science.
    Bewertung der GMX/Mailvelope-Ende-zu-Ende-Verschlüsselung. 2016. In: Datenschutz und Datensicherheit - DuD, ISSN 1614-0702, E-ISSN 1862-2607, Vol. 40, no 5, p. 295-299. Article in journal (Other academic)