[Soups-announce] CFP: Workshop on Risk Perception in IT Security and Privacy at SOUPS

Lorrie Faith Cranor lorrie at cs.cmu.edu
Wed Feb 27 21:56:54 EST 2013


Workshop on Risk Perception in IT Security and Privacy 

A workshop of the Symposium On Usable Privacy and Security (SOUPS) 
http://cups.cs.cmu.edu/soups/2013/ 

For full details, please see: http://cups.cs.cmu.edu/soups/2013/risk.html 

This workshop is an opportunity to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy. 

Important Dates:
Submission Deadline: May 30, 2013, 5pm PDT
Notification Deadline: June 10, 2013 5pm PDT
Anonymization: Papers are NOT to be anonymized
Length: 1-2 page position statements




SCOPE AND FOCUS
Willingness to perform actions for security purposes is strongly determined by the costs and perceived benefit to the individual. When end-users' perceptions of risk are not aligned with those of the organization or system, there is a mismatch in perceived benefit, leading to poor user acceptance of the technology.

For example, organizations face complex decisions when pushing valuable information across the network to mobile devices, web clients, automobiles and other embedded systems. This may impose burdensome security decisions on employees and clients due to the risks of devices being lost or stolen, shoulder surfing, eavesdropping, etc. Effective risk communication can provide a shared understanding of the need for, and benefits of, secure approaches and practices.

While risk perception has been studied in non-IT contexts, how well people perceive and react to IT risk is less well understood. How systems measure IT risk, how it is best communicated to users, and how to best align these often misaligned perspectives are poorly understood. Risk-taking decisions (policies) are increasingly being pushed out to users who are frequently ill prepared to make complex technical security decisions based on limited information about the consequences of their actions.

In other risk domains we know that non-experts think and respond to risk very differently than experts. Non-experts often rely on affect, and may be unduly influenced by the perceived degree of damage that will be caused. Experts, and risk evaluation systems, use statistical reasoning to assess risk.

The purpose of this workshop is to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy. Topics of interest include:

	• Human decision and different attack types: Malware, eavesdropping, inadvertent loss / disclosure of information, phishing, browser attacks, etc.
	• Research methods and metrics for assessing perception of risk
	• Assessing value of assets and resources at risk
	• Communication and portrayal of risk - security indicators, status indicators, etc.
	• Organizational versus personal risk
	• The psychology of risk perception
	• Behavioral aspects of risk perception
	• Real versus perceived risk
	• Other topics related to measuring IT risk and/or user perception of IT risk

The goal of this workshop is to explore these and related topics across the broad range of IT security contexts, including enterprise systems, personal systems, and especially mobile and embedded systems. This workshop provides an informal and interdisciplinary setting that includes the intersection of security, psychological, and behavioral science. Everyone who attends the workshop participates. Panel discussions will be organized around topics of interest where the workshop participants will be given an opportunity to give brief presentations, which may include current or prior work in this area, as well as pose challenges in IT security and privacy risk perception.

SUBMISSIONS

We are soliciting 1-2 page position statements that express the nature of your interest in the workshop, the aspects of risk perception of interest to you including the topic(s) that you would like to discuss during the workshop, including the panel discussions.

Email inquiries may be sent to: RiskPerception2013 at gmail.com.

IMPORTANT DATES

Paper submission deadline - May 30, 2013, 5pm PDT 
Notification of paper acceptance - June 10, 2013 5pm PDT

ORGANIZERS

Larry Koved, IBM T. J. Watson Research Center 
L Jean Camp, Indiana University 

