Serge Egelman
Berkeley, CA *****
USA
Email: *****@***********.***
Education
PhD in Computation, Organizations, and Society, May 2009
School of Computer Science, Carnegie Mellon University
BS in Computer Engineering, May 2004
School of Engineering and Applied Science, University of Virginia
Refereed Journal Publications
The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Information Systems
Research (ISR), 22(2), June 2011, pp. 254-268 (with J. Tsai, L. Cranor, and A. Acquisti). Best Published Paper
Award!
P3P Deployment on Websites. Electronic Commerce Research and Applications (ECRA), Autumn 2008 (with L.
Cranor, S. Sheng, A. McDonald, and A. Chowdhury).
The Real ID Act: Fixing Identity Documents with Duct Tape. I/S: A Journal of Law and Policy for the Information
Society, 2(1), Winter 2006, pp. 149-183 (with L. Cranor).
Refereed Conference Papers
The Importance of Being Earnest [in Security Warnings]. Financial Cryptography and Data Security. 2013 (with S.
Schechter), to appear.
Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection. CHI '13:
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2013 (with C. Herley, A.
Sotirakopoulos, I. Muslukhov, and K. Beznosov), to appear.
My Profile Is My Password, Verify Me! The Privacy/Convenience Tradeoff of Facebook Connect. CHI '13:
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2013, to appear.
Android Permissions: User Attention, Comprehension, and Behavior. Proceedings of the 2012 Symposium on
Usable Privacy and Security (SOUPS). July 2012 (with A. P. Felt, E. Ha, A. Haney, E. Chin, and D. Wagner).
Best Paper Award!
Facebook and Privacy: It's Complicated. Proceedings of the 2012 Symposium on Usable Privacy and Security
(SOUPS). July 2012 (with M. Johnson and S. Bellovin).
Oops, I Did It Again: Mitigating Repeated Access Control Errors on Facebook. CHI '11: Proceedings of the
SIGCHI Conference on Human Factors in Computing Systems. 2011 (with A. Oates and S. Krishnamurthi).
Of Passwords and People: Measuring the Effect of Password-Composition Policies. CHI '11: Proceedings of the
SIGCHI Conference on Human Factors in Computing Systems. 2011 (with S. Komanduri, R. Shay, P. G. Kelley,
M. Mazurek, L. Bauer, N. Christin, and L. F. Cranor). Best Paper Nominee!
It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice. Financial
Cryptography and Data Security. 2011 (with N. Christin, T. Vidas, and J. Grossklags).
Crying Wolf: An Empirical Study of SSL Warning Effectiveness. The 18th USENIX Security Symposium. 2009
(with J. Sunshine, H. Almuhimedi, N. Atri, and L. Cranor).
It's No Secret: Measuring the reliability of authentication via 'secret' questions. The 2009 IEEE Symposium on
Security and Privacy (with S. Schechter and A.J. Brush).
It's Not What You Know, But Who You Know: A social approach to last-resort authentication. CHI '09:
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2009 (with S. Schechter and
R. Reeder).
Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI '09: Proceedings of
the SIGCHI Conference on Human Factors in Computing Systems. 2009 (with J. Tsai, L. Cranor, and A.
Acquisti).
Family Accounts: A new paradigm for user accounts within the home environment. CSCW '08: Proceedings of
the 2008 Conference on Computer Supported Cooperative Work. 2008 (with A.J. Brush and K. Inkpen).
You've Been Warned: An Empirical Study on the Effectiveness of Web Browser Phishing Warnings. CHI '08:
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2008 (with L. Cranor and J.
Hong). Best Paper Nominee!
Phinding Phish: An Evaluation of Anti-Phishing Toolbars. NDSS: Proceedings of the ISOC Symposium on
Network and Distributed System Security. February 2007 (with Y. Zhang, L. Cranor, and J. Hong).
An Analysis of P3P-Enabled Web Sites among Top-20 Search Results. Proceedings of the Eighth International
Conference on Electronic Commerce. August 2006 (with L. Cranor and A. Chowdhury).
Power Strips, Prophylactics, and Privacy, Oh My! Proceedings of the 2006 Symposium On Usable Privacy and
Security (SOUPS). July 2006 (with J. Gideon, L. Cranor, and A. Acquisti).
Refereed Workshop Papers
I've Got 99 Problems, But Vibration Ain't One: A Survey of Smartphone Users' Concerns. The 2nd Annual ACM
CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM). October 2012 (with A. P.
Felt and D. Wagner).
How to Ask for Permission. The 7th USENIX Workshop on Hot Topics in Security (HotSec '12). August 2012
(with A. P. Felt, M. Finifter, D. Akhawe, and D. Wagner).
Choice Architecture and Smartphone Privacy: There's A Price for That. Workshop on the Economics of
Information Security (WEIS). June 2012 (with A. P. Felt and D. Wagner).
How Good Is Good Enough? The Sisyphean Struggle for Optimal Privacy Settings. CSCW 2012 Workshop on
Reconciling Privacy with Social Media. February 2012 (with M. Johnson).
Toward Privacy Standards Based on Empirical Studies. W3C Workshop on Web Tracking and User Privacy. April
2011 (with E. McCallister).
Please Continue to Hold: An empirical study on user tolerance of security delays. Workshop on the Economics of
Information Security (WEIS). June 2010 (with D. Molnar, N. Christin, A. Acquisti, C. Herley, and S.
Krishnamurthi).
Tell Me Lies: A Methodology for Scientifically Rigorous Security User Studies. Workshop on Studying Online
Behaviour at CHI'10. April 2010 (with J. Tsai and L. F. Cranor).
The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Workshop on the
Economics of Information Security (WEIS). June 2007 (with J. Tsai, L. Cranor, and A. Acquisti).
Security User Studies: Methodologies and Best Practices. CHI '07 Extended Abstracts on Human Factors in
Computing Systems. April 2007 (with J. King, R. Miller, N. Ragouzis, and E. Shehan).
Studying The Impact of Privacy Information on Online Purchase Decisions. Workshop on Privacy and HCI:
Methodologies for Studying Privacy Issues at CHI'06. April 2006 (with J. Tsai, L. Cranor, and A. Acquisti).
Book Chapters and Magazine Articles
Crowdsourcing. To appear in Ways of Knowing in HCI, J. Olson and W. Kellogg (Eds.), to be published by
Springer (with E. Chi and S. Dow).
Helping Users Create Better Passwords. ;login:. December 2012 (with B. Ur, P. G. Kelley, S. Komanduri, J. Lee,
M. Maass, M. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez).
Conference Report: SOUPS 2006. IEEE Security & Privacy. November/December 2006 (with J. Tsai).
Conference Report: 14th USENIX Security Symposium. ;login:. December 2005 (with K. Butler, M. Chow, J.
Duerig, B. Hicks, F. Hsu, S. Kelm, and M. Rajagopalan).
Conference Report: 13th USENIX Security Symposium. ;login:. December 2004 (with A. AuYoung, E. Cronin, M.
Dougherty, R. Greenstadt, S. Kelm, Z. Liang, C. Mano, N. Smith, A. Raniwala, T. Whalen, and W. Xu).
Suing Spammers for Fun and Profit. ;login:. April 2004.
Installation. Peter Norton's Complete Guide to Linux. Macmillan Computer Publishing. 1999.
User Administration. Peter Norton's Complete Guide to Linux. Macmillan Computer Publishing. 1999.
Research Experience
Scientist
University of California, Berkeley
September 2011-present
I am currently working with David Wagner's research group to examine privacy and security issues on mobile devices
(e.g., smartphones). Specifically, we are examining how users make decisions to install particular applications and how to
better alert them to potential malware. We are in the process of creating a new architecture for prompting users when an
application requests certain hardware or software abilities.
Scientist
NIST
August 2010-July 2011
I helped design and conduct studies to examine how users interact with authentication systems, specifically password
and token-based systems. I co-organized a workshop on the NIST campus to discuss ways in which usable security
research and techniques could be formally integrated into the development process, as well as reviewed grant proposals
for NIST funding.
Postdoctoral Research Associate
Brown University
August 2009-August 2010
I worked with Shriram Krishnamurthi on creating better interfaces for policy authors to specify access control policies. We
conducted studies to determine common policy errors, the causes of these errors, and the types of interfaces that policy
authors currently use. We developed a new policy authoring interface that allows users of social networking websites to
interactively specify policies in order to more easily detect and clarify ambiguities. We designed and conducted a usability
study to validate our tool.
Research Assistant
Carnegie Mellon University
June 2004-May 2009
While pursuing a PhD under the direction of Dr. Lorrie Cranor in the Computation, Organizations, and Society program at
CMU, I focused primarily on the usability of privacy and security systems. Areas that I worked in included creating more
effective web browser trust indicators, creating usable privacy tools, Internet anonymity, and detection and prevention of
phishing attacks. My dissertation is entitled "Trust Me: Designing Trustworthy Trust Indicators." My committee consisted
of Lorrie Cranor (chair), Jim Herbsleb, Jason Hong, and Steve Bellovin (Columbia University).
Research Intern
Microsoft Research
July 2008-October 2008
During my second internship at MSR, I conducted two user studies with Stuart Schechter. We first looked at using social
networks as a means for authenticating webmail users who had forgotten their passwords. We tested the usability of our
system as well as how susceptible it would be to various attacks. Additionally, I assisted the Internet Explorer team with
new designs for their security warnings based on my research. We tested the new warnings in the laboratory using an
eye tracker.
Research Intern
Microsoft Research
January 2008-April 2008
I was an intern at MSR working with A.J. Brush and Kori Inkpen on user account models for shared family computers. We
examined why the current user account model does not work on computers shared by trusted individuals (i.e. communal
home computers) and developed a more appropriate model. I implemented our prototype in C# and ran a usability study.
This work was published at the 2008 Computer Supported Cooperative Work (CSCW) conference.
Research Intern
Xerox PARC
June 2006-September 2006
During the summer of 2006, I worked with Jim Thornton in the Computer Science Lab (CSL) at PARC. My main focus
was on malware detection using virtualization. The project involved creating a Windows kernel driver that would intercept
system calls (like a rootkit) on the guest operating system and then report the state of the guest back to the host.
Additional work focused on writing security mechanisms to protect code running under a virtual machine.
Professional Experience
Developer
Tovaris: The Digital Identity Company
2000-2001
I worked part time doing development in C++ for the Mithril Secure Server (an encrypted email solution). I mostly wrote
CGI code for administering the servers from a front-end, although I did do some work on the back-end. This involved
getting very familiar with the OpenSSL libraries. Most of the development was done under OpenBSD, using C++, though I
also did some work in Perl.
Technical Support / Developer / System Administrator
Broadband Network Services, Inc.
1999-2000
I handled all of the technical support questions via telephone and e-mail. I maintained and administered all of our
databases using MySQL. This included setting up new database customers, adding and removing databases, and
maintaining MySQL. I used PHP, Perl, and bash to write scripts to aid in system administration and to automate other
common tasks. I handled most of the website development that we were hired to do; this included writing scripts, HTML,
and database management. My administrative responsibilities included maintaining our primary and secondary DNS,
Sendmail, Apache, and PHP. I also aided in creating and removing accounts, setting up new virtual hosts, setting up and
maintaining network monitoring, and maintaining hardware; this included building and configuring computers.
Teaching Experience
Information Security & Privacy (46-861)
Carnegie Mellon University
Fall 2007
Teaching assistant duties included developing course materials (topics for lectures, assignments, and exams), grading
assignments and exams, holding office hours, and mentoring students about semester-long projects.
Computers and Society (15-290)
Carnegie Mellon University
Spring 2006
Teaching assistant duties included giving guest lectures, creating assignments and exams, grading assignments and
exams, holding office hours, and mentoring students about semester-long projects.
Information Security (CS 451)
University of Virginia
Fall 2003
Teaching assistant duties included giving guest lectures, creating assignments and exams, grading assignments and
exams, and holding office hours.
Intellectual Property (TCC 200)
University of Virginia
Fall 2003
Teaching assistant duties included grading assignments and holding office hours.
Advanced Software Development Methods (CS 340)
University of Virginia
Spring 2003, Spring 2004
Teaching assistant duties included grading assignments and exams, and holding office hours.
Engineering Software (CS 201J)
University of Virginia
Fall 2002
Teaching assistant duties included grading assignments and holding office hours.
Research Grants
Google Faculty Research Award, Designing Usable Certificate Dialogs in Chrome. Principal Investigator, 2010.
Budget: $60,000.
NSF Trustworthy Computing, Small, Interfaces to Reduce Human Error in Access Control Policy Authoring.
Principal Investigator (Co-PIs: Shriram Krishnamurthi and Kathi Fisler), 2010. Budget: $500,000; Recommended
for funding, though upon accepting a job within the government, we were forced to subsequently withdraw the
proposal.
Professional Activities
Program Committees
2013: CHI; Symposium On Usable Privacy and Security (SOUPS)
2012: Symposium On Usable Privacy and Security (SOUPS); New Security Paradigms Workshop (NSPW)
2011: Symposium On Usable Privacy and Security (SOUPS); New Security Paradigms Workshop (NSPW);
Computers, Freedom, and Privacy (CFP) Conference (poster session co-chair); Software and Usable Security
Aligned for Good Engineering (SAUSAGE) Workshop (co-chair)
2010: Symposium On Usable Privacy and Security (SOUPS)
2008: Conference on Information and Knowledge Management (CIKM)
2007: CHI 2007 Workshop - Security User Studies: Methodologies and Best Practices; Anti-Phishing Working
Group eCrime Researchers Summit (poster session co-chair)
2006: Computers, Freedom, and Privacy (CFP) Conference
Standards Committees
2007-2008: W3C Web Security Context (WSC) Working Group
2004-2006: W3C Platform for Privacy Preferences (P3P) 1.1 Working Group
Leadership Roles
Legislative Concerns Chair, Board of Directors
National Association of Graduate and Professional Students (NAGPS), 2006-2008
Vice President for External Affairs
Carnegie Mellon Graduate Student Assembly, 2006-2008
Awards and Nominations
ISR Best Published Paper, 2012
The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study, received the Best
Published Paper Award at the 2012 INFORMS Conference (with J. Tsai, L. Cranor, and A. Acquisti).
SOUPS Best Paper Award, 2012
Android Permissions: User Attention, Comprehension, and Behavior, received the Best Paper Award at the
Symposium on Usable Privacy and Security (with A. P. Felt, E. Ha, A. Haney, E. Chin, and D. Wagner).
CHI Best Paper Nominee, 2011
Of Passwords and People: Measuring the Effect of Password-Composition Policies, received an honorable
mention at CHI 2011 (with S. Komanduri, R. Shay, P. G. Kelley, M. Mazurek, L. Bauer, N. Christin, and L. F.
Cranor).
CHI Best Paper Nominee, 2008
You've Been Warned: An Empirical Study on the Effectiveness of Web Browser Phishing Warnings, received an
honorable mention at CHI 2008 (with L. Cranor and J. Hong).
Tor Graphical User Interface Design Competition, 2006
Phase 1 Overall Winner (with L. Cranor, J. Hong, P. Kumaraguru, C. Kuo, S. Romanosky, J. Tsai, and K.
Vaniea).
University of Virginia Dean's List of Scholars
I was included on the Spring 2003 and 2004 Dean's List of Scholars.
Publisher's Clearing House Finalist
I may already be a winner.
Last modified February 2013.