
I have published extensively throughout graduate school. My research has focused on human factors in cyber security. I have a specific emphasis in understanding how users interact with over-the-shoulder attack resistant graphical authentication schemes.

Journal Article Publications

An Exploratory Study of Cyber Hygiene Behaviors and Knowledge

End users’ cyber hygiene often plays a large role in cybersecurity breaches. Therefore, we need a deeper understanding of the user differences that are associated with either good or bad hygiene and an updated perspective on what users do to promote good hygiene (e.g., employ firewall and anti-virus applications). Those individuals with good cyber hygiene follow best practices for security and protect their personal information. This exploratory study of cyber hygiene knowledge and behavior offers information that designers and researchers can employ to improve users’ hygiene practices. We surveyed 268 participants about their knowledge of concepts, their knowledge of threats, and their behaviors related to cyber hygiene. Further, we asked participants about their previous training and experiences. Notably, the participants represent a large cross section from age 18 to 55+. We addressed inconsistencies in the literature, we provide up-to-date information on behaviors and on users’ knowledge about password usage and phishing, and we explored the impact of age, gender, victim history, perceived expertise, and training on cyber hygiene.

​

Citation:

Cain, A. A., Edwards, M. E., & Still, J. D. (2018). An exploratory study of cyber hygiene behaviors and knowledge. Journal of Information Security and Applications, 42, 36-45.

Usability Comparison of Over-the-Shoulder Attack Resistant Authentication Schemes

​

Graphical authentication schemes offer a more memorable alternative to alphanumeric passwords. However, they have been criticized for being susceptible to over-the-shoulder attacks (OSA). To solve this shortcoming, schemes have specifically been designed to be resistant to OSA. Common strategies used to decrease the ease of OSAs are grouping targets among distractors, translating them to another location, disguising the appearance of targets, and using gaze-based input. We are the first to provide a direct comparison of the common strategies regarding usability and OSA resistance. 

​

Citation:

Cain, A. A., & Still, J. D. (2018). Usability comparison of over-the-shoulder attack resistant authentication schemes. Journal of Usability Studies, 4, 196-219.

RSVP a Temporal Method for Graphical Authentication
​

We present a Rapid, Serial, Visual Presentation method (RSVP) for recognition-based graphical authentication. It presents a stream of rapid, degraded images, which makes the object recognition process difficult for casual attackers. Three studies investigated success rates for authenticating, RSVP’s resistance to over-the-shoulder attacks (OSAs), approaches for facilitating learnability, and effects of resetting a passcode. We found that participants could successfully authenticate and could not complete OSAs. 

​

Citation:

Cain, A. A., & Still, J. D. (2017). RSVP a temporal method for graphical authentication. Journal of Information Privacy and Security, 1-12.

Human-Centered Authentication Guidelines

​​

Despite the widespread use of authentication schemes and the rapid emergence of novel authentication schemes, a general set of domain-specific guidelines has not yet been developed.  We present and explain a list of human-centered guidelines for developing usable authentication schemes. Instead of viewing users as the inevitable weak point in the authentication process, we propose that authentication interfaces be designed to take advantage of users’ natural abilities. This approach requires that we understand how interactions with authentication interfaces can be improved and what human capabilities can be exploited. We present a list of six guidelines that designers ought to consider when developing a new usable authentication scheme.

​

Citation:

Still, J. D., Cain, A. A., & Schuster, D. (2017). Human-centered authentication guidelines. Journal of Information and Computer Security. Impact Factor: 1.09

Iconicity in vocalization, comparisons with gesture, and implications for theories on the evolution of language
​

Scholars have often reasoned that vocalizations are extremely limited in their potential for iconic expression, especially in comparison to manual gestures (e.g., Armstrong & Wilcox, 2007; Tomasello, 2008). As evidence for an alternative view, we first review the growing body of research related to iconicity in vocalizations, including experimental work on sound symbolism, cross-linguistic studies documenting iconicity in the grammars and lexicons of languages, and experimental studies that examine iconicity in the production of speech and vocalizations. We then report an experiment in which participants created vocalizations to communicate 60 different meanings, including 30 antonymic pairs. The vocalizations were measured along several acoustic properties, and these properties were compared between antonyms. Participants were highly consistent in the kinds of sounds they produced for the majority of meanings, supporting the hypothesis that vocalization has considerable potential for iconicity. In light of these findings, we present a comparison between vocalization and manual gesture, and examine the detailed ways in which each modality can function in the iconic expression of particular kinds of meanings. We further discuss the role of iconic vocalizations and gesture in the evolution of language since our divergence from the great apes. In conclusion, we suggest that human communication is best understood as an ensemble of kinesis and vocalization, not just speech, in which expression in both modalities spans the range from arbitrary to iconic.

​

Citation:

Perlman, M., & Cain, A. A. (2014). Iconicity in vocalization, comparisons with gesture, and implications for theories on the evolution of language. Gesture, 14(3), 320-350.

Conference Proceedings

Graphical Authentication Schemes: Balancing Amount of Image Distortion

​

Graphical authentication schemes offer a more memorable alternative to conventional passwords. One common criticism of graphical passcodes is the risk for observability by unauthorized onlookers. This type of threat is referred to as an Over-the-Shoulder Attack (OSA). A strategy to prevent casual OSAs is to distort the images, making them difficult for onlookers to recognize. Critically, the distortion should not harm legitimate users’ ability to recognize their passcode images. If designers select the incorrect amount of distortion, the passcode images could become vulnerable to attackers or images could become unrecognizable by users rendering the system useless for authentication. We suggest graphical authentication designers can distort images at brushstroke size 10 for a 112 × 90-pixel image to maintain user recognition and decrease casual OSAs. Also, we present mathematical equations to explicitly communicate the image distortion process to facilitate implementation of this OSA resistant approach.

​

Citation:

Tiller, L. N., Cain, A. A., Potter, L. N., & Still, J. D. (2018). Graphical authentication schemes: Balancing amount of image distortion. In International Conference on Applied Human Factors and Ergonomics (pp. 88-98).

Visual Saliency Predicts Fixations in Low Clutter Web Page

​

Previous research has shown a computational model of visual saliency can predict where people fixate in cluttered web pages (Masciocchi & Still, 2013). Over time, web site designers are moving towards simpler, less cluttered webpages to improve aesthetics and to make searches more efficient. Even with simpler interfaces, determining a saliency ranking among interface elements is a difficult task. Also, it is unclear whether the traditionally employed saliency model (Itti, Koch, & Niebur, 1998) can be applied to simpler interfaces. To examine the model’s ability to predict fixations in simple web pages we compared a distribution of observed fixations to a conservative measure of chance performance (a shuffled distribution). Simplicity was determined by using two visual clutter models (Rosenholtz, Li, & Nakano, 2007). We found under free-viewing conditions that the saliency model was able to predict fixations within less cluttered web pages.

​

Citation:

Hicks, J., Still, J. D., & Cain, A. A. (2017). Visual saliency predicts fixations in low clutter web page. Proceedings of the Human Factors and Ergonomics Society (HFES 2017).

Graphical Authentication Resistance to Over-the-Shoulder-Attacks

​

Graphical passwords offer advantages for memorability over conventional alphanumeric passwords, but in some cases they have been vulnerable to over-the-shoulder-attacks (OSA). Thus, many second-generation graphic based schemes are specifically designed to be resistant to OSA. This is often achieved by not having users select targets directly, but by adding cognitive operations to create seemingly random response patterns. This study takes the first step to directly compare three prototypical graphical password schemes to determine their relative resistance to OSAs employing a within-subjects design. We found that schemes requiring cognitive operations in response to target patterns were superior to direct selection of targets. Convex Hull Click was most secure, followed by What You See is What You Enter, while Use Your Illusion showed high vulnerability to OSA. In addition, we discuss a diversity of previous measurements, which are meant to examine security strength of new approaches. We highlight the need for standard OSA resistance measures depending on threat model needs.

​

Citation:

Cain, A. A., Werner, S., & Still, J. D. (2017). Graphical authentication resistance to over-the-shoulder-attacks. Proceeding of CHI in Late-Breaking Work. Acceptance Rate: 39%

Predicting Stimulus-Driven Attentional Selection Within Mobile Interfaces

​

Masciocchi and Still [1] suggested that biologically inspired computational saliency models could predict attentional deployment within webpages. Their stimuli were presented on a large desktop monitor. We explored whether a saliency model’s predictive performance can be applied to small mobile interface displays. We asked participants to free-view screenshots of NASA’s mobile application Playbook. The Itti et al. [2] saliency model was employed to produce the predictive stimulus-driven maps. The first six fixations were used to select values to form the saliency maps’ bins, which formed the observed distribution. This was compared to the shuffled distribution, which offers a very conservative chance comparison as it includes predictable spatial biases by using a within-subjects bootstrapping technique. The observed distribution values were higher than the shuffled distribution. This suggests that a saliency model was able to predict the deployment of attention within small mobile application interfaces.

​

Citation:

Still, J. D., Hicks, J., Cain, A. A., & Billman, D. (2017). Predicting stimulus-driven attentional selection within mobile interfaces. Proceedings of the 8th International Conference on Cognitive and Neuroergonomics.

A Quantitative Measure for Shared and Complementary Situation Awareness

​

As team structures evolve and become more complex, with human and automated agents working together to accomplish team goals, measurement approaches for system situation awareness must also adapt. This paper proposes a novel approach to the measurement of SA for human automation teams. Limitations of existing individual SA measurement approaches are highlighted with a particular focus on the sensitivity of current measures to knowledge held across human and automated agents in complex sociotechnical systems. We propose that elements from team communication data can be used as a basis for the quantification of shared and complementary situation awareness. We present a conceptual measurement approach for using communication data to measure shared and complementary situation awareness for human-automation teams, appropriate for both open or closed loop communication. This paper discusses how such a measurement approach would be applied specifically for human-automation teams, including automation that functions as decision aids, as managers, and automation that learns with the human operator, and discusses implications of our measure for training and design.

​

Citation:

Cain, A. A., Edwards, T., & Schuster, D. (2016). A Quantitative Measure for Shared and Complementary Situation Awareness. Proceedings of the Human Factors and Ergonomics Society (HFES 2016). Washington, DC.

Swipe Authentication: Exploring Over-the-Shoulder Attack Performance

​

Swipe passwords are a popular method for authenticating on mobile phones. In public, these passwords may become visible to attackers who engage in shoulder surfing. There is a need for strategies that protect swipe passwords from over-the-shoulder attacks (OSAs). We empirically explored the impact of providing gesture visual feedback on OSA performance during successful and unsuccessful swipe login attempts on mobile phones. We found evidence that entry visual feedback facilitates OSAs. As users are biased towards symmetrical swipe patterns, we investigated their impact on attack performance. We found that symmetrical swipe patterns were less vulnerable than asymmetrical patterns, possibly due to the speed of entry. As users tend toward simple patterns, we investigated the impact that nonadjacent, diagonal knight moves have on OSAs. We found that knight moves significantly decreased OSA performance. We recommend users turn off gesture entry visual feedback and use knight moves for greater password security.

​

Citation:

Cain, A. A., Chiu, L., Santiago, F., & Still, J. D. (2016). Swipe Authentication: Exploring Over-the-Shoulder-Attack Performance. Proceedings of the 7th International Conference on Applied Human Factors and Ergonomics (AHFE 2016). Orlando, FL.

A Rapid Serial Visual Presentation Method for Graphical Authentication

​

We propose a Rapid Serial Visual Presentation (RSVP) graphical authentication method that is suited for multi-touch mobile devices. This method presents degraded pictures of everyday objects in a temporal stream. Considering all the other authentication methods employ a spatial visual search, our method is unique (i.e., searching across time versus space). A temporal method of presentation is used to decrease login times down to 14 s and to allow login with a simple touch of the screen. By degrading the images, over-the-shoulder attackers are prevented from easily capturing the passcode. This study shows that all participants could successfully log in at least once when allowed up to three attempts. After becoming familiar with the RSVP authentication method, participants took on the role of an attacker. Notably, no one was able to identify the passcode. The RSVP method offers a memorable, usable, quick, and secure alternative for authentication on multi-touch mobile devices.

​

Citation:

Cain, A. A., & Still, J. D. (2016). A Rapid Serial Visual Presentation Approach for Graphical Authentication. Proceedings of the 7th International Conference on Applied Human Factors and Ergonomics (AHFE 2016). Orlando, FL.

Applying Measurement to Complementary Situation Awareness

​

As networks in complex domains such as cyber security increasingly become distributed, with multiple human and automated agents working together to complete team goals, capturing situation awareness (SA) becomes more difficult. Often, SA is defined and measured as individual SA (the knowledge held by an individual, such as a system administrator) or as shared SA (the knowledge held in common by multiple individuals). For these two types, ideal and actual SA have been measured using goal-oriented task analysis and knowledge-specific queries, respectively. We argue that measurements of SA could fill a gap by additionally measuring complementary SA (the knowledge elements held separately by individuals). In the current paper, we suggest how measures for individual SA can be applied to the measurement of the complementary component of SA. We adapt a technique that involves completing a goal-oriented task analysis for a given context and then querying human operators about specific knowledge elements. This adaption allows for the quantification of goal-oriented knowledge elements that are held by team members but are not shared. This technique for quantifying team SA that is complementary as well as shared can be applied to assess trainees and to inform future training programs. Understanding and measuring multiple facets of SA will help improve efficiency and security in distributed teams in cyber security. First, we review the literature on existing measurement techniques for SA, then we outline how measurement can be applied to complementary SA. Lastly, we discuss some applications of measuring complementary SA.

​

Citation:

Cain, A. A., & Schuster, D. (2016). Applying measurement to complementary situation awareness. Proceedings of the IEEE International Inter-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA). San Diego, CA: IEEE.

Measurement of Situation Awareness Among Diverse Agents in Cyber Security
​

Development of innovative algorithms, metrics, visualizations, and other forms of automation is needed to enable network analysts to build situation awareness (SA) from large amounts of dynamic, distributed, and interacting data in cyber security. Several models of cyber SA can be classified as taking an individual or a distributed approach to modeling SA within a computer network. While these models suggest ways to integrate the SA contributed by multiple actors, implementing more advanced data center automation will require consideration of the differences and similarities between human teaming and human-automation interaction. The purpose of this paper is to offer guidance for quantifying the shared cognition of diverse agents in cyber security.

​

Citation:

Cain, A. A., & Schuster, D. (2014). Measurement of situation awareness among diverse agents in cyber security. Proceedings of the IEEE International Inter-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), 1, 113-118. San Antonio, TX: IEEE.
