Better the Devil You Know: Using Lost-Smartphone Scenarios to Explore user Perceptions of Unauthorised Access

Matt Dixon*, Elizabeth Sillence, James Nicholson, Lynne Coventry

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

2 Downloads (Pure)

Abstract

Smartphones are a central part of modern life and contain vast amounts of personal and professional data as well as access to sensitive features such as banking and financial apps. As such protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone – though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups where a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After exposure, we ask participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be ‘hacked into’. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access occurring from known attackers who can utilize personal knowledge to guess unlock codes.
Original languageEnglish
Title of host publicationEuroUSEC '23
Subtitle of host publicationProceedings of the 2022 European Symposium on Usable Security
Place of PublicationNew York, US
PublisherACM
Pages86–96
Number of pages17
ISBN (Electronic)9798400708145
DOIs
Publication statusPublished - 16 Oct 2023
EventEuroUSEC 2023: The 2023 European Symposium on Usable Security - Copenhagen, Denmark
Duration: 16 Oct 202317 Oct 2023
https://eurousec23.itu.dk/#

Conference

ConferenceEuroUSEC 2023
Country/TerritoryDenmark
CityCopenhagen
Period16/10/2317/10/23
Internet address

Cite this