Completed Projects
Personalised Phishing Intervention Strategies

Recognising the diversity in individuals' motivations, knowledge, and strengths, we investigate the potential of personalised phishing training tailored to accommodate inter-individual differences. Based on sparse information such as a user’s phishing detection proficiency and a limited number of cognitive and behavioural categories, we explore approaches for clustering users into adaptive training groups. We aim to identify lightweight yet effective personalisation strategies that can increase training effectiveness without requiring extensive user profiling.
Financial support for the project is generously provided by the Cyber Defence Campus and Armasuisse W+T.
Project Duration: 01/2024 - 12/2024
Partners: Dr. Martin Strohmeier | Cyber Defence Campus
Outcome publications
Lorin Schöni, Neele Roch, Hannah Sievers, Martin Strohmeier, Peter Mayer, and Verena Zimmermann. 2025. It's a Match - Enhancing the Fit between Users and Phishing Training through Personalisation. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (CHI '25). Association for Computing Machinery, New York, NY, USA, Article 592, 1–25. https://doi.org/10.1145/3706598.3713845
Lorin Schöni, Victor Carles, Martin Strohmeier, Peter Mayer, and Verena Zimmermann. 2024. You Know What? - Evaluation of a Personalised Phishing Training Based on Users' Phishing Knowledge and Detection Skills. In Proceedings of the 2024 European Symposium on Usable Security (EuroUSEC '24). Association for Computing Machinery, New York, NY, USA, 1–14. https://doi.org/10.1145/3688459.3688460
Combating Phishing with AR

Phishing attacks trick people by using social engineering techniques that exploit emotions or weaknesses, such as inattentiveness. Together with collaboration partners from the Swiss Cyber Defence Campus and the University of Oxford spin-out phishAR, we conduct research on human-centered cybersecurity solutions to create targeted interventions that support users against phishing. To that end, we employ augmented reality (AR) to educate and inform users about the dangers of phishing and to assist them in identifying and avoiding such attacks. By using AR, we aim to create engaging and immersive experiences that help users to better understand the risks associated with phishing and to develop systems that compensate for human weaknesses and enhance human strengths when encountering phishing threats.
The project is kindly financially supported by the Cyber Defence Campus and Armasuisse W+T.
Project Duration: 01/2023-12/2023
Partners: Dr. Martin Strohmeier | Cyber Defence Campus, Dr. Ivo Sluganovic | phishAR
Outcome publication: Lorin Schöni, Martin Strohmeier, Ivo Sluganovic, and Verena Zimmermann. 2025. Stop the Clock - Counteracting Bias Exploited by Attackers through an Interactive Augmented Reality Phishing Training. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (CHI '25). Association for Computing Machinery, New York, NY, USA, Article 594, 1–23. https://doi.org/10.1145/3706598.3714023
Privacy Buddy

Together with our partners at TU Darmstadt/Germany, Dr. Nina Gerber (Work and Engineering Psychology) and Dr. Ephraim Zimmer (Telecooperation Lab), we conduct research on supporting users in making informed privacy decisions.
The project "Privacy Buddy" was funded by the Forum for interdisciplinary Research at TU Darmstadt. Its aims are to educate users in terms of privacy and to apply persuasive strategies to motivate and support users in reaching self-determined privacy goals within a mobile application. The design of the application and its content will follow a human-centered design process.
For more information about this research project, see "Privacy Buddy".
Project Duration: 04/2023 - 07/2024
Partners: Dr. rer. nat. Nina Gerber | FB 3, Arbeits- und Ingenieurpsychologie (FAI), Dr. Ephraim Zimmer | FB 20, Telecooperation Lab (TK)
Usable Authentication
The password is still the most commonly used authentication scheme despite downsides such as the high memory load for users. As a coping strategy, users often create weak passwords or reuse passwords across accounts, which negatively impacts password security. Alternatives not only exist but are manifold, including various biometric (e.g. fingerprint authentication) and token-based schemes (e.g. chip cards). But which schemes are favorable from a user perspective in terms of usability and security perceptions? Which solutions can replace the password, and under which circumstances and in which situations? Which schemes or combinations of schemes are sufficiently secure for the authentication purpose, e.g. online banking? These and related questions are addressed by the Security, Privacy and Society Group.
Exemplary publications
Marky, Karola; Schmitz, Martin; Zimmermann, Verena; Herbers, Martin; Kunze, Kai; Mühlhäuser, Max (2020): 3D-Auth: Two-Factor Authentication with Personalized 3D-Printed Items. p. 12, ACM, CHI '20: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, ISBN 978-1-4503-6708-0, DOI: 10.1145/3313831.3376189
Zimmermann, Verena; Gerber, Nina (2020): The password is dead, long live the password – A laboratory study on user perceptions of authentication schemes. In: International Journal of Human-Computer Studies, 133, pp. 26-44, Elsevier, DOI: 10.1016/j.ijhcs.2019.08.006
Zimmermann, Verena; Gerber, Nina; Mayer, Peter; Kleboth, Marius; Preuschen, Alexandra von; Schmidt, Konstantin (2019): Keep on rating – on the systematic rating and comparison of authentication schemes. In: Information & Computer Security, Emerald Publishing, ISSN 2056-4961, DOI: 10.1108/ICS-01-2019-0020