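% arXiv preprint (eprint 2103.13287): literature review of human-factors
% research in security and privacy, 2008--2018, centred on expert users
% (operators, developers) and compared with a sample of end-user studies.
% The abstract is kept as exported, with the HTML <br> line-break residue
% removed so it does not appear literally in typeset output.
@online{Kaur_2103.13287,
  author     = {Kaur, Mannat and van Eeten, Michel and Janssen, Marijn and Borgolte, Kevin and Fiebig, Tobias},
  title      = {Human Factors in Security Research: Lessons Learned from 2008--2018},
  year       = {2021},
  language   = {eng},
  eprint     = {2103.13287},
  eprinttype = {arXiv},
  url        = {https://arxiv.org/abs/2103.13287},
  abstract   = {Instead of only considering technology, computer security research now
    strives to also take into account the human factor by studying regular users
    and, to a lesser extent, experts like operators and developers of systems. We
    focus our analysis on the research on the crucial population of experts, whose
    human errors can impact many systems at once, and compare it to research on
    regular users. To understand how far we advanced in the area of human factors,
    how the field can further mature, and to provide a point of reference for
    researchers new to this field, we analyzed the past decade of human factors
    research in security and privacy, identifying 557 relevant publications. Of
    these, we found 48 publications focused on expert users and analyzed all in
    depth. For additional insights, we compare them to a stratified sample of 48
    end-user studies.
    In this paper we investigate:
    (i) The perspective on human factors, and how we can learn from safety
    science
    (ii) How and who are the participants recruited, and how this -- as we
    find -- creates a western-centric perspective
    (iii) Research objectives, and how to align these with the chosen research
    methods
    (iv) How theories can be used to increase rigor in the communities scientific
    work, including limitations to the use of Grounded Theory, which is often
    incompletely applied
    (v) How researchers handle ethical implications, and what we can do to account
    for them more consistently.
    Although our literature review has limitations, new insights were revealed
    and avenues for further research identified.},
}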
