Posts

October 2019 Update

As will surprise very few researchers, our blog is out of date! However, that's because we've been working hard coding our data, working on our concept inventory, and developing hands-on exercises (and a delivery framework) to teach improved ways of thinking about these issues. Here's a status report, as of late October, 2019. We completed our survey in the spring of 2019; 87 respondents generated 469 responses about "commonsense misconceptions" that they believed novices often hold about computer security. We coded our data looking for highly represented misconceptions, which resulted in a list of 17 succinct, one-sentence descriptions of those misconceptions, which we have also expanded into short (1-2 paragraph) explanations. We have started work on our concept inventory, which will be a multiple-choice test to help identify the extent to which CS students (or other novices) hold these misconceptions about security. We are following an approach where we d

Final Survey Design

Survey Design

The design of our survey asking experts what they saw as the most critical security-related misconceptions held by novices was one of the most important aspects of this project. One possible approach would be to collect misconceptions from the literature and ask experts to rank them, but we felt it was important to avoid influencing what experts thought. As a result, we had to be careful to not ask leading questions or include examples of misconceptions that might sway the results. On the other hand, we felt that a single question, such as “What are common computer security mistakes you have observed?” would be too vague and might only generate a fraction of the responses from each participant. For example, an expert might think of a misconception they encounter daily, but might not have other misconceptions come to mind in other areas of security. Another issue we faced was that it is often easy for people to identify mistakes that they see, but can be difficult f

Automate all the things!

We plan to reach out to as many experts in the security field as possible. The more respondents we get, the better! There's just one problem. How do you get emails for a bunch of security professors? Even more so, how do you even find a list with just their names? Thankfully, we can answer the second question. Conference proceedings for security and security-education conferences (Usenix and ASE) both contain experts' names and affiliations. After spending a few hours manually googling authors' names to find their emails, Al suggested we try to automate the process as much as possible. How much benefit could that have, I thought? At the end of the day, we still have to manually click on their homepages or find their email somewhere online. We decided to see how much benefit automation could get us, and the end result is pretty cool. Al wrote a regular expression to pull  that goes through and finds the names of all the authors, as well as their affiliation. Then, given

Hello World

Hi! Welcome to the Security Misconceptions Project blog! We will be updating this blog regularly to celebrate our successes, talk about our processes, air our grievances, and ponder our questions -- we invite you to join us. It'd probably be a good idea to read the about page to get a better idea of what we're trying to do. So, what's the status? Well, our current objectives this week are to get everything set up -- eliminating all the lorem ipsum from this blog, putting the finishing touches on our survey, and compiling the list of experts we plan to survey. The goal is to meet with our evaluator from the Education department (possibly to be introduced on this blog soon) who will give everything the once-over before we officially get underway. Stay tuned, the next couple weeks we should be blogging about the process of creating the survey, as well as the process of finding people to actually send it to.