For years, NIST has been conducting research in the areas of human-centered design and evaluation, usable cybersecurity, public safety communication technology, augmented-reality usability, biometrics usability, human factors, and cognitive engineering. We asked Yee-Yin Choong, a Human Factors Scientist in the Visualization and Usability Group, Information Technology Laboratory at NIST, about her research and experience working in this unique field.
Yee-Yin’s research goal is to understand people’s perceptions, expectations, experiences, and behaviors of human-system interactions – including designers/developers who are developing the technologies, and end users who are using the technologies. Ultimately, the goal is to understand how to facilitate and improve these human experiences. We asked her several questions about her work and her recent research findings at NIST.
I received my bachelor’s and master’s degrees in Electrical Engineering back in Taiwan. Then, I came to the United States to pursue advanced degrees. At first, I was working on my PhD in Electrical Engineering at the Pennsylvania State University. From interacting with other graduate students—almost by accident—I came to learn about the discipline of Human Factors & Ergonomics (HFE) in the Industrial Engineering department. HFE is a scientific discipline taking a holistic approach to human-system interaction by applying theory and knowledge of human abilities and limitations to system design for efficient, effective, comfortable, and safe human use. The field of HFE deals with five major aspects of human interactions with systems: perceptual, cognitive, physical, environmental, social & organizational. I was fascinated by the discipline and, being passionate about supporting humans’ interactions with technology, I decided to switch majors. I ended up getting a 2nd master’s degree in Industrial Engineering from Penn State University and later, got my Ph.D. in Industrial Engineering–Human Factors from Purdue University.
While working in industry for more than 10 years, I never forgot my passion for research. When I learned about a position opening at NIST in 2006, the decision to switch jobs and shift focus from practitioner to researcher was a no-brainer.
My favorite part about working at NIST is that I get to carry out my passion of doing human-centered research, while also knowing my research has the ability to make a positive impact. There are so many brilliant researchers doing amazing projects at NIST. I never get bored with my job. I get to attend research seminars, meet/collaborate with other researchers, germinate research ideas, learn new research methodologies—the list just goes on and on.
In the cyber security research community, a great deal of research has been conducted with adults on their perceptions of online security and privacy, online behaviors and password practices. However, minimal research has examined youth perceptions and understanding of online security and privacy, and their security behaviors and practices. Young people and children, so-called “Digital Natives”, are going online more, at younger ages, and in more diverse ways. They are raised in a digital, media-saturated world or grew up with technology in their lives since birth. This creates a “right now” culture with the “always connected” generation. There is no clear delineation between “online” and “offline.” As children are doing more activities online, they are creating user accounts and passwords as required by those online systems. Over the next 10 to 20 years, the world’s cyber posture and culture will depend on the cybersecurity and privacy knowledge and practices of today’s youth, since digital natives have already started transitioning into the workforce or are just starting their professional careers. Therefore, it is very important that we expand research focus beyond adults and start conducting security research on the younger generation.
We started planning research into children’s security and privacy practices around 2017. The first study was conducted in 2018—focusing on children’s practices, perceptions, and knowledge regarding passwords. This was the first large-scale research study with children ever done (and IRB-approved) at NIST.
We also wanted to understand parents’ own password practices and their involvement (or lack thereof) with their children’s password practices. This required us to conduct two survey studies—a youth survey and parent survey. From the youth survey, we collected more than 1500 responses from children ranging from 3rd to 12th grade. From the parent survey, 266 parents completed the survey.
The quantitative survey studies have provided insight into what children know and think about passwords and their reported practices. The survey results don’t give us the “why?” It is important to investigate why they do what they do, in order to provide guidance on security and privacy to mitigate risky youth security and privacy behaviors. We are currently working on another research study in which we will conduct in-depth interviews with children and their parents as pairs.
Across all age groups it was reported that parents and school play the most important role in providing guidance on ‘good’ password practices. For the most part, younger children rely more on their family in creating and remembering passwords. Almost six times as many elementary schoolers (ES) reported having parental help in creating their passwords, while only about 15% of the high schoolers (HS) reported having parental help.
Children reported some good password practices:
However, as students grow older, they were increasingly more likely to share their password(s) with friends. Risky behaviors like password-sharing by early adolescents can be explained from a developmental perspective. Friendships with peers become gradually more prevalent and intense during early adolescence. In the friendship formation process, self-disclosure and the sharing of secrets is a key component of intimate relationship formation. Adolescents regard the ability to share secrets and to talk intimately as the two primary characteristics of a “best friend” – forming trust.
We asked kids to create a password for a hypothetical new game. Not surprisingly, children did not tend to make strong passwords, especially for younger children. In contrast, older kids created passwords using a single dictionary word plus numbers and special characters preceding or following the word more than the younger kids. Looking at the words used, many resembled names (presumably) containing personal information, which is a less secure behavior that is also reflected in other studies of children’s password behavior.
We asked kids to write down their answers to an open-ended question “Why do you think people should use passwords?” Qualitative responses were coded using an inductive thematic two-cycle coding process into four main thematic codes: access, protection, privacy, and safety.
Participants frequently mentioned securing their personal phones and computers, and they were particularly concerned about access. However, as children get older, privacy becomes more prevalent in their responses. In terms of social development, as children–particularly preteens and teenagers like the majority of this study’s participants–begin to explore and exercise autonomy, their privacy becomes an increasing concern. Older kids frequently emphasized the importance of passwords for personal information privacy. Additionally, younger children’s privacy concerns were more general, whereas their MS and HS counterparts were increasingly more specific to things like gaming, social media, and cell phones. This makes sense, as younger students less frequently have unsupervised access to these applications and therefore do not associate them with expectations of privacy.
Although the idea of safety was a popular response, the mentions of safety were vague. This raises questions about how much students really know about online/cybersecurity safety and privacy, and how much they have been raised in a digital age that teaches them that passwords and other security measures are important for safety, without ever explaining what that safety means.
Students frequently discuss the significance of passwords very generally and vaguely. This raises questions about whether or not they actually understand why certain password practices exist or they just know about the practices. Many students, especially older ones, exhibit password behaviors that do not align with their stated understanding of passwords, such as sharing passwords with friends, reusing passwords and using personal information when creating passwords. This gap between students’ stated password knowledge and their password behavior is an important next step for research surrounding children’s password use and education.
Currently, we are still analyzing the data from the parent password survey, and planning for an in-depth interview study. So, I may not have concrete guidance for parents yet.
Though, here are some preliminary results found from the parent survey:
We observed and heard (anecdotally) from parents that parenting in a tech world is challenging and can be scary at times, especially for those parents who are digital immigrants – meaning they were born before the widespread use of digital technology. Often, digital immigrant parents think that their digital native children are far more proficient in the knowledge and use of technology. Most parents feel in control and have good strategies on how to teach and protect their children to be secure and safe in the physical world. However, many parents feel at a loss, anxious, and helpless on how to teach and protect their children to be secure and safe in the digital world.
For more information, see NIST Study on Kids’ Passwords Shows Gap Between Knowledge of Password Best Practices and Behavior.
This article was excellent in identifying vulnerabilities with respect to privacy/security. I would be interested in hearing what Yee-Yin would have to say when we move to children's privacy/security in a classroom setting and how to teach them about vulnerabilities based on the information requested on an educational web site. Good job Yee-Yin. I hope to see more of you in the NIST postings.