Staff Spotlight: NIST’s Human Factors Scientist

For years, NIST has been conducting research in the areas of human-centered design and evaluation, usable cybersecurity, public safety communication technology, augmented-reality usability, biometrics usability, human factors, and cognitive engineering. We asked Yee-Yin Choong, a Human Factors Scientist in the Visualization and Usability Group, Information Technology Laboratory at NIST about her research and experience working in this unique field.

Yee-Yin’s research goal is to understand people’s perceptions, expectations, experiences, and behaviors of human-system interactions – including designers/developers who are developing the technologies, and end users who are using the technologies. Ultimately, the goal is to understand how to facilitate and improve these human experiences.  We asked her several questions about her work and her recent research findings at NIST.

Questions

What’s your background, and how did you come to be at NIST working on usable security projects?

I received my bachelor’s and master’s degrees in Electrical Engineering back in Taiwan. Then, I came to the United States to pursue advanced degrees. At first, I was working on my PhD in Electrical Engineering at the Pennsylvania State University. From interacting with other graduate students—almost by accident—I came to learn about the discipline of Human Factors & Ergonomics (HFE) in the Industrial Engineering department. HFE is a scientific discipline taking a holistic approach on human-system interaction by applying theory and knowledge of human abilities and limitations to system design for efficient, effective, comfortable, and safe human use. The field of HFE deals with five major aspects of human interactions with systems: perceptual, cognitive, physical, environmental, social & organizational. I was fascinated by the discipline and being passionate about supporting human’s interactions with technology, I decided to switch majors. I ended up getting a 2^nd master’s degree in Industrial Engineering from Penn State University and later, got my Ph.D. in Industrial Engineering–Human Factors from Purdue University.

While working in industry for more than 10 years, I never forgot my passion on research. when I learned about a position opening at NIST in 2006, the decision to switch jobs and shift focus from practitioner to researcher was a no brainer.

What is your favorite thing about working at NIST?

My favorite part about working at NIST is that I get to carry out my passion of doing human-centered research, while also knowing my research has the ability to make a positive impact. There are so many brilliant researchers doing amazing projects at NIST. I never get bored with my job. I get to attend research seminars, meet/collaborate with other researchers, germinate research ideas, learn new research methodologies—the list just goes on and on.

Can you tell us about your research into children’s security and privacy practices?

In the cyber security research community, a great deal of research has been conducted with adults on their perceptions of online security and privacy, online behaviors and password practices. However, minimum research has examined youth perceptions and understanding of online security and privacy, and their security behaviors and practices. Young people and children, so called “Digital Natives”, are going online more, at younger ages, and in more diverse ways. They are raised in a digital, media-saturated world or grew up with technology in their lives since birth.  This creates a “right now” culture with the “always connected” generation. There is no clear delineation between “online” and “offline.” As children are doing more activities online, they are creating user accounts and passwords as required by those online systems. Over the next 10 to 20 years, the world’s cyber posture and culture will depend on the cybersecurity and privacy knowledge and practices of today’s youth since digital natives have already started transitioning into the workforce; or just starting their professional career. Therefore, it is very important that we expand research focus beyond adults and start conducting security research on younger generation.

We started planning research into children’s security and privacy practices around 2017. The first study was conducted in 2018—focusing on children’s practices, perceptions, and knowledge regarding passwords. This was the first large-scale research study with children ever done (and IRB-approved) at NIST.

We also wanted to understand parents’ own password practices and their involvement (or lack of) with their children’s password practices. This required us to conduct two survey studies—a youth survey and parent survey. From the youth survey, we collected more than 1500 responses from children ranging from 3^rd to 12^th grade. From the parent survey, 266 parents completed the survey.      

The quantitative survey studies have provided insight to what children know and think about passwords and their reported practices. The survey results don’t give us the “why?” It is important to investigate why they do what they do, in order to provide guidance on security and privacy to mitigate risky youth security and privacy behaviors. We are currently working on another research study in which we will conduct in-depth interviews with children and their parent as pairs.

How do children in different age groups differ in their security and privacy practices?

Across all age groups it was reported that parents and school play the most important role in providing guidance on ‘good’ password practices. For the most part, younger children rely more on their family in creating and remembering passwords. Almost six times as many elementary schoolers (ES) reported having parental help in creating their passwords. While only about 15% of the high schoolers (HS) reported having parental help.

Children reported some good password practices:

• memorizing passwords
• limiting writing passwords on paper
• keeping their passwords private
• signing out after computer use.

However, as students grow older, they were increasingly more likely to share their password(s) with friends.Risky behaviors like password-sharing by early adolescents can be explained from developmental perspective. Friendships with peers become gradually more prevalent and intense during early adolescence. Friendship formation process in which self-disclosure and the sharing of secrets is a key component of intimate relationship formation. Adolescents regard the ability to share secrets and to talk intimately as the two primary characteristics of a “best friend” – forming trust.

We asked kids to create a password for a hypothetical new game. Not surprisingly, children did not tend to make strong passwords, especially for younger children  In contrast, older kids created passwords using a single dictionary word plus numbers and special characters preceding or following the word more than the younger kids. Looking at the words used, many resembled names (presumably) containing personal information, which is a less secure behavior that is also reflected in other studies of children’s password behavior. 

We asked kids to write down their answers to an open-ended question “Why do you think people should use passwords?” Qualitative responses were coded using inductive thematic two-cycle coding process into four main thematic codes: access, protection, privacy, and safety.

Participants frequently mentioned securing their personal phones and computers, and they were particularly concerned about access. However, as children get older, privacy becomes more prevalent in their responses. In terms of social development, as children–particularly preteens and teenagers like the majority of this study’s participants–begin to explore and exercise autonomy, their privacy becomes an increasing concern. Older kids frequently emphasized the importance of passwords for personal information privacy. Additionally, younger children’s privacy concerns were more general, whereas their MS and HS counterparts were increasingly more specific to things like gaming, social media, and cell phones. This makes sense, as younger students less frequently have unsupervised access to these applications and therefore do not associate them with expectations of privacy.

Although the idea of safety was a popular response, the mentions of safety were vague. This raises questions about how much students really know about online/cybersecurity safety and privacy, and how much they have been raised in a digital age that teaches them that passwords and other security measures are important for safety, without ever explaining what that safety means.

Students frequently discuss the significance of passwords very generally and vaguely. This raises questions about whether or not they actually understand why certain password practices exist or they just know about the practices. Many students, especially older ones, exhibit password behaviors that do not align with their stated understanding of passwords, such as sharing passwords with friends, reusing passwords and using personal information when creating passwords. This gap between students’ stated password knowledge and their password behavior is an important next step for research surrounding children’s password use and education.

How might parents help their children with online security and privacy? 

Currently, we are still analyzing the data from the parent password survey, and planning for an in-depth interview study. So, I may not have concrete guidance for parents yet.

Though, here are some preliminary results found from the parent survey:

• Parents’ own password practices:
  • When creating passwords, the main considerations tend to be “easy to remember” (about 80%), followed by “Strong (hard to guess/crack)” (about 75%).
  • Parents are generally passive about password maintenance, such as only change passwords when it is necessary. Parents who proactively adopt new technologies are more likely to change their passwords regularly.
  • Parents assume a more active approach towards tracking their personal passwords – more than three-quarters (77.36%) of parents reported memorizing their passwords.
  • When asked where they went to for information or guidance on passwords, most common responses that parents reported were family members, such as their spouse and relatives (41.67%); internet searches, such as Google, Yahoo, or Bing (29.92%); and the websites where parents created their accounts and passwords (23.86%).
• Parents’ involvement in their children’s password practices:
  • Most parents are involved in helping their children create passwords (about 71%) and in helping their children track passwords (about 77%).
  • Parents with younger children prioritize creating passwords that are easy for young children to both enter and remember.
  • Parents with older children (in middle or high school) reported that it was more important to help their children create strong passwords that are hard to guess or crack.

We observed and heard (anecdotally) from parents that parenting in a tech world is challenging and can be scary at times, especially for those parents who are digital immigrants – meaning they were born before the widespread use of digital technology.  Often, digital immigrant parents think that their digital native children are far more proficient in the knowledge and use of technology. Most parents feel in control and have good strategies on how to teach and protect their children to be secure and safe in the physical world. However, many parents feel at lost, anxious, and helpless on how to teach and protect their children to be secure and safe in the digital world.

Based on your research findings, what suggestions do you have for parents to keep kids safe online?

• Stay current, informed, educated and be aware of online risks and dangers.
  • Instead of relying on internet search when unpleasant incidents happen, keep a readily available collection of reputable resources of online security and privacy for the entire family – parents and children.
• Make sure that parents have a good understanding and behaviors of online security and privacy themselves.
  • Literature has shown that parents’ own oversharing actions on social media sites like Facebook could be a potential threat to children’s privacy and security. Based on social learning theory in that most human behavior is learned observationally through modeling and from one’s surroundings; people learn from seeing or being taught something, trying it on their own, and then evaluating the results. It is probably more important to establish a model of your own good online behaviors for your children to learn from than talking to them or setting up parental control rules.
• As with establishing strategies early on to keep your children secure and safe in the physical world, start early by establishing strategies for online experiences for your children to follow and practice – make good online behaviors as a second nature to them.
  • Younger children tend to experience more supervision than their teenage counterparts. However, this supervision often involves parental control and technology to create parental device control (like restricting access, setting privacy settings, and restricting access as punishment) instead of information and education initiatives to help kids learn about cybersecurity and privacy.
  • Be proactive and open-minded – discuss with your children the good (educational, entertainment, relationships, etc.) and the bad (such as online threats, risks) about digital world.
  • Teach children (and yourself as a parent) to become critical and discriminating users of materials they find online and of information provided through direct contact services, such as email, chat and social networking sites.

How Good Are Kids at Making Passwords?

For more information, see NIST Study on Kids’ Passwords Shows Gap Between Knowledge of Password Best Practices and Behavior.