ET Feb 5, 2025
Implementing Large Quantum Boltzmann Machines as Generative AI Models for Dataset Balancing
Salvatore Sinno, Markus Bertl, Arati Sahoo et al.
This study explores the implementation of large Quantum Restricted Boltzmann Machines (QRBMs), a key advancement in Quantum Machine Learning (QML), as generative models on D-Wave's Pegasus quantum hardware to address dataset imbalance in Intrusion Detection Systems (IDS). By leveraging Pegasus's enhanced connectivity and computational capabilities, a QRBM with 120 visible and 120 hidden units was successfully embedded, surpassing the limitations of default embedding tools. The QRBM synthesized over 1.6 million attack samples, achieving a balanced dataset of over 4.2 million records. Comparative evaluations with traditional balancing methods, such as SMOTE and RandomOversampler, revealed that QRBMs produced higher-quality synthetic samples, significantly improving detection rates, precision, recall, and F1 score across diverse classifiers. The study underscores the scalability and efficiency of QRBMs, completing balancing tasks in milliseconds. These findings highlight the transformative potential of QML and QRBMs as next-generation tools in data preprocessing, offering robust solutions for complex computational challenges in modern information systems.
HC Nov 23, 2020
Validity and Reliability of the Scale Internet Users' Information Privacy Concern (IUIPC) [Extended Version]
Thomas Groß
Internet Users' Information Privacy Concerns (IUIPC-10) is one of the most endorsed privacy concern scales. It is widely used in the evaluation of human factors of PETs and the investigation of the privacy paradox. Even though its predecessor Concern For Information Privacy (CFIP) has been evaluated independently and the instrument itself has seen some scrutiny, we are still missing a dedicated confirmation of IUIPC-10, itself. We aim at closing this gap by systematically analyzing IUIPC's construct validity and reliability. We obtained three mutually independent samples with a total of $N = 1031$ participants. We conducted a confirmatory factor analysis (CFA) on our main sample. Having found weaknesses, we established further factor analyses to assert the dimensionality of IUIPC-10. We proposed a respecified instrument IUIPC-8 with improved psychometric properties. Finally, we validated our findings on a validation sample. While we could confirm the overall three-dimensionality of IUIPC-10, we found that IUIPC-10 consistently failed construct validity and reliability evaluations, calling into question the unidimensionality of its sub-scales Awareness and Control. Our respecified scale IUIPC-8 offers a statistically significantly better model and outperforms IUIPC-10's construct validity and reliability. The disconfirming evidence on the construct validity raises doubts about how well IUIPC-10 measures the latent variable information privacy concern. The sub-par reliability could yield spurious and erratic results as well as attenuate relations with other latent variables, such as behavior. Thereby, the instrument could confound studies of human factors of PETs or the privacy paradox, in general.
HC Oct 5, 2020
Statistical Reliability of 10 Years of Cyber Security User Studies (Extended Version)
Thomas Groß
Background. In recent years, cyber security user studies have been appraised in meta-research, mostly focusing on the completeness of their statistical inferences and the fidelity of their statistical reporting. However, estimates of the field's distribution of statistical power and its publication bias have not received much attention. Aim. In this study, we aim to estimate the effect sizes and their standard errors present as well as the implications on statistical power and publication bias. Method. We built upon a published systematic literature review of $146$ user studies in cyber security (2006--2016). We took into account $431$ statistical inferences including $t$-, $\chi^2$-, $r$-, one-way $F$-tests, and $Z$-tests. In addition, we coded the corresponding total sample sizes, group sizes and test families. Given these data, we established the observed effect sizes and evaluated the overall publication bias. We further computed the statistical power vis-à-vis parametrized population thresholds to gain unbiased estimates of the power distribution. Results. We obtained a distribution of effect sizes and their conversion into comparable log odds ratios together with their standard errors. We, further, gained funnel-plot estimates of the publication bias present in the sample as well as insights into the power distribution and its consequences. Conclusions. Through the lenses of power and publication bias, we shed light on the statistical reliability of the studies in the field. The upshot of this introspection is practical recommendations on conducting and evaluating studies to advance the field.
CR Sep 25, 2020
Investigation of 3-D Secure's Model for Fraud Detection
Mohammed Aamir Ali, Thomas Groß, Aad van Moorsel
Background. 3-D Secure 2.0 (3DS 2.0) is an identity federation protocol authenticating the payment initiator for credit card transactions on the Web. Aim. We aim to quantify the impact of factors used by 3DS 2.0 in its fraud-detection decision making process. Method. We ran credit card transactions with two Web sites systematically manipulating the nominal IVs \textsf{machine\_data}, \textsf{value}, \textsf{region}, and \textsf{website}. We measured whether the user was \textsf{challenged} with an authentication, whether the transaction was \textsf{declined}, and whether the card was \textsf{blocked} as nominal DVs. Results. While \textsf{website} and \textsf{card} largely did not show a significant impact on any outcome, \textsf{machine\_data}, \textsf{value} and \textsf{region} did. A change in \textsf{machine\_data}, \textsf{region} or \textsf{value} made it 5-7 times as likely to be challenged with password authentication. However, even in a foreign region with another factor being changed, the overall likelihood of being challenged only reached $60\%$. When in the card's home region, a transaction will be rarely declined ($< 5\%$ in control, $40\%$ with one factor changed). However, in a region foreign to the card the system will more likely decline transactions anyway (about $60\%$) and any change in \textsf{machine\_data} or \textsf{value} will lead to a near-certain declined transaction. The \textsf{region} was the only significant predictor for a card being blocked ($\mathsf{OR}=3$). Conclusions. We found that the decisions to challenge the user with a password authentication, to decline a transaction and to block a card are governed by different weightings. 3DS 2.0 is most likely to decline transactions, especially in a foreign region. It is less likely to challenge users with password authentication, even if \textsf{machine\_data} or \textsf{value} are changed.
HC Sep 25, 2020
Investigation of the Effect of Fear and Stress on Password Choice (Extended Version)
Tom Fordyce, Sam Green, Thomas Groß
Background. The current cognitive state, such as cognitive effort and depletion, incidental affect or stress may impact the strength of a chosen password unconsciously. Aim. We investigate the effect of incidental fear and stress on the measured strength of a chosen password. Method. We conducted two experiments with within-subject designs measuring the Zxcvbn \textsf{log10} number of guesses as strength of chosen passwords as dependent variable. In both experiments, participants were signed up to a site holding their personal data and, for the second run a day later, asked under a security incident pretext to change their password. (a) Fear. $N_\mathsf{F} = 34$ participants were exposed to standardized fear and happiness stimulus videos in random order. (b) Stress. $N_\mathsf{S} = 50$ participants were either exposed to a battery of standard stress tasks or left in a control condition in random order. The Zxcvbn password strength was compared across conditions. Results. We did not observe a statistically significant difference in mean Zxcvbn password strengths on fear (Hedges' $g_{\mathsf{av}} = -0.11$, 95% CI $[-0.45, 0.23]$) or stress (and control group, Hedges' $g_{\mathsf{av}} = 0.01$, 95% CI $[-0.31, 0.33]$). However, we found a statistically significant cross-over interaction of stress and TLX mental demand. Conclusions. While having observed negligible main effect size estimates for incidental fear and stress, we offer evidence towards the interaction between stress and cognitive effort that vouches for further investigation.
HC Jul 16, 2020
Investigation of the Effect of Incidental Fear Privacy Behavioral Intention (Technical Report)
Uchechi Phyllis Nwadike, Thomas Groß
Background. Incidental emotions users feel during their online activities may alter their privacy behavioral intentions. Aim. We investigate the effect of incidental affect (fear and happiness) on privacy behavioral intention. Method. We recruited $330$ participants for a within-subjects experiment in three random-controlled user studies. The participants were exposed to three conditions \textsf{neutral}, \textsf{fear}, \textsf{happiness} with standardised stimuli videos for incidental affect induction. Fear and happiness were assigned in random order. The participants' privacy behavioural intentions (PBI) were measured followed by a Positive and Negative Affect Schedule (PANAS-X) manipulation check on self-reported affect. The PBI and PANAS-X were compared across treatment conditions. Results. We observed a statistically significant difference in PBI and Protection Intention in neutral-fear and neutral-happy comparisons. However, across fear and happy conditions, we did not observe any statistically significant change in PBI scores. Conclusions. We offer the first systematic analysis of the impact of incidental affects on Privacy Behavioral Intention (PBI) and its sub-constructs. We are the first to offer a fine-grained analysis of neutral-affect comparisons and interactions offering insights in hitherto unexplained phenomena reported in the field.
CR Apr 14, 2020
Fidelity of Statistical Reporting in 10 Years of Cyber Security User Studies
Thomas Groß
Studies in socio-technical aspects of security often rely on user studies and statistical inferences on investigated relations to make their case. They, thereby, enable practitioners and scientists alike to judge on the validity and reliability of the research undertaken. To ascertain this capacity, we investigated the reporting fidelity of security user studies. Based on a systematic literature review of $114$ user studies in cyber security from selected venues in the 10 years 2006--2016, we evaluated fidelity of the reporting of $1775$ statistical inferences using the \textsf{R} package \textsf{statcheck}. We conducted a systematic classification of incomplete reporting, reporting inconsistencies and decision errors, leading to multinomial logistic regression (MLR) on the impact of publication venue/year as well as a comparison to a compatible field of psychology. We found that half the cyber security user studies considered reported incomplete results, in stark difference to comparable results in a field of psychology. Our MLR on analysis outcomes yielded a slight increase of likelihood of incomplete tests over time, while SOUPS yielded a few percent greater likelihood to report statistics correctly than other venues. In this study, we offer the first fully quantitative analysis of the state-of-play of socio-technical studies in security. While we highlight the impact and prevalence of incomplete reporting, we also offer fine-grained diagnostics and recommendations on how to respond to the situation.