Instead of only considering technology, computer security research now strives to also take into account the human factor by studying regular users and, to a lesser extent, experts such as operators and developers of systems. We focus our analysis on the research on the crucial population of experts, whose human errors can impact many systems at once, and compare it to research on regular users. To understand how far we have advanced in the area of human factors, how the field can further mature, and to provide a point of reference for researchers new to this field, we analyzed the past decade of human factors research in security and privacy, identifying 557 relevant publications. Of these, we found 48 publications focused on expert users and analyzed all of them in depth. For additional insights, we compare them to a stratified sample of 48 end-user studies. In this paper we investigate: (i) the perspective on human factors, and how we can learn from safety science; (ii) how and which participants are recruited, and how this, as we find, creates a western-centric perspective; (iii) research objectives, and how to align these with the chosen research methods; (iv) how theories can be used to increase rigor in the community's scientific work, including limitations to the use of Grounded Theory, which is often incompletely applied; and (v) how researchers handle ethical implications, and what we can do to account for them more consistently. Although our literature review has limitations, new insights were revealed and avenues for further research identified.