Dan Q

Day: 9 February 2020

Dissertation Hand-In Déjà Vu

I last handed in a dissertation almost 16 years ago; that one marked the cumulation of my academic work at Aberystwyth University, then the “University of Wales, Aberystwyth”. Since then I’ve studied programming, pentesting and psychology (the P-subject Triathalon?)… before returning to university to undertake a masters degree in information security and forensics.

Today, I handed in that dissertation. Thanks to digital hand-ins, I’m able to “hand it in” and then change my mind, make changes, and hand-in a replacement version right up until the deadline on Wednesday (I’m already on my second version!), so I’ve still got a few evenings left for last-minute proofreads and tweaks. That said, I’m mostly happy with where it is right now.

Project management graph for my dissertation
I found it motivating to maintain a graph of my dissertation’s “outstanding tasks” where I would see it every day. Also, as it started to get hairy, my word limit.

Writing a dissertation was harder this time around. Things that made it harder included:

  • Writing a masters-level dissertation rather than a bachelors-level one, naturally.
  • Opting for a research dissertation rather than an engineering one: I had the choice, and I knew that I’d do better in engineering, but I did research anyway because I thought that the challenge would be good for me.
  • Being older! It’s harder to cram information into a late-thirty-something brain than into a young-twenty-something one.
  • Work: going through the recruitment process for and starting at Automattic ate a lot of my time, especially as I was used to working part-time at the Bodleian and I’d been turning a little of what would otherwise have been my “freelance work time” into “study time” (last time around I was working part-time for SmartData, of course).
  • Life: the kids, our (hopefully) upcoming house move and other commitments are pretty good at getting in the way. Ruth and JTA have been amazing at carving out blocks of time for me to study, especially these last few weekends, which may have made all the difference.
Dan's masters dissertation: "Impact of the use of Language on Adoption of Optional Multifactor Authentication"
Despite this thing being big and heavy and dense, it somehow doesn’t seem to fully represent the weight of blood, sweat and tears that went into it.

It feels like less of a bang than last time around, but still sufficient that I’ll breathe a big sigh of relief. I’ve a huge backlog of things to get on with that I’ve been putting-off until this monster gets finished, but I’m not thinking about them quite yet.

I need a moment to get my bearings again and get used to the fact that once again – and for the first time in several years – I’ll soon be not-a-student. Fun fact, I’ve spent very-slightly-more than half of my adult life as a registered student: apparently I’m a sucker it, for all that I complain… in fact, I’m already wondering what I can study next (suggestions welcome!), although I’ve promised myself that I’ll take a couple of years off before I get into anything serious.

(This is, of course, assuming I pass my masters degree, otherwise I might still be a student for a little longer while I “fix” my dissertation!)

Sankey chart showing participants divided into groups and exposed to different experiments, and the results of those experiments.
A personal highlight was that I got to find a genuine use for Sankey charts and treemaps in my work for perhaps the first time.

If anybody’s curious (and I shan’t blame you if you’re not), here’s my abstract… assuming I don’t go back and change it yet again in the next couple of days (it’s still a little clunky especially in the final sentence):

Multifactor authentication (MFA), such as the use of a mobile phone in addition to a username and password when logging in to a website, is one of the strongest security enhancements an individual can add to their online accounts. Compared to alternative enhancements like refraining from the reuse of passwords it’s been shown to be easy and effective. However: MFA is optional for most consumer-facing Web services supporting MFA, and elective user adoption is well under 10%.

How can user adoption be increased? Delivering security awareness training to users has been shown to help, but the gold standard would be a mechanism to encourage uptake that can be delivered at the point at which the user first creates an account on a system. This would provide strong protection to an account for its entire life.

Using realistic account signup scenarios delivered to participants’ own computers, an experiment was performed into the use of language surrounding the invitation to adopt MFA. During the scenarios, participants were exposed to statements designed to either instil fear of hackers or to praise them for setting up an account and considering MFA. The effect on uptake rates is compared. A follow-up questionnaire asks questions to understand user security behaviours including password and MFA choices and explain their thought processes when considering each.

No significant difference is found between the use of “fear” and “praise” statements. However, secondary information revealed during the experiment and survey provides recommendations for service providers to offer MFA after, rather than at, the point of account signup, and for security educators to focus their energies on dispelling user preconceptions about the convenience, privacy implications, and necessity of MFA.

Project management graph for my dissertation× Dan's masters dissertation: "Impact of the use of Language on Adoption of Optional Multifactor Authentication"× Sankey chart showing participants divided into groups and exposed to different experiments, and the results of those experiments.×

Article posted at UTC on .

No comments

Where’s My Elephant?

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

The “where’s my elephant?” theory takes it name, of course, from The Simpsons episode in which Bart gets an elephant (Season 5, episode 17, to be precise). For those of you who don’t know the episode: Bart wins a radio contest where you have to answer a phone call with the phrase, “KBBL is going to give me something stupid.” That “something stupid” turns out to be either $10,000, or “the gag prize”: a full-grown African elephant. Much to the presenters’ surprise, Bart chooses the elephant — which is a problem for the radio station, since they don’t actually have an elephant to give him. After some attempts at negotiation (the presenters offer Principal Skinner $10,000 to go about with his pants pulled down for the rest of the school year; the presenters offer to use the $10,000 to turn Skinner into “some sort of lobster-like creature”), Bart finds himself kicked out of the radio station, screaming “where’s my elephant?”

…the “where’s my elephant?” theory holds the following:

  1. If you give someone a joke option, they will take it.
  2. The joke option is a (usually) a joke option for a reason, and choosing it will cause everyone a lot of problems.
  3. In time, the joke will stop being funny, and people will just sort of lose interest in it.
  4. No one ever learns anything.

For those that were surprised when Trump was elected or Brexit passed a referendum, the “Where’s My Elephant?” theory of history may provide some solace. With reference to Boaty McBoatface and to the assassination of Qasem Soleimani, Tom Whyman pitches that “joke” options will be selected significantly more-often that you’d expect or that they should.

Our society is like Bart Simpson. But can we be a better Bart Simpson?

If that didn’t cheer you up: here’s another article, which more-seriously looks at the political long-game that Remainers in Britain might consider working towards.

Repost posted at UTC on .

No comments