Academia Archives - Page 2 of 11 - Cori Faklaris' blog

Policy on Use of AI Tools for my course syllabus, version 1.0

Ever since ChatGPT arrived, I have been talking with my students and colleagues about how best we can use it and other AI-powered creative tools such as DALL-E and Stable Diffusion in our work. I also have discussed with students, in particular, how these AI tools also could mislead them (such as by “hallucinating” output that looks and feels like a real-world search result or blog post, but composed of made-up information). This is partly because I feel strongly that students should be prepared for the working world where these tools are rapidly becoming commonplace, and partly because talking about it helps me work out my own thinking about their rightful place in the workflows.

Today seemed like a good day to formalize my thoughts into a written policy for my courses. I credit the blog post linked below with inspiring my wording. But the impetus is the sheer number of conversations I’m having with instructors who suspect AI tool use in coursework this month.

Here is what I have come up with:

“In this course, students are allowed to use tools such as Stable Diffusion, ChatGPT, and BingChat in a similar manner to use of non-AI references, templates, images, or body text, such as those in assigned research papers or obtained via internet search. This means that (1) no student may submit an assignment or work on an exam as their own that is entirely generated by means of an AI tool. And, (2) if students use an AI tool to generate, draft, create, or compose any portion of any assignment, they must (a) credit the tool, (b) identify what part of the work is from the AI tool and what is from themselves, and (c) summarize why they decided to include the AI tool’s output.”

Thanks to a timely comment from Jeff Bigham on Mastodon, I am contemplating adding the following sentence to the above, and retitling the section “Policy on use of AI and Other Creative Tools”:

“The same requirement to credit the use of tools for generating, drafting, creating, or composing work toward deliverables also applies to use of creative tools such as Grammarly and Canva.”

Reference consulted for the above: Kristopher Purzycki. 2023. Syllabus Policy for Using AI Tools in the Writing Classroom. Medium. Retrieved March 17, 2023 from https://medium.com/@kristopherpurzycki/syllabus-policy-for-using-ai-tools-in-the-writing-classroom-8accab29e8c7

Idea # 1 for future work: Investigating the role of resistance in cybersecurity adoption

I’ve noticed a peculiar pattern – or more accurately, non-pattern – in all my studies of usable security. At every step of adoption, people exhibit resistance to adopting cybersecurity measures (such as installing password managers or creating unique passwords for each online account). I expected to see a lot of resistant attitudes in people who do not adopt security practices, or those who only adopt security practices if mandated to do so. But resistance is also high among research participants who have voluntarily adopted security practices and who seem very engaged with cybersecurity overall.

As it happens, I have already developed a measure of security resistance that can help in these studies. Take the average of participants’ Likert-type survey ratings on these four items (1=Strongly Disagree to 5=Strongly Agree) [handout]:

I am too busy to put in the effort needed to change my security behaviors.
I have much bigger problems than my risk of a security breach.
There are good reasons why I do not take the necessary steps to keep my online data and accounts safe.
I usually will not use security measures if they are inconvenient.

So far, I have found that resistance alone is not a reliable differentiator of someone’s level of cybersecurity adoption. For example, in my working paper describing the development and validation of the SA-13 security attitude inventory, I find that my SA-Resistance scale (the one described above) is significantly negatively associated with self-reported Recalled Security Actions (RSec), but also significantly positively associated with Security Behavior Intentions (SeBIS). By contrast, in a more recent survey (forthcoming), I found that a measure similar to SA-Resistance was significantly positively associated with a self-report measure of password manager adoption, but significantly negatively associated with a measure of being in a pre-adoption stage similar to intention. A research assistant during the 2021 REU program, Faye Kollig, also found no significant variances in resistance among participants in our interview study to identify commonalities in security adoption narratives.

At the same time, adding these resistance items to those measuring concernedness, attentiveness, and engagement (the SA-13 inventory) appears to create a reliable predictor of security behavior. In a study at Fujitsu Ltd., Terada et al. found a correlation between SA-13 and actual security behavior for both Japanese and American participants (p<.001) that was stronger than that for SA-6. The authors speculate that this is because of the inclusion of the resistance items.

Is it consistently the case that resistance only helps to differentiate your level of adoption if it is balanced with other attitudes? Is some other mechanism responsible? I hope to follow up on these results with a student assistant when I join UNC Charlotte’s Department of Software and Information Systems this fall as an assistant professor.

Coincidentally, the New Security Paradigms Workshop has a theme this year of “Resilience and Resistance.” I may submit to the workshop myself, but I also hope that other prospective attendees will find my resistance scale of use in their work.

‘It’s Problematic but I’m not Concerned’: University Perspectives on Account Sharing – new for CSCW 2022

Our research into this practice sheds light on social cybersecurity.

Walk through a typical research lab – or home kitchen, or business office, or media room, or retail counter. You’re likely to see a piece of paper taped somewhere visible to others, written with a username and password for a WiFi network, an email inbox, or a cloud server account. This is evidence of account sharing, where more than one person uses the same authentication credentials (often, against the stated security policies) to share access to a needed work resource. My latest study of this social practice appears in Proceedings of the ACM: Human Computer Interaction, Vol. 6, CSCW1 (April 2022), and will be presented at CSCW 2022.

Why does account sharing take place?

My group at Carnegie Mellon University, Social Cybersecurity, has found such account sharing to be a “normal and easy” practice in many workplaces and in romantic relationships. Account sharing helps people to get work done and to strengthen their social bonds. But, it also poses many challenges for account security and for the legitimate system users. We found, for instance, that romantic couples don’t use two-factor authentication despite this being a best practice, mostly because it causes issues when one person tries to log in and the other person can’t answer their smartphone notification. We also found that workers reported problems with colleagues who were fired or quit, then changed a shared account password to something unknown, locking them out.

How do people typically share accounts?

In this latest research, an interview study at a U.S. research university (N=23), we found that 17 participants (74%) reported sharing accounts in three ways. First, they shared them via the unofficial but secure method of an individual password manager (a type of software program that remembers your passwords for you via a secured vault). Second, they shared passwords officially via an Enterprise Random Password Manager (ERPM), a supercharged password manager for IT departments that manage many devices and control remote access. Third, they shared passwords unofficially via ad-hoc methods such as plaintext messages stored in a group chat. As in prior work, many shared accounts were for cloud services (frequently, Amazon or Google) or social media (Instagram and Twitter). Crucially, however, no one in our study reported sharing university email linked to their personal identity. This may speak to the success of this university in educating users about the need to keep this credential confidential.

My co-author, Serena Wang, and I found that non-IT workers and/or staff practices around account sharing were less organized, compared with the practices of IT workers and/or students. We also note the influence of two context-specific norms: educational paternalism, as shown by their stated trust in the campus authorities to keep their data and accounts safe; and academic freedom, which implies no limits on tech use and a corresponding lack of top-down security mandates. We think this makes universities different from other workplaces and shows how social norms are likely to influence people’s behaviors around cybersecurity. For example: a negative influence would be a lessened oversight of anyone doing “enabling” work for researchers such as processing credit-card payments. A positive influence would be the likelihood that system users will comply with requests from the university to use a provided password management system for secure account sharing.

What can be done to change account sharing practices?

My group’s overall recommendation from this and other studies has been for system architects to change the “1-user-1-account” design of authentication systems to allow accounts to be securely shared with multiple people. These changes have been implemented in several systems, such as Microsoft’s Azure Active Directory. We also worked with two undergraduates in the School of Computer Science to design and build out a simple social authentication tool. This tool would let a user log into a research lab account by verifying their answers to questions about what occurred during the last group meeting.

Our next step is to discuss the feasibility of our recommendations for research universities with their real-life information security teams. The need for more attention to cybersecurity in educational institutions, particularly higher education, is urgent. One U.S. university official estimated that their institution received an average of 20 million attacks a day, describing this as “typical for a research university”. Threats facing the education sector include ransomware and stolen credentials attacks with unique characteristics. Verizon reports education now is “the only industry where malware distribution to victims was more common via websites than email,” chalking this up to the many “students on bring-your-own devices connected to shared networks”. Please contact me if you would like to consult with us, or read our paper for details specific to end-user cybersecurity in educational and/or research contexts.

Serena Wang, Cori Faklaris, Junchao Lin, Laura Dabbish, and Jason I. Hong. 2022. “It’s Problematic but I’m not Concerned”: University Perspectives on Account Sharing. In Proceedings of the ACM on Human-Computer Interaction, Vol. 6, CSCW1, Article 68 (April 2022), 27 pages. https://doi.org/10.1145/3512915