Serge Egelman - Résumé

Education

PhD in Computation, Organizations, and Society, May 2009
School of Computer Science, Carnegie Mellon University
BS in Computer Engineering, May 2004
School of Engineering and Applied Science, University of Virginia

Refereed Journal Publications

The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. To appear in Information Systems Research (with J. Tsai, L. Cranor, and A. Acquisti).
P3P Deployment on Websites. Electronic Commerce Research and Applications (ECRA), Autumn 2008 (with L. Cranor, S. Sheng, A. McDonald, and A. Chowdhury).
The Real ID Act: Fixing Identity Documents with Duct Tape. I/S: A Journal of Law and Policy for the Information Society, 2(1), Winter 2006, pp. 149-183 (with L. Cranor).

Conference and Workshop Papers

Please Continue to Hold: An empirical study on user tolerance of security delays. Under review. 2010 (with D. Molnar, N. Christin, A. Acquisti, C. Herley, and S. Krishnamurthi).
Tell Me Lies: A Methodology for Scientifically Rigorous Security User Studies. Workshop on Studying Online Behaviour at CHI'10. April 2010 (with J. Tsai and L. F. Cranor).
Crying Wolf: An Empirical Study of SSL Warning Effectiveness. The 18th USENIX Security Symposium. 2009 (with J. Sunshine, H. Almuhimedi, N. Atri, and L. Cranor).
It's No Secret: Measuring the reliability of authentication via 'secret' questions. The 2009 IEEE Symposium on Security and Privacy (with S. Schechter and A.J. Brush).
It's Not What You Know, But Who You Know: A social approach to last-resort authentication. CHI '09: Proceedings of the SIGCHI conference on Human Factors in Computing Systems. 2009 (with S. Schechter and R. Reeder).
Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI '09: Proceedings of the SIGCHI conference on Human Factors in Computing Systems. 2009 (with J. Tsai, L. Cranor, and A. Acquisti).
Family Accounts: A new paradigm for user accounts within the home environment. CSCW '08: Proceedings of the 2008 conference on Computer Supported Cooperative Work. 2008 (with A.J. Brush and K. Inkpen).
You've Been Warned: An Empirical Study on the Effectiveness of Web Browser Phishing Warnings. CHI '08: Proceedings of the SIGCHI conference on Human Factors in Computing Systems (Best Paper Nominee). 2008 (with L. Cranor and J. Hong).
The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Workshop on the Economics of Information Security (WEIS). June 2007 (with J. Tsai, L. Cranor, and A. Acquisti).
Security User Studies: Methodologies and Best Practices. CHI '07 Extended Abstracts on Human Factors in Computing Systems. April 2007 (with J. King, R. Miller, N. Ragouzis, and E. Shehan).
Phinding Phish: An Evaluation of Anti-Phishing Toolbars. NDSS: Proceedings of the ISOC Symposium on Network and Distributed System Security. February 2007 (with Y. Zhang, L. Cranor, and J. Hong).
An Analysis of P3P-Enabled Web Sites among Top-20 Search Results. Proceedings of the Eighth International Conference on Electronic Commerce. August 2006 (with L. Cranor and A. Chowdhury).
Power Strips, Prophylactics, and Privacy, Oh My!. Proceedings of the 2006 Symposium On Usable Privacy and Security (SOUPS). July 2006 (with J. Gideon, L. Cranor, and A. Acquisti).
Studying The Impact of Privacy Information on Online Purchase Decisions. Workshop on Privacy and HCI: Methodologies for Studying Privacy Issues at CHI'06. April 2006 (with J. Tsai, L. Cranor, and A. Acquisti).

Book Chapters and Magazine Articles

Privacy Protection Mechanisms. Information Privacy and Technology: Official Reference for the Certified Information Technology and Privacy Professional (“CIPP/IT”). International Association of Privacy Professionals (IAPP). Forthcoming.
Conference Report: SOUPS 2006. IEEE Security & Privacy. November/December 2006 (with J. Tsai).
Conference Report: 14th USENIX Security Symposium. ;login:. December 2005 (with K. Butler, M. Chow, J. Duerig, B. Hicks, F. Hsu, S. Kelm, and M. Rajagopalan).
Conference Report: 13th USENIX Security Symposium. ;login:. December 2004 (with A. AuYoung, E. Cronin, M. Dougherty, R. Greenstadt, S. Kelm, Z. Liang, C. Mano, N. Smith, A. Raniwala, T. Whalen, and W. Xu).
Suing Spammers for Fun and Profit. ;login:. April 2004.
Installation. Peter Norton's Complete Guide to Linux. Macmillan Computer Publishing. 1999.
User Administration. Peter Norton's Complete Guide to Linux. Macmillan Computer Publishing. 1999.

Research Experience

Postdoctoral Research Associate
Brown University
August 2009-Present

I am working with Shriram Krishnamurthi on creating better interfaces for policy authors to specify access control policies. We are conducting ethnographic studies to determine the most common policy errors, the most frequent causes of those errors, and the types of interfaces that policy authors currently use. We are also developing a new policy authoring interface that allows users to interactively specify policies in order to more easily detect and clarify ambiguities. We expect to perform user studies on this interface in the contexts of privacy settings on social networking websites and file permissions on shared network drives.

Research Assistant
Carnegie Mellon University
June 2004-May 2009

While pursuing a PhD under the direction of Dr. Lorrie Cranor in the Computation, Organizations, and Society program at CMU, I focused primarily on the usability of privacy and security systems. Areas that I worked in included creating more effective web browser trust indicators, creating usable privacy tools, Internet anonymity, and detection and prevention of phishing attacks. My dissertation is entitled "Trust Me: Designing Trustworthy Trust Indicators." My committee consisted of Lorrie Cranor (chair), Jim Herbsleb, Jason Hong, and Steve Bellovin (Columbia University).

Research Intern
Microsoft Research
July 2008-October 2008

During my second internship at MSR, I conducted two user studies with Stuart Schechter. We first looked at using social networks as a means for authenticating webmail users who had forgotten their passwords. We tested the usability of our system as well as how susceptible it would be to various attacks. Additionally, I assisted the Internet Explorer team with new designs for their security warnings based on my research. We tested the new warnings in the laboratory using an eye tracker.

Research Intern
Microsoft Research
January 2008-April 2008

I was an intern at MSR working with A.J. Brush and Kori Inkpen on user account models for shared family computers. We examined why the current user account model does not work on computers shared by trusted individuals (i.e. communal home computers) and developed a more appropriate model. I implemented our prototype in C# and ran a usability study. This work was published at the 2008 Computer Supported Cooperative Work (CSCW) conference.

Research Intern
Xerox PARC
June 2006-September 2006

During the summer of 2006, I worked with Jim Thornton in the Computer Science Lab (CSL) at PARC. My main focus was on malware detection using virtualization. The project involved creating a Windows kernel driver that would intercept system calls (like a rootkit) on the guest operating system, and then reporting back the state of the guest to the host. Additional work focused on writing security mechanisms to protect code running under a virtual machine.

Researcher
University of Virginia
May 2003-December 2003

I worked as a researcher in Professor Jorg Liebeherr's Multimedia Networks Group, in the Department of Computer Science. Specifically I was working on Hypercast, which is an application-layer multicast overlay network. I was involved in designing and implementing an encryption and authentication mechanism, content delivery optimizations, as well as an XML-based configuration utility. All of this work was done in Java under both Linux and Windows.

Researcher
University of Virginia
2002

I worked as a researcher in Professor John Knight's Network Survivability Research Group, in the Department of Computer Science. This group mainly worked on creating fault resistant networks that could detect and recover from attacks. My main role was developing a network visualizer that took inputs from a variety of sensors (mainly intrusion detection systems and packet loggers), and made it easy for a network administrator to literally see all the data and thus be warned about irregularities. Most of the work was done in Java using VTK to program the OpenGL front-end.

Professional Experience

Developer
Tovaris: The Digital Identity Company
2000-2001

I worked part time doing development in C++ for the Mithril Secure Server (an encrypted email solution). I mostly wrote CGI code for administering the servers from a front-end, although I did do some work on the back-end. This involved getting very familiar with the OpenSSL libraries. Most of the development was done under OpenBSD, using C++, though I also did some work in Perl.

Technical Support / Developer / System Administrator
Broadband Network Services, Inc.
1999-2000

I handled all of the technical support questions via telephone and e-mail. I maintained and administrated all of our databases using MySQL. This included setting up new database customers, adding and removing databases, and maintaining MySQL. I used PHP, Perl, and bash to write scripts to aid in system administration and to automate other common tasks. I handled most of the website development that we were hired to do; this included writing scripts, HTML, and database management. My administrative responsibilities included maintaining our primary and secondary DNS, Sendmail, Apache, and PHP. I also aided in creating and removing accounts, setting up new virtual hosts, setting up and maintaining network monitoring, and maintaining hardware; this included building and configuring computers.

Teaching Experience

Information Security & Privacy (46-861)
Carnegie Mellon University
Fall 2007

Teaching assistant duties included developing course materials (topics for lectures, assignments, and exams), grading assignments and exams, holding office hours, and mentoring students about semester-long projects.

Computers and Society (15-290)
Carnegie Mellon University
Spring 2006

Teaching assistant duties included giving guest lectures, creating assignments and exams, grading assignments and exams, holding office hours, and mentoring students about semester-long projects.

Information Security (CS 451)
University of Virginia
Fall 2004

Teaching assistant duties included giving guest lectures, creating assignments and exams, grading assignments and exams, and holding office hours.

Advanced Software Development Methods (CS 340)
University of Virginia
Spring 2003, Spring 2004

Teaching assistant duties included grading assignments and exams, and holding office hours.

Research Grants

Google Faculty Research Award, Designing Usable Certificate Dialogs in Chrome. Principal Investigator, 2010. Budget: $60,000.

Professional Activities

Program Committees
2010: Symposium On Usable Privacy and Security (SOUPS)
2008: Conference on Information and Knowledge Management (CIKM)
2007: CHI 2007 Workshop - Security User Studies: Methodologies and Best Practices; Anti-Phishing Working Group eCrime Researchers Summit (poster session co-chair)
2006: Computers, Freedom, and Privacy (CFP) Conference
Standards Committees
2007-2008: W3C Web Security Context (WSC) Working Group
2004-2006: W3C Platform for Privacy Preferences (P3P) 1.1 Working Group
Leadership Roles
Legislative Concerns Chair, Board of Directors
National Association of Graduate and Professional Students (NAGPS), 2006-2008
Vice President for External Affairs
Carnegie Mellon Graduate Student Assembly, 2006-2008

Awards and Nominations

CHI Best Paper Nominee, 2008
You've Been Warned: An Empirical Study on the Effectiveness of Web Browser Phishing Warnings, received an honorable mention at CHI 2008 (with L. Cranor and J. Hong).
Tor Graphical User Interface Design Competition, 2006
Phase 1 Overall Winner (with L. Cranor, J. Hong, P. Kumaraguru, C. Kuo, S. Romanosky, J. Tsai, and K. Vaniea).
University of Virginia Dean's List of Scholars
I was included on the Spring 2003 and 2004 Dean's List of Scholars.
Publisher's Clearing House Finalist
I may already be a winner.

Last modified March 2010.