Publications

On the ecological validity of a password study
S. Fahl, M. Harbach, Y. Acar, M. Smith, in: Proceedings of the Ninth Symposium on Usable Privacy and Security, ACM, 2013.
Why Eve and Mallory (also) love webmasters
S. Fahl, Y. Acar, H. Perl, M. Smith, in: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, ACM, 2014.
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits
H. Perl, S. Dechand, M. Smith, D. Arp, F. Yamaguchi, K. Rieck, S. Fahl, Y. Acar, in: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, ACM, 2015.
To Pin or Not to Pin-Helping App Developers Bullet Proof Their TLS Connections
M. Oltrogge, Y. Acar, S. Dechand, M. Smith, S. Fahl, in: J. Jung, T. Holz (Eds.), 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., USA, August 12-14, 2015, USENIX Association, 2015, pp. 239–254.
SoK: Lessons Learned from Android Security Research for Appified Software Platforms
Y. Acar, M. Backes, S. Bugiel, S. Fahl, P. McDaniel, M. Smith, in: 2016 IEEE Symposium on Security and Privacy (SP), IEEE, 2016.
You Get Where You're Looking for: The Impact of Information Sources on Code Security
Y. Acar, M. Backes, S. Fahl, D. Kim, M.L. Mazurek, C. Stransky, in: 2016 IEEE Symposium on Security and Privacy (SP), IEEE, 2016.
An Empirical Study of Textual Key-Fingerprint Representations
S. Dechand, D. Schürmann, K. Busse, Y. Acar, S. Fahl, M. Smith, in: T. Holz, S. Savage (Eds.), 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016, USENIX Association, 2016, pp. 193–208.
Keep me Updated: An Empirical Study of Third-Party Library Updatability on Android
E. Derr, S. Bugiel, S. Fahl, Y. Acar, M. Backes, in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2017.
How Internet Resources Might Be Helping You Develop Faster but Less Securely
Y. Acar, M. Backes, S. Fahl, D. Kim, M.L. Mazurek, C. Stransky, IEEE Secur. Priv. 15 (2017) 50–60.
A Summary of Survey Methodology Best Practices for Security and Privacy Researchers
E.M. Redmiles, Y. Acar, S. Fahl, M.L. Mazurek, A Summary of Survey Methodology Best Practices for Security and Privacy Researchers, University of Maryland Computer Science Department, 2017.
Developers Need Support, Too: A Survey of Security Advice for Software Developers
Y. Acar, C. Stransky, D. Wermke, C. Weir, M.L. Mazurek, S. Fahl, in: 2017 IEEE Cybersecurity Development (SecDev), IEEE, 2017.
Lessons Learned from Using an Online Platform to Conduct Large-Scale, Online Controlled Security Experiments with Software Developers
C. Stransky, Y. Acar, D.C. Nguyen, D. Wermke, D. Kim, E.M. Redmiles, M. Backes, S.L. Garfinkel, M.L. Mazurek, S. Fahl, in: J.M. Fernandez, M. Payer (Eds.), 10th USENIX Workshop on Cyber Security Experimentation and Test, CSET 2017, Vancouver, BC, Canada, August 14, 2017, USENIX Association, 2017.
Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security
F. Fischer, K. Böttinger, H. Xiao, C. Stransky, Y. Acar, M. Backes, S. Fahl, in: 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22-26, 2017, IEEE Computer Society, 2017, pp. 121–136.
A Stitch in Time: Supporting Android Developers in Writing Secure Code
D.C. Nguyen, D. Wermke, Y. Acar, M. Backes, C. Weir, S. Fahl, in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2017.
You are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users
Y. Acar, S. Fahl, M.L. Mazurek, in: 2016 IEEE Cybersecurity Development (SecDev), IEEE, 2017.
Comparing the Usability of Cryptographic APIs
Y. Acar, M. Backes, S. Fahl, S. Garfinkel, D. Kim, M.L. Mazurek, C. Stransky, in: 2017 IEEE Symposium on Security and Privacy (SP), IEEE, 2017.
Security Developer Studies with GitHub Users: Exploring a Convenience Sample
Y. Acar, C. Stransky, D. Wermke, M.L. Mazurek, S. Fahl, in: Thirteenth Symposium on Usable Privacy and Security, SOUPS 2017, Santa Clara, CA, USA, July 12-14, 2017, USENIX Association, 2017, pp. 81–95.
Organizational views of NIST cryptographic standards and testing and validation programs
J. Haney, M. Theofanos, Y. Acar, S.S. Prettyman, Organizational Views of NIST Cryptographic Standards and Testing and Validation Programs, National Institute of Standards and Technology, 2018.
Your Secrets Are Safe
Y. Wu, P. Gupta, M. Wei, Y. Acar, S. Fahl, B. Ur, in: Proceedings of the 2018 World Wide Web Conference on World Wide Web - WWW ’18, ACM Press, 2018.
"We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products
J.M. Haney, M. Theofanos, Y. Acar, S.S. Prettyman, in: M.E. Zurko, H.R. Lipford (Eds.), Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018, Baltimore, MD, USA, August 12-14, 2018, USENIX Association, 2018, pp. 357–373.
The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators
M. Oltrogge, E. Derr, C. Stransky, Y. Acar, S. Fahl, C. Rossow, G. Pellegrino, S. Bugiel, M. Backes, in: 2018 IEEE Symposium on Security and Privacy (SP), IEEE, 2018.
Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse
P.L. Gorski, L.L. Iacono, D. Wermke, C. Stransky, S. Möller, Y. Acar, S. Fahl, in: M.E. Zurko, H.R. Lipford (Eds.), Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018, Baltimore, MD, USA, August 12-14, 2018, USENIX Association, 2018, pp. 265–281.
A Large Scale Investigation of Obfuscation Use in Google Play
D. Wermke, N. Huaman, Y. Acar, B. Reaves, P. Traynor, S. Fahl, in: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, December 03-07, 2018, ACM, 2018, pp. 222–235.
Smart Home Security and Privacy Mitigations: Consumer Perceptions, Practices, and Challenges
J. Haney, S. Furman, Y. Acar, in: International Conference on Human-Computer Interaction, Copenhagen, 2020.
Smart Home Security and Privacy Mitigations: Consumer Perceptions, Practices, and Challenges
J.M. Haney, S.M. Furman, Y. Acar, in: HCI for Cybersecurity, Privacy and Trust, Springer International Publishing, Cham, 2020.
Cloudy with a Chance of Misconceptions: Exploring Users’ Perceptions and Expectations of Security and Privacy in Cloud Office Suites
D. Wermke, N. Huaman, C. Stransky, N. Busch, Y. Acar, S. Fahl, in: H.R. Lipford, S. Chiasson (Eds.), Sixteenth Symposium on Usable Privacy and Security, SOUPS 2020, August 7-11, 2020, USENIX Association, 2020, pp. 359–377.
Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs
P.L. Gorski, Y. Acar, L. Lo Iacono, S. Fahl, in: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, ACM, 2020.
Human Factors in Secure Software Development
Y. Acar, Human Factors in Secure Software Development, University of Marburg, Germany, 2021.
A Large-Scale Interview Study on Information Security in and Attacks against Small and Medium-sized Enterprises
N. Huaman, B. von Skarczinski, C. Stransky, D. Wermke, Y. Acar, A. Dreißigacker, S. Fahl, in: M. Bailey, R. Greenstadt (Eds.), 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, USENIX Association, 2021, pp. 1235–1252.
Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android Applications
M. Oltrogge, N. Huaman, S. Amft, Y. Acar, M. Backes, S. Fahl, in: M. Bailey, R. Greenstadt (Eds.), 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, USENIX Association, 2021, pp. 4347–4364.
Never ever or no matter what: Investigating Adoption Intentions and Misconceptions about the Corona-Warn-App in Germany
M. Häring, E. Gerlitz, C. Tiefenau, M. Smith, D. Wermke, S. Fahl, Y. Acar, in: S. Chiasson (Ed.), Seventeenth Symposium on Usable Privacy and Security, SOUPS 2021, August 8-10, 2021, USENIX Association, 2021, pp. 77–98.
On the Limited Impact of Visualizing Encryption: Perceptions of E2E Messaging Security
C. Stransky, D. Wermke, J. Schrader, N. Huaman, Y. Acar, A.L. Fehlhaber, M. Wei, B. Ur, S. Fahl, in: S. Chiasson (Ed.), Seventeenth Symposium on Usable Privacy and Security, SOUPS 2021, August 8-10, 2021, USENIX Association, 2021, pp. 437–454.
They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites
N. Huaman, S. Amft, M. Oltrogge, Y. Acar, S. Fahl, in: 2021 IEEE Symposium on Security and Privacy (SP), IEEE, 2021.
"It’s the Company, the Government, You and I": User Perceptions of Responsibility for Smart Home Privacy and Security
J.M. Haney, Y. Acar, S. Furman, in: M. Bailey, R. Greenstadt (Eds.), 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, USENIX Association, 2021, pp. 411–428.
Investigating Web Service Account Remediation Advice
L. Neil, E. Bouma-Sims, E. Lafontaine, Y. Acar, B. Reaves, in: S. Chiasson (Ed.), Seventeenth Symposium on Usable Privacy and Security, SOUPS 2021, August 8-10, 2021, USENIX Association, 2021, pp. 359–376.
If You Can’t Get Them to the Lab: Evaluating a Virtual Study Environment with Security Information Workers
N. Huaman, A. Krause, D. Wermke, J.H. Klemmer, C. Stransky, Y. Acar, S. Fahl, in: S. Chiasson, A. Kapadia (Eds.), Eighteenth Symposium on Usable Privacy and Security, SOUPS 2022, Boston, MA, USA, August 7-9, 2022, USENIX Association, 2022, pp. 313–330.
How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study
M. Gutfleisch, J.H. Klemmer, N. Busch, Y. Acar, M.A. Sasse, S. Fahl, in: 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, CA, USA, May 22-26, 2022, IEEE, 2022, pp. 893–910.
27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University
C. Stransky, O. Wiese, V. Roth, Y. Acar, S. Fahl, in: 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, CA, USA, May 22-26, 2022, IEEE, 2022, pp. 860–875.
Where to Recruit for Security Development Studies: Comparing Six Software Developer Samples
H. Kaur, S. Amft, D. Votipka, Y. Acar, S. Fahl, in: K.R.B. Butler, K. Thomas (Eds.), 31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022, USENIX Association, 2022, pp. 4041–4058.
They Would Do Better If They Worked Together: Interaction Problems Between Password Managers and the Web
N. Huaman, S. Amft, M. Oltrogge, Y. Acar, S. Fahl, IEEE Secur. Priv. 20 (2022) 49–60.
"Please help share!": Security and Privacy Advice on Twitter during the 2022 Russian Invasion of Ukraine
J. Schmüser, N. Wöhler, H.S. Ramulu, C. Stransky, D. Wermke, S. Fahl, Y. Acar, CoRR abs/2208.11581 (2022).
"They’re not that hard to mitigate": What Cryptographic Library Developers Think About Timing Attacks
J. Jancar, M. Fourné, D.D.A. Braga, M. Sabt, P. Schwabe, G. Barthe, P.-A. Fouque, Y. Acar, in: 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, CA, USA, May 22-26, 2022, IEEE, 2022, pp. 632–649.
Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects
D. Wermke, N. Wöhler, J.H. Klemmer, M. Fourné, Y. Acar, S. Fahl, in: 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, CA, USA, May 22-26, 2022, IEEE, 2022, pp. 1880–1896.
"Desperate Times Call for Desperate Measures": User Concerns with Mobile Loan Apps in Kenya
C.W. Munyendo, Y. Acar, A.J. Aviv, in: 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, CA, USA, May 22-26, 2022, IEEE, 2022, pp. 2304–2319.
Committed by Accident: Studying Prevention and Remediation Strategies Against Secret Leakage in Source Code Repositories
A. Krause, J.H. Klemmer, N. Huaman, D. Wermke, Y. Acar, S. Fahl, CoRR abs/2211.06213 (2022).
Digital Security–A Question of Perspective. A Large-Scale Telephone Survey with Four At-Risk User Groups
F. Herbert, S. Becker, A. Buckmann, M. Kowalewski, J. Hielscher, Y. Acar, M. Dürmuth, Y. Zou, M.A. Sasse, ArXiv Preprint ArXiv:2212.12964 (2022).
"Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain
D. Wermke, J.H. Klemmer, N. Wöhler, J. Schmüser, H. Sri Ramulu, Y. Acar, S. Fahl, in: 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, May 21-25, 2023, IEEE, 2023, pp. 1545–1560.
Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories
A. Krause, J.H. Klemmer, N. Huaman, D. Wermke, Y. Acar, S. Fahl, in: J.A. Calandrino, C. Troncoso (Eds.), 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, USENIX Association, 2023.
It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security
M. Fourné, D. Wermke, W. Enck, S. Fahl, Y. Acar, in: 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, May 21-25, 2023, IEEE, 2023, pp. 1527–1544.
"In Eighty Percent of the Cases, I Select the Password for Them": Security and Privacy Challenges, Advice, and Opportunities at Cybercafes in Kenya
C.W. Munyendo, Y. Acar, A.J. Aviv, in: 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, May 21-25, 2023, IEEE, 2023, pp. 570–587.
A World Full of Privacy and Security (Mis)conceptions? Findings of a Representative Survey in 12 Countries
F. Herbert, S. Becker, L. Schaewitz, J. Hielscher, M. Kowalewski, M.A. Sasse, Y. Acar, M. Dürmuth, in: A. Schmidt, K. Väänänen, T. Goyal, P.O. Kristensson, A. Peters, S. Mueller, J.R. Williamson, M.L. Wilson (Eds.), Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, CHI 2023, Hamburg, Germany, April 23-28, 2023, ACM, 2023, p. 582:1–582:23.
"We are a startup to the core": A qualitative interview study on the security and privacy development practices in Turkish software startups
D. Keküllüoglu, Y. Acar, in: 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, May 21-25, 2023, IEEE, 2023, pp. 2015–2031.
"Oh yes! over-preparing for meetings is my jam :)": The Gendered Experiences of System Administrators
M. Kaur, H. Sri Ramulu, Y. Acar, T. Fiebig, Proc. ACM Hum. Comput. Interact. 7 (2023) 1–38.
S3C2 Summit 2202-09: Industry Secure Supply Chain Summit
M. Tran, Y. Acar, M. Cukier, W. Enck, A. Kapravelos, C. Kästner, L.A. Williams, CoRR abs/2307.15642 (2023).
S3C2 Summit 2023-02: Industry Secure Supply Chain Summit
T. Dunlap, Y. Acar, M. Cukier, W. Enck, A. Kapravelos, C. Kästner, L.A. Williams, CoRR abs/2307.16557 (2023).
S3C2 Summit 2023-06: Government Secure Supply Chain Summit
W. Enck, Y. Acar, M. Cukier, A. Kapravelos, C. Kästner, L.A. Williams, CoRR abs/2308.06850 (2023).
"Security is not my field, I’m a stats guy": A Qualitative Root Cause Analysis of Barriers to Adversarial Machine Learning Defenses in Industry
J. Mink, H. Kaur, J. Schmüser, S. Fahl, Y. Acar, in: J.A. Calandrino, C. Troncoso (Eds.), 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, USENIX Association, 2023.
Lost and not Found: An Investigation of Recovery Methods for Multi-Factor Authentication
S. Amft, S. Höltervennhoff, N. Huaman, A. Krause, L. Simko, Y. Acar, S. Fahl, CoRR abs/2306.09708 (2023).
"Would You Give the Same Priority to the Bank and a Game? I Do Not!" Exploring Credential Management Strategies and Obstacles during Password Manager Setup
S. Amft, S. Höltervennhoff, N. Huaman, Y. Acar, S. Fahl, in: P.G. Kelley, A. Kapadia (Eds.), Nineteenth Symposium on Usable Privacy and Security, SOUPS 2023, Anaheim, CA, USA, August 5-7, 2023, USENIX Association, 2023, pp. 171–190.
"I wouldn’t want my unsafe code to run my pacemaker": An Interview Study on the Use, Comprehension, and Perceived Risks of Unsafe Rust
S. Höltervennhoff, P. Klostermeyer, N. Wöhler, Y. Acar, S. Fahl, in: J.A. Calandrino, C. Troncoso (Eds.), 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, USENIX Association, 2023.
Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations
T. Kohno, Y. Acar, W. Loh, in: J.A. Calandrino, C. Troncoso (Eds.), 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, USENIX Association, 2023.
Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice
L. Neil, H. Sri Ramulu, Y. Acar, B. Reaves, in: Nineteenth Symposium on Usable Privacy and Security, SOUPS 2023, Anaheim, CA, USA, August 5-7, 2023, USENIX Association, 2023, pp. 283–299.
Beyond the Boolean: How Programmers Ask About, Use, and Discuss Gender
E. Bouma-Sims, Y. Acar, Proc. ACM Hum. Comput. Interact. 7 (2023) 1–31.
"Make Them Change it Every Week!": A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication
J.H. Klemmer, M. Gutfleisch, C. Stransky, Y. Acar, M.A. Sasse, S. Fahl, CoRR abs/2309.00744 (2023).
Securing Your Crypto-API Usage Through Tool Support - A Usability Study
S. Krüger, M. Reif, A.-K. Wickert, S. Nadi, K. Ali, E. Bodden, Y. Acar, M. Mezini, S. Fahl, in: 2023 IEEE Secure Development Conference (SecDev), IEEE, 2023.
Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth
J. Pottebaum, J. Rossel, J. Somorovsky, Y. Acar, R. Fahr, P. Arias Cabarcos, E. Bodden, I. Gräßler, in: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), IEEE, 2023, pp. 379–385.
A Viewpoint on Human Factors in Software Supply Chain Security: A Research Agenda
M. Fourné, D. Wermke, S. Fahl, Y. Acar, IEEE Secur. Priv. 21 (2023) 59–63.
"We’ve Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments
S. Amft, S. Höltervennhoff, N. Huaman, A. Krause, L. Simko, Y. Acar, S. Fahl, in: W. Meng, C.D. Jensen, C. Cremers, E. Kirda (Eds.), Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copenhagen, Denmark, November 26-30, 2023, ACM, 2023, pp. 3138–3152.
Security, Privacy, and Data-sharing Trade-offs When Moving to the United States: Insights from a Qualitative Study
M. Tran, C.W. Munyendo, H. Sri Ramulu, R.G. Rodriguez, L.B. Schnell, C. Sula, L. Simko, Y. Acar, in: 2024 IEEE Symposium on Security and Privacy (SP), 2023, pp. 4–4.
The Use and Non-Use of Technology During Hurricanes
L. Simko, H. Sri Ramulu, T. Kohno, Y. Acar, Proc. ACM Hum. Comput. Interact. 7 (2023) 1–54.
Digital Security -- A Question of Perspective. A Large-Scale Telephone Survey with Four At-Risk User Groups
F. Herbert, S. Becker, A. Buckmann, M. Kowalewski, J. Hielscher, Y. Acar, M. Dürmuth, M.A. Sasse, Y. Zou, IEEE Symposium on Security and Privacy. IEEE, New York, NY, USA (2024).