The 2023 European Symposium on Usable Security

Dates and Location: October 16 & 17, 2023 Copenhagen, Denmark

The European Symposium on Usable Security (EuroUSEC) serves as a European forum for research and discussion in the area of human factors in security and privacy. EuroUSEC solicits previously unpublished work offering novel research contributions or clearly articulated research visions in any aspect of human-centered security and privacy. The aim of EuroUSEC is to bring together an interdisciplinary group of researchers and practitioners in human-computer interaction, security, and privacy. Participants are researchers, practitioners, and students from domains including computer science, engineering, psychology, the social sciences, and economics.

EuroUSEC is an independent event in Copenhagen without any affiliation to any conference. We strive to keep registration costs to a minimum.

The International Conference Proceedings Series (ICPS) of ACM has accepted our application, and similar to last year, the EuroUsec proceedings will be published by ACM this year as well.

We will require one author of each accepted paper to present the paper in person. In certain circumstances, people who cannot travel may present their papers virtually. Under the same restrictions, we will ask keynote speakers to come and present in person.

We want EuroUSEC to be a community-driven event and would love to hear any questions, comments, or concerns you might have regarding these changes from last year. Therefore we want to encourage everyone to join the EuroUSEC Slack. Alternatively, you can email the program chairs with any questions or concerns..

EuroUSEC is part of the USEC family of events. You can find more info about all USEC events at:

Keynote Speakers

Jetzabel M. Serna-Olvera

Talk Title: "Driving Security: Navigating the Human-Centric Culture Highway in the Automotive Industry"

Biography: Dr. Jetzabel M. Serna-Olvera is the CEO and Co-founder of SAPAR GmbH, with over 18 years of experience in the global cybersecurity sector. She holds a Bachelor's degree in Computer Systems Engineering, a Master's degree in Computer Science and Communications Engineering, and a PhD in cybersecurity. Throughout her career, she has worked in various roles including software engineer (Tijuana City Council), security researcher (esCERT-UPC and LaCaixa Bank), and cybersecurity strategist (Continental, Rober Bosch GmbH, and Geely). She has contributed as an assistant professor at the Goethe University of Frankfurt and an external lecturer at the RheinMain University of Applied Sciences. Dr. Serna-Olvera has contributed to national and international research projects and her work focuses on Vulnerability Management, Incident Response, Threat Intelligence, and nurturing a culture of cybersecurity. She is passionate about fostering information sharing, addressing privacy issues, and integrating cybersecurity into core business operations.

Albin Zuccato

Talk Title: "How to Create a Useable Security and Data Protection Strategy by Combining Bottom-up and Top-Down Methods"

Biography: Albin is currently Chief Information Security Officer at ICA Gruppen AB. In this role, he maintains and develops Information Security, Cyber Security, and IT privacy. He holds a Ph.D. in information security management and is CISSP, CISA, ISO 27001 Lead Implementer, and Lead Auditor certified. Albin has worked in information security, IT security, and data protection since 1997. He has experience in the financial industry, public sector, cloud services, retail, and telecom industry as well as international research projects. Albin lectures regularly at universities about Privacy & Data Protection, Information Security Management, and Security Development. He is also an invited speaker at various conferences on information security topics.

CFP: Posters for EuroUSEC

Please consider submitting a poster to EuroUSEC 2023 based on the paper you submitted previously, or on some other topic. The posters will be reviewed by the two chairs.

Deadline: 4th 8th September 2023 (AoE)
Notification: 10th 14th September 2023 (AoE)
Prefix the paper title with: POSTER:

If accepted, at least one author has to attend the conference to discuss the poster with interested attendees.

We will include the submitted abstract on the conference website if authors consent to this. The posters/abstracts will not be included in the conference proceedings.


Please submit a structured abstract (see below) of at most 2 pages (incl. references) of your poster here: HotCRP Submission

Please note, you don't need to submit your actual poster at the moment.

Structured Abstract Contents

The structured abstract should include your study's 1. background, 2. aim, 3. methods, 4. results and 5. conclusions. Consider this structured abstract adapted from STAST 2018 (borrowed from STAST 2022’s website) as an example for the structure (note that your abstract will probably be longer than the example, as you have two pages space):

Background. 3-D Secure 2.0 (3DS 2.0) is an identity federation protocol authenticating the payment initiator for credit card transactions on the Web.

Aim. We aim to quantify the impact of factors used by 3DS 2.0 in its fraud-detection decision making process.

Method. We ran N=64 credit card transactions with two Web sites systematically manipulating the nominal IVs machine_data, value, region, and website. We measured whether the user was challenged with an authentication, whether the transaction was declined, and whether the card was blocked as nominal DVs. We established three logistic regression models to quantify the impact of the predictors on the likelihood of the transaction outcomes.

Results. A change in machine_data, region or value made it 5-7 times as likely to be challenged with password authentication. However, even in a foreign region with another factor being changed, the overall likelihood of being challenged only reached 60%. When in the card's home region, a transaction will be rarely declined (< 5% in control, 40% with one factor changed). However, in a region foreign to the card the system will more likely decline transactions anyway (about 60%) and any change in machine_data or value will lead to a near-certain declined transaction.

Conclusions. We found that the decisions to challenge the user with a password authentication, to decline a transaction and to block a card are governed by different weightings. 3DS 2.0 is most likely to decline transactions, especially in a foreign region. It is less likely to challenge users with password authentication, even if machine_data or value are changed.

Call for Papers (deadline passed)

We invite you to submit a paper and join us at EuroUSEC 2023.

We are excited to welcome original work describing research, visions, or experiences in all areas of usable security and privacy. We welcome a variety of research methods, including both qualitative and quantitative approaches.

We will review longer papers on mature/completed work in a research track, as well as shorter papers on work in progress, or work that has yet to begin, in a vision track. We aim to provide a venue for researchers at all stages of their careers and at all stages of their projects.

Topics include, but are not limited to:

  • usable security and privacy implications or solutions for specific domains (such as IoT, ehealth, and vulnerable populations)
  • methodologies for usable security and privacy research
  • field studies of security or privacy technology
  • longitudinal studies of deployed security or privacy features
  • new applications of existing privacy/security models or technology
  • innovative security or privacy functionality and design
  • usability evaluations of new or existing security or privacy features
  • security testing of new or existing usability features
  • lessons learned from the deployment and use of usable privacy and security features
  • reports of failed usable privacy/security studies or experiments, with the focus on the lessons learned from such experience
  • papers with negative results
  • reports of replicating previously published important studies and experiments
  • psychological, sociological, cultural, or economic aspects of security and privacy
  • studies of administrators or developers and support for security and privacy
  • studies on the adoption or acceptance of security or privacy technologies
  • systematization of knowledge papers
  • impact of organizational policy or procurement decisions on security and privacy

It is mandatory for at least one author to attend EuroUSEC (either in person or virtually in certain circumstances).

Important Dates

Paper registration deadline (mandatory):       Monday, 5th June, 2023 (Anywhere on Earth)                
Paper submission deadline: Friday, 9th June, 2023(Anywhere on Earth)
Notification: Monday, 10th July, 2023 Monday, 17th July, 2023
Revision decision re-submission deadline: Monday, 24th July, 2023 Monday, 31st July, 2023 (Anywhere on Earth)
Revision notification: Monday, 7th August, 2023 Monday, 14th August, 2023 Friday, 18th August, 2023
Camera ready (ACM proceedings): Sunday, 10th September, 2023
Camera ready (authors' version, to be uploaded to HotCRP): Sunday, 1st October, 2023
Registration, authors (online and onsite) Friday, 1st September, 2023
Registration, all (onsite) Saturday, 16th September, 2023
Registration, all (online) Sunday, 1st October, 2023
EuroUSEC: 16th & 17th October, 2023


Research Track: The research track is intended to report on mature work that has been completed. The goal of the EuroUSEC's research track is to disseminate results of interest to the broader usable security and privacy community. Papers must not be more than 16 pages in length using the one-column submission format excluding the bibliography. Try to scale the length of the paper according to the contributions you describe therein. Authors have the option to attach to their paper‘s supplementary appendices with study materials (e.g., survey instruments, interview guides, etc.) that would not otherwise take up valuable space within the body of the paper. Reviewers are not required to read appendices, so your paper should be self-contained without them. ACM also allows publication of additional supplemental materials and we want to encourage authors to use this option to provide research artifacts (e.g., builds of own software used in the study).

Vision Track: The vision track is intended to report on work in progress or concrete ideas for work that has yet to begin. The focus in the vision track is to spark discussion with the goal to provide the authors helpful feedback, pointers to potentially related investigations, and new ideas to explore. Suitable submissions to the vision track include traditional work-in-progress pieces such as preliminary results of pre-studies, but also research proposals and position papers outlining future research. Papers must be up to 9 pages in length using the one-column format, including the bibliography and with no appendices.

Submission Instructions

Upload your submission via this link:

  1. All submissions must report original work.
    • Authors must clearly document any overlap with previously or simultaneously submitted papers from any of the authors (email the chairs a PDF document outlining this).
  2. Papers must be written in English.
  3. Papers must be anonymized for review
  4. Refer to your own related work in the third person: do not use personal pronouns
    • This requirement also applies to data sets and artifacts. (For example, "We reused data from the authors of Smith et al. [31] in our experiment.")
  5. Do not blind citations except in extraordinary circumstances. If in doubt, contact the chairs.
  6. All submissions must use the ACM Word or LaTeX templates.
    • These templates can be obtained from the ACM author submission information website. In particular, for the camera-ready submission to The ACM Publishing System (TAPS), the one-column format must be used (e.g. for latex: \documentclass[manuscript]{acmart}).
  7. Systematization of Knowledge paper titles must begin with SOK:
  8. Vision paper titles must begin with Vision:

Simultaneous submission of the same paper to another venue with proceedings or a journal is prohibited. Serious infringements of these policies may cause the paper to be rejected from publication and the authors put on a warning list, even if the paper is initially accepted by the program committee. Contact the EuroUSEC chairs if there are questions about this policy.

You are free to publish a pre-print of your paper on arXiv, SSRN or similar, if you wish to.

Contact the EuroUSEC chairs if there are any questions.

Important Information for Researchers from Russian and Belarussian Institutions

Because of the Russian invasion in Ukraine, current guidelines of our host IT University of Copenhagen (ITU) prohibit hosting guests from research institutions in Russia and Belarus at ITU. We therefore encourage researchers from such institutions to be mindful of these regulations and to check whether they will be able to attend EuroUSEC before submitting their work.

Program Committee Chairs

The chairs can be contacted at Oksana Kulyk and Farzaneh Karegar

Program Committee

  • Samuel Agbesi, IT University of Copenhagen
  • Ala Sarah Alaqra, Karlstad University
  • Patricia Arias-Cabarcos, Paderborn University
  • David Balash, The George Washington University
  • Ingolf Becker, University College London
  • Enka Blanchard, CNRS & Université Polytechnique Hauts-de-France
  • Jurlind Budurushi, University of Qatar
  • Jan-Willem Bullee, University of Twente
  • Karoline Busse, University of Applied Administrative Sciences Lower Saxony
  • Jean Camp, Indiana University
  • Kovila Coopamootoo, Kings College London
  • Adele Da Veiga, University of South Africa
  • Nicolas E. Díaz Ferreyra, Hamburg University of Technology
  • Yvonne Dittrich, IT University of Copenhagen
  • Verena Distler, Bundeswehr University Munich
  • Ali Farooq, University of Turku
  • Edwin Frauenstein, Walter Sisulu University
  • Jennifer Friedauer, Ruhr University Bochum
  • Peter Gorski, INFODAS GmbH
  • Thomas Gross, Newcastle University
  • Hana Habib, Carnegie Mellon University
  • Jonas Hielscher, Ruhr University Bochum
  • Luigi Lo Iacono, Hochschule Bonn-Rhein-Sieg
  • Sana Maqsood, York University
  • Tatsuya Mori, Waseda University
  • Ben Morrison, NHS Business Service Authority & Northumbria University
  • Collins Munyendo, The George Washington University
  • Alena Naiakshina, Bochum University
  • Alaa Nehme, Mississippi State University
  • James Nicholson, Northumbria University
  • Emma Nicol, University of Strathclyde
  • Jason Nurse, University of Kent
  • Jeremiah Onaolapo, University of Vermont
  • Ali Padyab, University of Skövde
  • Simon Parkin, Delft University of Technology
  • Scott Ruoti, University of Tennessee
  • Kavous Salehzadeh, Niksirat University of Lausanne
  • Cigdem Sengul, Brunel University
  • Dirk Snyman, University of Cape Town
  • Mohammad Tahaei, Nokia Bell Labs
  • Faiza Tazi, University of Denver
  • Vanessa Teague, Australian National University
  • Jan Tolsdorf, Hochschule Bonn-Rhein-Sieg
  • Martin Ukrop, Red Hat
  • Karl van der Schyff, Rhodes University
  • Dominik Wermke, CISPA Helmholtz Center for Information Security
  • Stephan Wiefling, Hochschule Bonn-Rhein-Sieg
  • Daricia Wilkinson, Microsoft Research
  • Verena Zimmermann, ETH Zürich

Publicity Chairs

  • Anne Hennig, Karlsruhe Institute of Technology (Germany)
  • Agnieszka Kitkowska, Jönköping University (Sweden)
  • Ali Farooq, University of Turku (Finland)

Steering Committee

  • Karen Renaud, University of Strathclyde (UK)
  • Peter Mayer, Karlsruhe Institute of Technology (Germany)
  • Angela Sasse, Ruhr University Bochum / Ruhr-Universität Bochum (Germany)
  • Melanie Volkamer, Karlsruhe Institute of Technology (Germany)
  • Charles Weir, Lancaster University (UK)


As last year, all times in the program are given in the Central European (Summer) Time Zone (CEST). You can use this link to convert the times to any time zone you wish.

The preliminary program is available below. Specific details for sessions and keynotes will be published as soon as we finished the planning.

Monday 16th October 2023
8:30 - 9:00 | Registration and coffee

9:00 - 9:15 | Greetings

9:15 - 10:15 | Keynote 1: Jetzabel M. Serna-Olvera, CEO and Co-founder of SAPAR GmbH.
Talk title: "Driving Security: Navigating the Human-Centric Culture Highway in the Automotive Industry"

10:15 - 12:15 | Technical Paper Session 1: User Behavior and Perceptions (20 minutes per paper - including time for questions)

Chair: Delphine Reinhardt
“My sex-related data is more sensitive than my financial data and I want the same level of security and privacy": User Risk Perceptions and Protective Actions in Female-oriented Technologies Maryam Mehrnezhad (RHUL), Teresa Almeida (Umea, Sweden)
“It’s not that I want to see the student’s bedroom...”: Instructor Perceptions of e-Proctoring Software Kazma Chaudhry (Carleton University), Anna-Lena Theus (Carleton University), Hala Assal (Carleton University), Sonia Chiasson (Carleton University)
Divergences in Blame Attribution after a Security Breach based on Compliance Behavior: Implications for Post-breach Risk Communication Ehsan Ul Haque (University of Connecticut), Mohammad Maifi Hasan Khan (University of Connecticut), Md Abdullah Al Fahim (University of Connecticut), Theodore Jensen (University of Connecticut)
A Comparison of Users’ and Non-users’ Perceptions of Health and Ancestry At-Home Dna Testing Khadija Baig (Carleton University), Daniela Napoli (Carleton University), Sonia Chiasson (Carleton University)
Effect of Device Risk Perceptions and Understandability of Data Management Features on Consumers' Willingness to Pay (WTP) for IoT Device Premium Data Management Plan Ehsan Ul Haque (University of Connecticut), Mohammad Maifi Hasan Khan (University of Connecticut)

12:15 - 13:30 | Lunch

13:30 - 15:30 | Technical Paper Session 2: Security and privacy of mobile devices (20 minutes per paper - including time for questions)
Chair: Maryam Mehrnezhad
Better the Devil You Know: Using Lost-Smartphone Scenarios to Explore user Perceptions of Unauthorised Access Matt Dixon (Northumbria University), Elizabeth Sillence (Northumbria University), James Nicholson (Northumbria University), Lynne Coventry (Abertay University
“It’s the one thing that makes my life tick”: Security Perspectives of the Smartphone Era Matt Dixon (Northumbria University), Elizabeth Sillence (Northumbria University), James Nicholson (Northumbria University), Lynne Coventry (Northumbria University)
Analysing the Influence of Loss-Gain Framing on Data Disclosure Behaviour: A Study on the Use Case of App Permission Requests Kerstin Bongard-Blanchy (University of Luxembourg), Jean-Louis Sterckx (KU Leuven), Arianna Rossi (SnT, University of Luxembourg), Anastasia Sergeeva (University of Luxembourg), Vincent Koenig (University of Luxembourg), Salvador Rivas (University of Luxembourg), Verena Distler (University of Luxembourg, University of the Bundeswehr Munich)
Lessons in Prevention and Cure: A User Study of Recovery from Flubot Smartphone Malware Artur Geers (Delft University of Technology), Aaron Ding (Delft University of Technology), Carlos Hernandez Ganan (Delft University of Technology), Simon Parkin (Delft University of Technology)
Assessing Security, Privacy, User Interaction, and Accessibility Features in Popular E-Payment Applications Urvashi Kishnani (University of Denver), Naheem Noah (University of Denver), Sanchari Das (University of Denver), Rinku Dewri (University of Denver)

15:30 - 16:00 | Coffee break

16:00 - 17:45 | Technical Paper Session 3: Authentication (20 minutes per paper - including time for questions)
Chair: Oksana Kulyk
“Someone Definitely Used 0000”: Strategies, Performance, and User Perception of Novice Smartphone-Unlock PIN-Guessers Daniel V. Bailey (Ruhr University Bochum), Collins W. Munyendo (The George Washington University), Hunter A. Dyer (Sandia National Labs), Miles Grant (The George Washington University), Philipp Markert (Ruhr University Bochum), Adam J. Aviv (The George Washington University)
Overcoming Theory: Designing Brainwave Authentication for the Real World Markus Röse (Paderborn University), Emiram Kablo (Paderborn University), Patricia Arias-Cabarcos (Paderborn University)
PinchKey: A Natural and User-Friendly Approach to VR User Authentication Mei Suzuki (Waseda University), Ryo Iijima (National Institute of Advanced Industrial Science and Technology / Waseda University), Kazuki Nomoto (Waseda University/Deloitte Tohmatsu Cyber LLC), Tetsushi Ohki (Shizuoka University / RIKEN AIP), Tatsuya Mori (Waseda University / RIKEN AIP / NICT)
Usable Security Model for Industrial Control Systems - Authentication and Authorisation Workflow Karen Li (University of Bristol), Awais Rashid (University of Bristol), Anne Roudaut (University of Bristol)

18:00 | Reception

Tuesday 17th October 2023
8:30 - 9:00 | Registration and coffee

9:00 - 10:00 | Keynote 2: Albin Zuccato, Chief Information Security Officer at ICA Gruppen AB.
Talk title: "How to Create a Useable Security and Data Protection Strategy by Combining Bottom-up and Top-Down Methods"

10:00 - 11:30 | Technical Paper Session 4: Cybersecurity awareness (20 minutes per paper - including time for questions)

Chair: Anne Hennig
Vision: How to Provide Documentation to Non-skilled Developers for Appropriate Use of Cryptography: Action Research Study on Expert Monitoring Daiki Ishii (Toho University), Akira Kanaoka (Toho University)
Encouraging Organisational Information Security Incident Reporting Fabian Lucas Ballreich (Karlsruhe Institute of Technology), Melanie Volkamer (Karlsruhe Institute of Technology), Dirk Müllmann (Karlsruhe Institute of Technology), Benjamin Berens (Karlsruhe Institute of Technology), Elena Marie Häußler (Karlsruhe Institute of Technology), Karen Renaud (University of Strathclyde)
Caring Not Scaring - An Evaluation of a Workshop to Train Apprentices as Security Champions Uta Menges (Ruhr University Bochum), Jonas Hielscher (Ruhr University Bochum), Laura Kocksch (Aalborg University), Annette Kluge (Ruhr University Bochum), M. Angela Sasse (Ruhr University Bochum)
Vision: Supporting Citizens in Adopting Privacy Enhancing Technologies Shirin Shams (University of Göttingen), Delphine Reinhardt (University of Göttingen)

11:30 - 13:00 | Lunch

13:00 - 14:30 | Technical Paper Session 5: Security and privacy practices and strategies (20 minutes per paper - including time for questions)
Chair: Simon Parkin
Security Champions Without Support: Results from a Case Study with OWASP SAMM in a Large-Scale E-Commerce Enterprise Marco Gutfleisch (Ruhr University Bochum), Markus Schöps (Ruhr University Bochum), Stefan Albert Horstmann (Ruhr University Bochum), Daniel Wichmann (Ruhr University Bochum), M. Angela Sasse (Ruhr University Bochum)
But Is It Exploitable? Exploring How Router Vendors Manage and Patch Security Vulnerabilities in Consumer-Grade Routers George Chalhoub (University of Oxford), Andrew Martin (University of Oxford)
Privacy Strategies for Conversational AI and their Influence on Users’Perceptions and Decision-Making Anna Leschanowsky (Fraunhofer Institute for Integrated Circuits IIS), Birgit Popp (Fraunhofer Institute for Integrated Circuits IIS), Nils Peters (International Audio Laboratories Erlangen)
Vision: What the Hack Is Going On? A First Look at How Website Owners Became Aware That Their Website Was Hacked Anne Hennig (SECUSO / AIFB, Karlsruhe Institute of Technology), Nhu Thi Thanh Vuong (Karlsruhe Institute of Technology), Peter Mayer (University of Southern Denmark)

14:30 - 15:00 | Break

15:00 - 16:15 | Technical Paper Session 6: Phishing (20 minutes per paper - including time for questions)
Chair: Peter Mayer
Influence of URL Formatting on Users' Phishing URL Detection Mattia Mossano (Karlsruhe Institute of Technology), Oksana Kulyk (IT University of Copenhagen), Benjamin Maximillian Berens (Karlsruhe Institute of Technology), Elena Marie Häußler (Karlsruhe Institute of Technology), Melanie Volkamer (Karlsruhe Institute of Technology)
Phishing to Improve Detection Sarah Y. Zheng (University College London), Ingolf Becker (University College London)
"It may take ages": Understanding Human-Centred Lateral Phishing Attack Detection in Organisations Neeranjan Chitare (Northumbria University), Lynne Coventry (Abertay University), James Nicholson (Northumbria University)

16:15 - 16:30 | Closing remarks

17:00 - 18:00 | Social event: a city tour around Copenhagen

From 18:30 | Conferene dinner at the Spiseloppen restaurant in Christiania (self-paid)

Event Logistics

EuroUSEC will be held from October 16 - 17 in Copenhagen, Denmark. Event location is IT University of Copenhagen, located at Rued Langgaards Vej 7, DK-2300 Copenhagen S . The university is reachable via public transportation (metro and bus), see for more information about tickets.

The following hotels are well-connected to the university, either being via walking distance or being close to a city center and directly connected to the university via either bus or metro:

  • Hotel Kong Arthur **** - metro
  • Hotel Nora *** - metro
  • Tivoli **** - bus
  • Zoku **** - walk (6 min)
  • Wakeup Copenhagen ** - metro, bus (several locations)
  • Cabinn ** - metro, bus (several locations)
  • Bryggen Guldsmeden **** - metro or 17 minutes walk

Social Contract

To make EuroUSEC as effective as possible for everyone, we ask that all participants commit to our social contract:

  1. Engage and actively participate (to the degree you feel comfortable) with each talk.
  2. Be sure your feedback is constructive, forward-looking, and meaningful.
  3. The usable security & privacy community has earned a reputation for being inclusive and welcoming to newcomers; please keep it that way.
  4. We encourage attendees to aim to meet at least three new people from this year's EuroUSEC. The meal breaks and the participatory activity are the perfect opportunities for this.
  5. We strongly encourage tweeting under the hashtag "#EuroUSEC2023" and otherwise spreading the word about work you find exciting at EuroUSEC. However, please do not record EuroUSEC itself or further distribute comments made on our Slack instance.
  6. EuroUSEC 2023 follows the USABLE events Code of Conduct.

Instructions for Presenters

Further information will be available soon


Registration is mandatory for participation in EuroUSEC. Please register using the following link: Register Now

At least one author for each accepted paper has to register until September 1st. For the rest of the participants, the registration will be open until September 16th for onsite participants and until October 1st for online participants.

The prices for the registration are as follows (in Danish krones, 7,45 DKK is approximately 1 EUR). At least one registration using the "Author" option (either online or onsite) is required for each paper. Note, we strognly encourage the authors to present their paper onsite, while the online option is available to those who have difficulties in travelling.

Author (online) 2500 DKK
Author (onsite) 2500 DKK
Standard (online) 1500 DKK
Standard (onsite) 2000 DKK
Student (online) 1000 DKK
Student (onsite) 1000 DKK