The 2022 European Symposium on Usable Security

Dates and Location: September 29 & 30, 2022 Karlsruhe, Germany

The European Symposium on Usable Security (EuroUSEC) serves as a European forum for research and discussion in the area of human factors in security and privacy. EuroUSEC solicits previously unpublished work offering novel research contributions or clearly articulated research visions in any aspect of human-centered security and privacy. The aim of EuroUSEC is to bring together an interdisciplinary group of researchers and practitioners in human-computer interaction, security, and privacy. Participants are researchers, practitioners, and students from domains including computer science, engineering, psychology, the social sciences, and economics.

EuroUSEC 2022 will be a hybrid-onsite event to be prepared in case of new Covid variants in autumn. EuroUSEC will be – again – an independent event, not associated to any conference. It will be held in Karlsruhe and the KASTEL Security Research Labs will sponsor the event so that registration costs will be minimised (to cover refreshments and a social event).

On the same note, we have secured funding to pay for the proceedings and we are currently negotiating with ACM to publish it. The funding will allow us to pay for open access options, meaning the proceedings will be open access via the EuroUSEC 2022 website.

For those joining remotely, we want to accommodate as many time zones as possible, but also allow for breaks so as to reduce Zoom-overload and fatigue. The final schedule will depend on the submission numbers. More information will be provided as appropriate.

If travelling is unrestricted, we would ask one of the authors of each accepted paper to present the paper in person at the symposium. If people cannot travel, they are required to present their papers virtually. Under the same restrictions, we will ask the keynote speakers to come in person.

We want EuroUSEC to be a community-driven event and would love to hear any questions, comments, or concerns you might have regarding these changes from last year. Therefore we want to encourage everyone to join the everyone to join the EuroUSEC Slack. You can also send us an email at

EuroUSEC is part of the USEC family of events. You can find more info about all USEC events at:

Keynote Speakers

Ganna Pogrebna
Talk Title: Behavioural Data Science of Machine Learning Operations and Human-Machine Teaming for Cyber Security

Thomas Tschersich

Talk Title: Human Factors in Cyber Security - An industry perspective

CFP: Posters for EuroUSEC

Please consider submitting a poster to EuroUSEC 2022 based on the paper you submitted previously, or on some other topic. The posters will be reviewed by the two chairs.

Deadline: 28th July 16th August 2022
Notification: 4th 20th 22ndAugust 2022
Prefix the paper title with: POSTER:

If accepted, at least one author has to attend the conference to discuss the poster with interested attendees.

We will include the poster PDF on the conference website if authors consent to this. The posters/abstracts will not be included in the conference proceedings.


Two Page Structured Abstract in ACM Single Column Format. Submit ZIP file to: The ZIP file should contain only the 2-page abstract in PDF format and any supplementary material you wish to provide. YOU DO NOT NEED TO SUBMIT THE POSTER AT THE MOMENT

Two pages is a maximum, not a target.

Structured Abstract Contents

The structured abstract should include your study's 1. background, 2. aim, 3. methods, 4. results and 5. conclusions. Consider this structured abstract adapted from STAST 2018 (borrowed from STAST 2022’s website) as an example for the structure (note that your abstract will probably be longer than the example, as you have two pages space):

Background. 3-D Secure 2.0 (3DS 2.0) is an identity federation protocol authenticating the payment initiator for credit card transactions on the Web.

Aim. We aim to quantify the impact of factors used by 3DS 2.0 in its fraud-detection decision making process.

Method. We ran N=64 credit card transactions with two Web sites systematically manipulating the nominal IVs machine_data, value, region, and website. We measured whether the user was challenged with an authentication, whether the transaction was declined, and whether the card was blocked as nominal DVs. We established three logistic regression models to quantify the impact of the predictors on the likelihood of the transaction outcomes.

Results. A change in machine_data, region or value made it 5-7 times as likely to be challenged with password authentication. However, even in a foreign region with another factor being changed, the overall likelihood of being challenged only reached 60%. When in the card's home region, a transaction will be rarely declined (< 5% in control, 40% with one factor changed). However, in a region foreign to the card the system will more likely decline transactions anyway (about 60%) and any change in machine_data or value will lead to a near-certain declined transaction.

Conclusions. We found that the decisions to challenge the user with a password authentication, to decline a transaction and to block a card are governed by different weightings. 3DS 2.0 is most likely to decline transactions, especially in a foreign region. It is less likely to challenge users with password authentication, even if machine_data or value are changed.

Call for Papers (Deadline has passed)

We invite you to submit a paper and join us at EuroUSEC 2022.

We are excited to welcome original work describing research, visions, or experiences in all areas of usable security and privacy. We welcome a variety of research methods, including both qualitative and quantitative approaches.

We will review longer papers on mature/completed work in a research track, as well as shorter papers on work in progress, or work that has yet to begin, in a vision track. We aim to provide a venue for researchers at all stages of their careers and at all stages of their projects.

Topics include, but are not limited to:

  • accessible cyber privacy and security (individual, community e.g. care home residents or population level e.g., people in crisis)
  • field studies of security or privacy technology
  • innovative security or privacy functionality and design
  • lessons learned from the deployment and use of usable privacy and security features
  • longitudinal studies of deployed security or privacy features
  • methodologies for usable security and privacy research
  • new applications of existing models or technology
  • papers with negative results
  • psychological, sociological, and economic aspects of security and privacy
  • reports of failed usable privacy/security studies or experiments, with the focus on the lessons learned from such experience
  • reports of replicating previously published studies and experiments
  • security testing of new or existing usability features
  • studies of administrators or developers and support for security and privacy
  • studies on adoption or acceptance of security technologies
  • systematization of knowledge papers
  • impact of organizational policy or procurement decisions
  • usability evaluations of new or existing security or privacy features

For accepted papers, at least one author must attend EuroUSEC (either in person or virtually).

Important Dates

Paper registration deadline (mandatory):       Monday, 6th June, 2022 (Anywhere on Earth)                
Paper submission deadline: Friday, 10th June, 2022(Anywhere on Earth)
Notification: Thursday, 7th July, 2022
Revision decision re-submission deadline: Friday, 22nd July, 2022 (Anywhere on Earth)
Revision notification: Friday, 5th August, 2022
Camera ready: 12th August, 2022
EuroUSEC: 29th & 30th September, 2022


Research Track: The research track is intended to report on mature work that has been completed. The goal of the EuroUSEC's research track is to disseminate results of interest to the broader usable security and privacy community. Papers must not be more than 16 pages in length using the one-column submission format, in both cases this excludes the bibliography. Try to scale the length of the paper according to the contributions you describe therein. Authors have the option to attach to their paper‘s supplementary appendices with study materials (e.g., survey instruments, interview guides, etc.) that would not otherwise take up valuable space within the body of the paper. Reviewers are not required to read appendices, so your paper should be self-contained without them. ACM also allows publication of additional supplemental materials and we want to encourage authors to use this option to provide research artifacts (e.g., builds of own software used in the study).

Vision Track: The vision track is intended to report on work in progress or concrete ideas for work that has yet to begin. The focus in the vision track is to spark discussion with the goal to provide the authors helpful feedback, pointers to potentially related investigations, and new ideas to explore. Suitable submissions to the vision track include traditional work-in-progress pieces such as preliminary results of pre-studies, but also research proposals and position papers outlining future research. Papers must be up to 9 pages in length using the one-column format, including the bibliography and with no appendices.

Submission Instructions

Upload your submission via this link:

  1. All submissions must report original work.
    • Authors must clearly document any overlap with previously or simultaneously submitted papers from any of the authors (email the chairs a PDF document outlining this).
  2. Papers must be written in English.
  3. Papers must be anonymized for review
  4. Refer to your own related work in the third person: do not use personal pronouns
    • This requirement also applies to data sets and artifacts. (For example, "We reused data from the authors of Smith et al. [31] in our experiment.")
  5. Do not blind citations except in extraordinary circumstances. If in doubt, contact the chairs.
  6. All submissions must use the ACM Word or LaTeX templates.
    • These templates can be obtained from the ACM author submission information website. In particular, for the camera-ready submission to The ACM Publishing System (TAPS), the one-column format must be used.
  7. Systematization of Knowledge paper titles must begin with SOK:
  8. Vision paper titles must begin with Vision:

Simultaneous submission of the same paper to another venue with proceedings or a journal is prohibited. Serious infringements of these policies may cause the paper to be rejected from publication and the authors put on a warning list, even if the paper is initially accepted by the program committee. Contact the EuroUSEC chairs if there are questions about this policy.

You are free to publish a pre-print of your paper on arXiv, SSRN or similar, if you wish to.

Contact the EuroUSEC chairs if there are any questions.

Important Information for Researchers from Russian and Belarussian Institutions

Because of the Russian invasion in Ukraine, current guidelines of our host Karlsruhe Institute of Technology (KIT) prohibit hosting guests from research institutions in Russia and Belarus at KIT. We therefore encourage researchers from such institutions to be mindful of these regulations and to check whether they will be able to attend EuroUSEC before submitting their work.

Program Committee Chairs

The chairs can be contacted at

Program Committee

  • Nora Abdullah, King Saud University
  • Samuel Agbesi, IT University of Copenhagen
  • Patricia Aria-Cabarcos, Paderborn University
  • Louise Barkhuus, IT University of Copenhagen
  • Ingolf Becker, University College London
  • Enka Blanchard, CNRS/Université Polytechnique Hauts-de-France
  • Jurlind Budurushi, University of Qatar
  • Jan-Willem Bullee, University of Twente
  • Karoline Busse, University of Applied Administrative Sciences Lower Saxony
  • Jean Camp, Indiana University
  • Rahul Chatterjee, University of Wisconsin Madison
  • Kovila Coopamootoo, Kings College London
  • Adele Da Veiga, University of South Africa
  • Verena Distler, University of Luxembourg
  • Yvonne Dittrich, IT University of Copenhagen
  • Yves Roland Douha N’Guessan, Nara Institute of Science and Technology
  • Lynette Drevin, North West University
  • Ali Farooq, University of Turku
  • Edwin Frauenstein, Walter Sisulu University
  • Peter Gorski, INFODAS GmbH
  • Thomas Gross, Newcastle University
  • Jonas Hielscher, Bochum University
  • Luigi Lo, Hochschule Bonn-Rhein-Sieg
  • Mathias Mujinga, University of South Africa
  • Sana Maqsood, Carleton University
  • Ola Michalec, Bristol University
  • Tatsuya Mori, Waseda University
  • Ben Morrison, Northumbria University
  • Alena Naiakshina, Ruhr University Bochum
  • Alaa Nehme, Mississippi State University
  • James Nicholson, Northumbria University
  • Emma Nicol, Strathclyde University
  • Kavous Niksirat, University of Lausanne
  • Jason Nurse, Kent University
  • Jeremiah Onaolapo, University of Vermont
  • Simon Parkin, TU Delft
  • Suzanne Prior, Abertay University
  • Scott Ruoti, University of Tennessee
  • Cigdem Sengul, Brunel
  • Dirk Snyman, North West University
  • Faiza Tazi, University of Denver
  • Karl van der Schyff, Rhodes University
  • Dominik Wermke, CISPA Helmholtz Center for Information Security
  • Daricia Wilkinson, Clemson University
  • Shan Xiao, Gonzaga University
  • Yaxing Yao, University of Maryland, Baltimore County
  • Verena Zimmermann, Technische Universität Darmstadt

Publicity Chairs

  • Sanchari Das, University of Denver (USA)
  • Anne Hennig, Karlsruhe Institute of Technology (Germany)
  • Theodor Schnitzler, Ruhr University Bochum (Germany)

Steering Committee

  • Peter Mayer, Karlsruhe Institute of Technology (Germany)
  • Angela Sasse, Ruhr University Bochum / Ruhr-Universität Bochum (Germany)
  • Matthew Smith, University of Bonn / Rheinische Friedrich-Wilhelms-Universität Bonn (Germany)
  • Melanie Volkamer, Karlsruhe Institute of Technology (Germany)
  • Charles Weir, Lancaster University (UK)



As last year, all times in the program are given in the Central European (Summer) Time Zone (CEST). You can use this link to convert the times to any time zone you wish.

The preliminary program is available below. Specific details for sessions and keynotes will be published as soon as we finished the planning.

Thursday 29th September 2022
10:00 - 10:15 | Greetings

10:15 - 11:15 | Keynote 1: Thomas Tschersich, Deutsche Telekom

11:15 - 12:45 | Technical Paper Session 1: Security Awareness (20 minutes per paper - including time for questions)

Chair: Nicolás Díaz Ferreyra
Caring About IoT-Security – An Interview Study in the Healthcare Sector Marco Gutfleisch, Markus Schöps, Jonas Hielscher, Mary Cheney, Sibel Sayin, Nathalie Schuhmacher, Ali Mohamad, M. Angela Sasse (Ruhr University Bochum)
Pre-proceedings PDF
SOK: Young Children’s cybersecurity Knowledge and Skills Maria Lamond (Abertay University); Karen Renaud (University of Strathclyde); Lara Wood, Suzanne Prior (Abertay University)
What Cookie Consent Notices Do Users Prefer: A Study In The Wild Ashutosh Kumar Singh, Nisarg Upadhyaya (Indian Institute of Technology Kharagpur); Arka Seth (National Institute of Technology Durgapur); Xuehui Hu (King’s College London); Nishanth Sastry (University of Surrey); Mainack Mondal (Indian Institute of Technology Kharagpur)
Pre-proceedings PDF
"I just want to play games with friends and it asked me for all of my information'": Trading privacy for connection during the COVID-19 pandemic Fiona Westin, Kalpana Hundlani, Sonia Chiasson (Carleton University)
Pre-proceedings PDF

12:45 - 14:00 | Lunch

14:00 - 15:30 | Technical Paper Session 2: Cybersecurity Behaviours (20 minutes per paper - including time for questions)
Chair: Benjamin Berens
ENAGRAM: An App for the Evaluation of Preventative Nudges on Instagram Nicolas Diaz Ferreyra (Hamburg University of Technology); Sina Ostendorf (University of Duisburg-Essen); Esma Aïmeur (University of Montréal); Maritta Heisel, Matthias Brand (University of Duisburg-Essen)
Pre-proceedings PDF
Exploring Deceptive Design Patterns in Voice Interfaces Kentrell Owens (University of Washington); Johanna Gunawan, Dave Choffnes (Northeastern University); Pardis Emami-Naeini, Tadayoshi Kohno, Franziska Roesner (University of Washington)
Pre-proceedings PDF
Vision: Design Fiction for Cybersecurity: Using Science Fiction to Help Software Developers Anticipate Problems Cecilia Loureiro-Koechlin (Lancaster University); José-Rodrigo Córdoba-Pachón (Royal Holloway, University of London); Lynne Coventry (Northumbria University); Soteris Demetriou (Imperial College London); Charles Weir (Lancaster University)
Pre-proceedings PDF
Shoulder Surfing through the Social Lens: A Longitudinal Investigation & Insights from an Exploratory Diary Study Habiba Farzand, Karola Marky, Mohamed Khamis (University of Glasgow)
Pre-proceedings PDF

15:30 - 16:00 | Coffee break

16:00 - 17:10 | Technical Paper Session 3: Privacy (20 minutes per paper - including time for questions)
Chair: Charles Weir
Privacy Lessons Learnt from Deploying an IoT Ecosystem in the Home Jacob Abbott, Jayati Dev, DongInn Kim, Shakthidhar Gopavaram, Meera Iyer, Shivani Sadam (Indiana University Bloomington); Shrirang Mare (Western Washington University); Tatiana Ringenberg (Purdue University); Vafa Andalibi, L. Jean Camp (Indiana University Bloomington)
Pre-proceedings PDF
Vision: Usable Privacy for XR in the Era of the Metaverse Chris Warin, Delphine Reinhardt (University of Göttingen)
Pre-proceedings PDF
Privacy, Permissions, and the Health App Ecosystem: A Stack Overflow Exploration Mohammad Tahaei (University of Bristol); Julia Bernd (International Computer Science Institute); Awais Rashid (University of Bristol)
Pre-proceedings PDF

17:10 - 17:20 | Short break

17:20 - 18:20 | Keynote 2: Ganna Pogrebna, University of Sydney

18:20 - 19:20 | Buffet

Friday 30th September 2022
10:00 - 11:00 | Poster & Networking Time

11:00 - 12:30 | Technical Paper Session 4: Societal issues (20 minutes per paper - including time for questions)

Chair: Diane Morrow
Assessing Real-World Applicability of Redesigned Developer Documentation for Certificate Validation Errors Martin Ukrop, Michaela Balážová, Pavol Žáčik, Eric Vincent Valčík, Vashek Matyas (Masaryk University)
Pre-proceedings PDF
Vision: Too Little too Late? Do the Risks of FemTech already Outweigh the Benefits? Maryam Mehrnezhad, Laura Shipp (Royal Holloway, University of London, UK); Teresa Almeida (ITI/LARSyS, Instituto Superior Técnico - U. Lisbon); Ehsan Toreini (Durham University, UK)
Pre-proceedings PDF
Cyber insurance from the stakeholder’s perspective: A qualitative analysis of barriers and facilitators to adoption Dawn Branley-Bell, Lynne Coventry, Pam Briggs (Northumbria University)
Pre-proceedings PDF
Phishing with Malicious QR Codes Filipo Sharevski, Amy Devine, Emma Pieroni, Peter Jachim (DePaul University)
Pre-proceedings PDF

12:30 - 14:00 | Lunch

14:00 - 15:30 | Technical Paper Session 5: Studies of Specific Systems (20 minutes per paper - including time for questions)
Chair: Peter Mayer
"It's Just a Lot of Prerequisites": A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator Markus Keil, Philipp Markert (Ruhr University Bochum); Markus Dürmuth (Leibniz University Hannover)
Pre-proceedings PDF
Meaningful Context, a Red Flag, or Both? Users' Preferences for Enhanced Misinformation Warnings on Twitter Filipo Sharevski, Amy Devine, Peter Jachim, Emma Pieroni (DePaul University)
Pre-proceedings PDF
Risks of Mobile Ambient Sensors and User Awareness, Concerns, and Preferences Maryam Mehrnezhad (Royal Holloway, University of London); Christodoula Makarouna, Dante Gray (Newcastle University)
Pre-proceedings PDF
Investigating the effectiveness of personalized content in the form of videos when promoting a Tor Browser Yusuf Albayram, David Suess, Yassir Yaghzar Elidrissi (Central Connecticut State University)
Pre-proceedings PDF

15:30 - 15:45 | Closing

16:00 - 17:40 | Break

17:45 - 19:00 | City tour

From 19:45 | Dinner

Throughout both days of the symposium, posters will be displayed during the breaks. Following posters have been accepted for presentation:
  • Think again: The cues employees use to identify emails from their colleagues. Neeranjan Chitare, Lynne Coventry, James Nicholson (Northumbria University).
  • Talking Cybersecurity with Health IoT Developers. Charles Weir, Anna Dyson, Dan Prince (Lancaster University).
  • Towards Usable Transparency Interfaces to Understand Facebook Data Collection from 3rd Parties. Patricia Arias-Cabarcos (Paderborn University); Saina Khalili (KIT); Thorsten Strufe (KASTEL/KIT)
  • How to best inform website owners about vulnerabilities on their websites. Anne Hennig (Karlsruhe Institute of Technology); Fabian Neusser (University of Bamberg); Aleksandra Alicja Pawelek (Karlsruhe Institute of Technology); Dominik Herrmann (University of Bamberg); Peter Mayer (Karlsruhe Institute of Technology)
  • Identifying Ethical & Salient Messaging For COVID App Adoption. Oshrat Ayalon (Max Planck Institute for Software Systems); Dana Turjeman (Reichman University); Elissa M. Redmiles (Max Planck Institute for Software Systems)

Event Logistics

EuroUSEC will be held as a Hybrid-Onsite Symposium from September 29 - 30 in Karlsruhe, Germany. Event location is:

Kaiserstraße 93
76133 Karlsruhe

Accomodation: You are welcome to look at following hotels located in the city center, within walking distance to the venue. By mentioning the booking code KIT within your reservation, some accommodations grant you a reduction in the cost of accommodation.

****ACHAT Plaza Karlsruhe
76131 Karlsruhe
Tel.: 0721 3717-0
6 min walk to TRIANGEL
Hotel Erbprinzenhof
Erbprinzenstraße 26
76133 Karlsruhe
Tel.: 0721 23890
11 min walk to TRIANGEL

72,00 Euro incl. Breakfast when you mention booking code KIT.
****Hotel Kaiserhof
Karl-Friedrich-Straße 12
76133 Karlsruhe
Tel.: 0721 91700
6 min walk to TRIANGEL
Leonardo Hotel Karlsruhe
Ettlinger Straße 23
76137 Karlsruhe
Tel.: 0721 37270
18 min walk to TRIANGEL
Hotel Markgräfler Hof
Rudolfstr. 31
76131 Karlsruhe
Tel.: 0721 62768-600
13 min walk to TRIANGEL
****Novotel Karlsruhe City
Festplatz 2
76137 Karlsruhe
Tel.: 0721 35260
14 min walk to TRIANGEL

Arrival: Karlsruhe is a well-connected city, with direct train connections from Frankfurt International Airport and Stuttgart Airport. As part of the Helmholtz Association a special offer for tickets at a fixed price can be used for events at KIT with the event ticket of the Deutsche Bahn (DB) which works similar to the well-known Rail & Fly ticket. Booking is possible via the special corporate booking page for events of the Helmholtz Association at DB: The condition is that in addition to the train ticket there is also an admission ticket, invitation, etc. for an event of the Helmholtz Association.

There is a variant with train binding for long-term bookings (limited availability as with other savings prices of the DB). At € 53.90 (2nd class) and € 89.90 (1st class), this offer is particularly attractive for longer distances. A BahnCard is not required, but you have to commit to a specific train connection. In the more expensive variant you can travel without a train ticket. Here, the single journey costs € 80.90 (2nd class) or € 125.90 (1st class). The prices are valid until December 2022.

Additional information about getting to Karlsruhe and to the conference venue (which is located next to KIT Campus South) is available here.

Social Contract

To make EuroUSEC as effective as possible for everyone, we ask that all participants commit to our social contract:

  1. Engage and actively participate (to the degree you feel comfortable) with each talk.
  2. Be sure your feedback is constructive, forward-looking, and meaningful.
  3. The usable security & privacy community has earned a reputation for being inclusive and welcoming to newcomers; please keep it that way.
  4. We encourage attendees to aim to meet at least three new people from this year's EuroUSEC. The meal breaks and the participatory activity are the perfect opportunities for this.
  5. We strongly encourage tweeting under the hashtag "#EuroUSEC2022" and otherwise spreading the word about work you find exciting at EuroUSEC. However, please do not record EuroUSEC itself or further distribute comments made on our Slack instance.
  6. EuroUSEC 2022 follows the USABLE events Code of Conduct.

Instructions for Presenters

Further information will be available soon


Registration is mandatory for participation in EuroUSEC. Please register using the following link: Register Now

At least one author for each accepted paper has to register until August 10th. For the rest of the participants, the registration will be open until September 16th. If you are a student or an employee of KIT, you can register using the form here.

The prices for the registration are as follows (note, the registration system outputs the price in two parts for taxation reasons). At least one registration using the "Author" option (either online or onsite) is required for each paper.

Author (online) 350 €
Author (onsite) 350 €
Standard (online) 227,46 €
Standard (onsite) 350 €
Student (online) 104,93 €
Student (onsite) 186,62 €