publications

2026

1. Mapping the Cloud: A Mixed-Methods Study of Cloud Security and Privacy Configuration Challenges

   Sumair Hashmi, Shafay Kashif, Lea Gröber, Katharina Krombholz, and Mobin Javed

   In NDSS, 2026

   Abs

   Misconfigurations in cloud services remain a leading cause of security and privacy incidents, often stemming from the complexity of configuring cloud platforms. To better understand these challenges, we analyzed approximately 251,900 security- and privacy-related Stack Overflow posts spanning from 2008 to 2024. Using topic modeling and qualitative analysis, we systematically mapped cloud use cases to their associated security and privacy configuration challenges, revealing a comprehensive landscape of the hurdles cloud operators faced. We identified both technical and human-centric issues, including problems related to insufficient documentation and the lack of context-aware tooling. Notably, authentication and access control challenges appeared in all identified use cases, cutting across nearly every stage of cloud deployment, integration, and maintenance. Our findings underscore the need for usable, tailored, and context-sensitive support tools and resources to help developers securely configure cloud services.

2025

1. Understanding the Security Advice Mechanisms of Low Socioeconomic Pakistanis

   Sumair Hashmi, Rimsha Sarfaraz, Lea Gröber, Mobin Javed, and Katharina Krombholz

   In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (CHI 25), 2025

   honorable mention Abs DOI

   ACM Human Factors in Computing Systems (CHI) Honorable Mention (Top 5%) (2025)

   Low socioeconomic populations face severe security challenges while being unable to access traditional written advice resources. We present the first study to explore the security advice landscape of low socioeconomic people in Pakistan. With 20 semi-structured interviews, we uncover how they learn and share security advice and what factors enable or limit their advice sharing. Our findings highlight that they heavily rely on community advice and intermediation to establish and maintain security-related practices (such as passwords). We uncover how shifting social environments shape advice dissemination, e.g., across different workplaces. Participants leverage their social structures to protect each other against threats that exploit their financial vulnerability and lack of digital literacy. However, we uncover barriers to social advice mechanisms, limiting their effectiveness, which may lead to increased security and privacy risks. Our results lay the foundation for rethinking security paradigms and advice for this vulnerable population.

2024

1. Towards Privacy and Security in Private Clouds: A Representative Survey on the Prevalence of Private Hosting and Administrator Characteristics

   Lea Gröber, Simon Lenau, Rebecca Weil, Elena Groben, Michael Schilling, and Katharina Krombholz

   In 33rd USENIX Security Symposium (USENIX Security 24), 2024

   Abs Website

   Instead of relying on Software-as-a-Service solutions, some people self-host services from within their homes. In doing so they enhance their privacy but also assume responsibility for the security of their operations. However, little is currently known about how widespread private self-hosting is, which use cases are prominent, and what characteristics set self-hosters apart from the general population. In this work, we present two large-scale surveys:(1) We estimate the prevalence of private self-hosting in the US across five use cases (communication, file storage, synchronized password managing, websites, and smart home) based on a representative survey on Prolific (n= 1505).(2) We run a follow-up survey on Prolific (n= 589) to contrast individual characteristics of identified self-hosters to people of the same demographics who do not show the behavior.

2. “I chose to fight, be brave, and to deal with it”: Threat Experiences and Security Practices of Pakistani Content Creators

   Lea Gröber, Waleed Arshad, Shanza, Angelica Goetzen, Elissa M Redmiles, Maryam Mustafa, Katharina Krombholz, and others

   In 33rd USENIX Security Symposium (USENIX Security 24), 2024

   Abs Website

   Content creators are exposed to elevated risks compared to the general Internet user. This study explores the threat landscape that creators in Pakistan are exposed to, how they protect themselves, and which support structures they rely on. We conducted a semi-structured interview study with 23 creators from diverse backgrounds who create content on various topics. Our data suggests that online threats frequently spill over into the offline world, especially for gender minorities. Creating content on sensitive topics like politics, religion, and human rights is associated with elevated risks. We find that defensive mechanisms and external support structures are non-existent, lacking, or inadequately adjusted to the sociocultural context of Pakistan. Disclaimer: This paper contains quotes describing harmful experiences relating to sexual and physical assault, eating disorders, and extreme threats of violence.

3. Trust Me If You Can–How Usable is Trusted Types in Practice?

   Sebastian Roth, Lea Gröber, Philipp Baus, Katharina Krombholz, and Ben Stock

   In 33rd USENIX Security Symposium (USENIX Security 24), 2024

   Abs Website

   Many online services deal with sensitive information such as credit card data, making those applications a prime target for adversaries, e.g., through Cross-Site Scripting (XSS) attacks. Moreover, Web applications nowadays deploy their functionality via client-side code to lower the server’s load, require fewer page reloads, and allow Web applications to work even if the connection is interrupted. Given this paradigm shift of increasing complexity on the browser side, client-side security issues such as client-side XSS are getting more prominent these days. A solution already deployed in server-side applications of major companies like Google is to use type-safe data, where potentially attacker-controlled string data can never be output with sanitization. The newly introduced Trusted Types API offers an analogous solution for client-side XSS. With Trusted Types, the browser enforces that no input can be passed to an execution sink without being sanitized first. Thus, a developer’s only remaining task – in theory – is to create a proper sanitizer. This study aims to uncover roadblocks that occur during the deployment of the mechanism and strategies on how developers can circumvent those problems by conducting a semi-structured interview, including a coding task with 13 real-world Web developers. Our work also identifies key weaknesses in the design and documentation of Trusted Types, which we urge the standardization body to incorporate before the Trusted Types becomes a standard.

2023

1. To Cloud or not to Cloud: A Qualitative Study on Self-Hosters’ Motivation, Operation, and Security Mindset

   Lea Gröber, Rafael Mrowczynski, Nimisha Vijay, Daphne A Muller, Adrian Dabrowski, and Katharina Krombholz

   In 32nd USENIX Security Symposium (USENIX Security 23), 2023

   Abs Website

   Despite readily available cloud services, some people decide to self-host internal or external services for themselves or their organization. In doing so, a broad spectrum of commercial, institutional, and private self-hosters take responsibility for their data, security, and reliability of their operations. Currently, little is known about what motivates these self-hosters, how they operate and secure their services, and which challenges they face. To improve the understanding of self-hosters’ security mindsets and practices, we conducted a large-scale survey (N=994) with users of a popular self-hosting suite and in-depth follow-up interviews with selected commercial, non-profit, and private users (N=41). We found exemplary behavior in all user groups; however, we also found a significant part of self-hosters who approach security in an unstructured way, regardless of social or organizational embeddedness. Vague catch-all concepts such as firewalls and backups dominate the landscape, without proper reflection on the threats they help mitigate. At times, self-hosters engage in creative tactics to compensate for a potential lack of expertise or experience.

2021

1. Investigating Car Drivers’ Information Demand after Safety and Security Critical Incidents

   Lea Gröber, Matthias Fassl, Abhilash Gupta, and Katharina Krombholz

   In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, May 2021

   Abs DOI

   Modern cars include a vast array of computer systems designed to remove the burden on drivers and enhance safety. As cars are evolving towards autonomy and taking over control, e.g. in the form of autopilots, it becomes harder for drivers to pinpoint the root causes of a car’s malfunctioning. Drivers may need additional information to assess these ambiguous situations correctly. However, it is yet unclear which information is relevant and helpful to drivers in such situations. Hence, we conducted a mixed-methods online survey (N = 60) on Amazon MTurk where we exposed participants to two security- and safety-critical situations with one of three different explanations. We applied Thematic and Correspondence Analysis to understand which factors in these situations moderate drivers’ information demand. We identified a fundamental information demand across scenarios that is expanded by error-specific information types. Moreover, we found that it is necessary to communicate error sources, since drivers might not be able to identify them correctly otherwise. Thereby, malicious intrusions are typically perceived as more critical than technical malfunctions.

2. 12 Angry Developers–A Qualitative Study on Developers’ Struggles with CSP

   Sebastian Roth, Lea Gröber, Michael Backes, Katharina Krombholz, and Ben Stock

   In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS 21), May 2021

   Abs DOI

   The Web has improved our ways of communicating, collaborating, teaching, and entertaining us and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of those Cross-Site Scripting attacks. However, research has shown that the vast majority of all policies in the wild are trivially bypassable. To uncover the root causes behind the omnipresent misconfiguration of CSP, we conducted a qualitative study involving 12 real-world Web developers. By combining a semi-structured interview, a drawing task, and a programming task, we were able to identify the participant’s misconceptions regarding the attacker model covered by CSP as well as roadblocks for secure deployment or strategies used to create a CSP.

3. Exploring User-Centered Security Design for Usable Authentication Ceremonies

   Matthias Fassl, Lea Gröber, and Katharina Krombholz

   In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (CHI 21), May 2021

   Abs DOI

   Security technology often follows a systems design approach that focuses on components instead of users. As a result, the users’ needs and values are not sufficiently addressed, which has implications on security usability. In this paper, we report our lessons learned from applying a user-centered security design process to a well-understood security usability challenge, namely key authentication in secure instant messaging. Users rarely perform these key authentication ceremonies, which makes their end-to-end encrypted communication vulnerable. Our approach includes collaborative design workshops, an expert evaluation, iterative storyboard prototyping, and an online evaluation. While we could not demonstrate that our design approach resulted in improved usability or user experience, we found that user-centered prototypes can increase the users’ comprehension of security implications. Hence, prototypes based on users’ intuitions, needs, and values are useful starting points for approaching long-standing security challenges. Applying complementary design approaches may improve usability and user experience further.

4. Stop the Consent Theater

   Matthias Fassl, Lea Gröber, and Katharina Krombholz

   In Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems (alt.CHI 21), May 2021

   Abs DOI

   The current web pesters visitors with consent notices that claim to “value” their privacy, thereby habituating them to accept all data practices. Users’ lacking comprehension of these practices voids any claim of informed consent. Market forces specifically designed these consent notices in their favor to increase users’ consent rates. Some sites even ignore users’ decisions entirely, which results in a mere theatrical performance of consent procedures designed to appear as if it fulfills legal requirements. Improving users’ online privacy cannot rely on individuals’ consent alone. We have to look for complementary approaches as well. Current online data practices are driven by powerful market forces whose interests oppose users’ privacy expectations – making turnkey solutions difficult. Nevertheless, we provide a bird’s-eye view on privacy-improving approaches beyond individuals’ consent.

2020

1. End User and Expert Perceptions of Threats and Potential Countermeasures

   Simon Anell, Lea Gröber, and Katharina Krombholz

   In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW 20), May 2020

   Abs DOI

   Experts often design security and privacy technology with specific use cases and threat models in mind. In practice however, end users are not aware of these threats and potential countermeasures. Furthermore, misconceptions about the benefits and limitations of security and privacy technology inhibit large-scale adoption by end users. In this paper, we address this challenge and contribute a qualitative study on end users’ and security experts’ perceptions of threat models and potential countermeasures. We follow an inductive research approach to explore perceptions and mental models of both security experts and end users. We conducted semi-structured interviews with 8 security experts and 13 end users. Our results suggest that in contrast to security experts, end users neglect acquaintances and friends as attackers in their threat models. Our findings highlight that experts value technical countermeasures whereas end users try to implement trust-based defensive methods.