SHUCS: Science of HUman Circumvention of Security

Welcome to the home page for the SHUCS project.

You can find links to our ongoing surveys of end users and CIOs here

Effective security controls are critical for trustworthy operation of large computer systems, central to large enterprises and critical infrastructure, especially with physical distribution. Without tools such as access control and firewalls and the like, it becomes impossible to reason about, define, detect, and prevent adversarial action moving the system into a state that violates any of several key security goal.

However, these real-world systems involve large populations of humans, who use, configure, and maintain these systems. Fieldwork and much research reveal human users continually circumvent and misuse these security controls.  These humans do not intend their circumventions as attacks, but rather as a way to efficiently achieve their job activities and organizational goals.

Many in the computer security research community overlook the reality of this circumvention. But such circumvention is ongoing, ubiquitous, often required, and seldom rebuked. Furthermore, since system security depends on correct use and operation of the security tools being circumvented, effective security requires a way to address such circumventions scientifically.  Failure to understand and analyze these circumventions (or workarounds) means we build and deploy security that doesn't work---but we pretend that it does.

In this project we extend the science of security to take into account how good-intentioned humans behave/misbehave, so that our resulting systems are more effective, and more responsive to real-world needs and realities.



PhD Students


In the press

Our paper Workarounds to Computer Access in Healthcare Organizations: You Want my Password or a Dead Patient? was covered in Quartz Magazine, The Register, The Security Ledger,, boingboing and the Risks Digest.

Our early work in simulation of human security behavior was covered in The Economist.


Below are selected publications by topic. Here is a comprehensive list.


J. Blythe, R. Koppel, S.W. Smith.
Circumvention of Security: Good Users do Bad Things.
IEEE Security and Privacy. 11 (5): 80--83. September/October 2013.

Recent posters

SOUPS 2018: Usable Security vs. Workflow Realities (an earlier version was presented at USEC 2018).

Presented at HotSOS in June 2017:
FARM: Finding the Appropriate Level of Realism for Modeling,
Analysis of Two Parallel Surveys on Cybersecurity: Users & Security Administrators - Notable Similarities & Differences, and
Flawed Mental Models Lead to Bad Cyber Security Decisions: Let’s Do a Better Job

Presented at the Science of Security Lablet meeting at Illinois in July 2016:
Reasons for Cybersecurity Circumvention,
Beliefs about Cybersecurity Rules and Passwords,
and Modeling Human Security Behavior.

Papers on Fieldwork:

R. Koppel, J. Blythe, V. Kothari and S.W. Smith.
Security for the Collective Reality of the Smart Home.
SOUPS Workshop on Human aspects of Smarthome Security and Privacy (WSSP 2018)

J. Blythe, V. Kothari, S.W. Smith, R. Koppel.
Usable Security vs. Workflow Realities
Workshop on Usable Security (USEC 2018).
February 2018.
(With illustrations in the accompanying poster.)

R. Koppel, J. Blythe, V. Kothari, S.W. Smith.
Password Logbooks and what their Amazon Reviews Reveal about their Users' Motivations, Beliefs, and Behaviors.
2nd European Workshop on Usable Security (EuroUSEC 2017).
April 2017.

R. Koppel, J. Blythe, V. Kothari, S.W. Smith.
Beliefs About Cybersecurity Rules and Passwords: A Comparison of Two Survey Samples of Cybersecurity Professionals Vs. Regular Users.
SOUPS 2016 Security Fatigue Workshop

S.W. Smith, R. Koppel, J. Blythe, V. Kothari.
Mismorphism: a Semiotic Model of Computer Security Circumvention
International Symposium on Human Aspects of Information Security and Assurance (HAISA 2015).
July 2015.
Extended tech report

R. Koppel, S.W. Smith, J. Blythe, V. Kothari.
Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?
Driving Quality in Informatics: Fulfilling the Promise.
IOS Press, Studies In Health Technology and Informatics, Volume 208, pp 215-20, February 2015.

S.W. Smith and R. Koppel.
Healthcare Information Technology's Relativity Problems: A Typology of How Patients' Physical Reality, Clinicians' Mental Models, and Healthcare Information Technology Differ.
Journal of the American Medical Informatics Association. 21: 117-131, 2014.
(This got named a ``best paper'' twice!)

Papers on Simulation:

J. Blythe and A. Tregubov.
FARM: Architecture for Distributed Agent-based Social Simulations.
IJCAI/AAMAS workshop on Massively Multi-agent Simulations.
July 2018.

C. Novak, J. Blythe, R. Koppel, V. Kothari, S.W. Smith.
Modeling Aggregate Security with User Agents that Employ Password Memorization Techniques.
Who Are You?! Adventures in Authentication (WAY 2017); Symposium on Usable Privacy and Security.
July 2017.

B. Korbar, J. Blythe, R. Koppel, V. Kothari, and S.W. Smith.
Validating an Agent-Based Model of Human Password Behavior
The AAAI-16 Workshop on Artificial Intelligence for Cyber Security (AICS).
February 2016.

V. Kothari, J. Blythe, S.W. Smith, R. Koppel.
Measuring the Security Impacts of Password Policies Using Cognitive Behavioral Agent-Based Modeling.
ACM Symposium and Bootcamp on the Science of Security (HotSoS).
April 2015.

V. Kothari, J. Blythe, S.W. Smith, R. Koppel.
Agent-Based Modeling of User Circumvention of Security.
ACySE '14: Proceedings of the 1st International Workshop on Agents and CyberSecurity.
ACM. 2014.