Is Security Human Factors Research Skewed Towards Western Ideas and Habits?

Really interesting research: “How WEIRD is Usable Privacy and Security Research?” by Ayako A. Hasegawa, Daisuke Inoue, and Mitsuaki Akiyama:

Abstract: In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide suggestions, including facilitating replication studies, addressing geographic and linguistic issues of study/recruitment methods, and facilitating research on topics for non-WEIRD populations.

The moral may be that human factors and usability needs to be localized.

Posted on March 18, 2025 at 7:10 AM • 18 Comments

Comments

ResearcherZero March 18, 2025 7:55 AM

This will probably change in the future. As other countries further develop their own industries, more localized research and development may emerge and become apparent.

https://www.abc.net.au/news/2025-03-18/chinese-state-media-welcomes-cuts-to-us-media-in-asia/105065794

As well as ending Voice of America, the Trump administration is also scaling back WarCAT and withdrawing from the multinational war crimes accountability task force.

https://www.jurist.org/news/2025/03/us-withdraws-from-group-investigating-russia-for-crime-of-aggression-in-ukraine/

Andrew L Duane March 18, 2025 8:39 AM

At first, I had to check that this article wasn’t 14 days early. That said, it’s a cool acronym, I can’t wait to use it somewhere.

Localization is always a big deal for technology, and UX work (including security) is an important piece of any technology. I’m surprised this hasn’t come up before. I work for a large multinational technology company and I work with teams in a dozen countries around the world (as well as people from those areas who now reside in these WEIRD United States). I have noticed some differences in things like approach to performing tasks (doing exactly and specifically what is asked, versus looking at the bigger picture), following instructions, handling of authority, etc. These are mostly just the cultural norms of the region, and all factor into human factors and HCI. I would imagine things like social engineering are done much differently in the US versus China or India. Even things like communications with idioms and colloquial speech can have different effects with different cultural backgrounds.

Clive Robinson March 18, 2025 9:03 AM

@ Bruce, ALL,

The article gives,

“We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants.”

Would make a prime example for a rewrite of,

“How to lie with statistics.”[1]

For instance take a look at the D of WEIRD, and ask an obvious question,

“How many WEIR nations are not D?”

Then ask the second obvious question,

“Until fairly recently how many non D nations actually did academic research or filed patents?”

So treat this much like a piece of “road kill”, it might be safe to consume but are you going to go to the effort of testing to see if it is…

But a valid point is,

“The moral may be that human factors and usability needs to be localized.”

That would be true irrespective of WEIRD criteria.

The question really is,

“How localized?”

[1] You can read Darrell Huff’s somewhat humorous 1954 book online,

https://archive.org/details/HowToLieWithStatistics_201608

Bob March 18, 2025 2:34 PM

Studies around human technology interaction are focused on the humans who most heavily interact with technology.

Clive Robinson March 19, 2025 12:04 AM

@ Bruce, ALL,

A very significant question to ask about “WEIRD” is,

“What is left after the D is gone?”

It’s something that is increasingly speeding up in North America, The UK and a number of parts of North and East Europe.

And surprisingly to many it’s not the politicians bringing this about but actually what most would consider “Big Tech” that is behind “Globalization” and similar.

You can kind of look on it in a similar way to “Brutalist Art” that quickly predominates and adheres itself to authoritarianism.

Technology has become “Brutalist” and yet few realise and even less understand the “What, Why, and When” of this change.

Oddly or not, depending on how you look on potential synchronicity, in the UK “The Guardian” newspaper –that employed our host’s skills for quite a while– has just published an article that addresses part of the problem,

https://www.theguardian.com/commentisfree/2025/mar/18/stem-graduates-technology-careers

Put simply, it’s about “employment opportunities”: for many “Science Technology Engineering and Mathematics” (STEM) graduates the only real opportunity for not just employment but career progression is with “The Bastions of Capitalism” that brook no honest dissent.

Part of this is “Data Collection and Processing”. Data especially personal data is seen as “The new black gold” that “Oil once was”. Not only does it have “basic value” like Oil it can be refined and turned into other more lucrative and money earning products.

Some see it as “Bulk Surveillance” others “Theft of Personal and Private Information” and others view it as akin to activities the likes of Stalin would have given anything and everything for. And as many know “Non D” states with certain types of authoritarian leaders are rapidly acquiring and deploying such technology every which way they can.

But increasingly so are supposedly D nations, Australia, France, Sweden, the UK and now other nations are insisting on access to communications without hindrance or any oversight on a “Might is Right” authoritarian basis.

First access to “plain text message” stores; when people stopped that and started E2EE the authoritarians demanded impossible “Crypto Backdoors”, and as that is actually not possible now it’s “user interface” via “Client Side Scanning” or “On Device scanning” and similar.

Quite a few people have waved red flags over user interface scanning, not least Prof Ross Anderson a few years back,

https://www.lightbluetouchpaper.org/2021/10/15/bugs-in-our-pockets/

The simple fact is that like BLE Beaconing put in for C19 but never fully removed, scanning of the user interface is going to happen and has already started.

Since “Secure Messaging Apps” became a thing, I’ve warned that they are not actually secure in use. I’ve detailed why, and what people need to do.

Unfortunately a “secure system” is not as “convenient” as an “insecure system with the illusion of security”.

Further there is the issue of the security of the “root of trust” or if you prefer the “Master Key” from which all security is derived.

Unless people “meet in person” and “exchange by hand” there is no reliable way to ensure that a 3rd party will not gain access to it. If you doubt this consider how a “Man In The Middle” attack on any and all communications channels serves as a base for this security failure.

Is it an “impossible task to solve?” Probably not. China has at least one satellite orbiting that in theory does it, though the practicality is low and there is no real assurance that it is doing as claimed. See Quantum Cryptography / “Quantum Key Distribution” (QKD) on Wikipedia. A recent investor type puff piece is,

https://thequantuminsider.com/2025/03/05/space-based-quantum-key-distribution-a-deep-dive-into-qkds-market-map-and-competitive-landscape/

But just a few days ago China announced it had a working link to South Africa,

https://asiatimes.com/2025/03/chinas-quantum-satellite-link-a-hack-proof-leap-forward/

The article goes on to describe some potential attacks and counter measures. But this is “normal” with what is thought of as “Military EM Radiation” based systems (see ECM ECCM wars).

Can QKD be made fully secure and “generally” practical? Whilst I’m not sure on the former, I suspect that the latter will, without “Authoritarian Interference”, happen within a half decade or so as much of the technology is already there.

iAPX March 19, 2025 6:52 AM

@Peter A, All,

I am too.
This clearly establish a hierarchy of populations, that is the original definition of…

Clive Robinson March 19, 2025 9:11 AM

@ Peter A., ALL,

With regards,

“Nobody seems offended by the “clever” composition of the acronym?”

Do you find “WASP” any less offensive?

Such acronyms are supposed to be memorable by being “pithy” which is just another way of saying they are designed to be sarcastic / offensive.

The sad thing is that the people who think them up,

1, Think they are being clever when juvenile might be more appropriate.
2, Don’t appear to realise it says more about them, than it does the targets of their antipathy.

For instance, in UK children’s education there are children “on the books” that “don’t attend”. There are many reasons for “non attendance” but lumping them all together and calling them RHINOs supposedly for “Really Here In Name Only” is not helping in the slightest.

Even those initialisms like “NIMBY” that are not actual words almost always eventually become insults. Hurled with not just invective but all too often spittle as well…

If nothing else it proves the point that “social” though we think we might be, underneath there are many tens of thousands of years of “tribalism” and “herd” mentality.

Whilst “sticks and stones may break your bones” still, we now know without doubt that such “Words will always harm you”. The wounds they leave may not bleed but they do fester and that like certain types of joke is exactly why people use them.

Peter A. March 19, 2025 3:13 PM

@Clive Robinson: “[people] Think they are being clever when juvenile might be more appropriate.” – I think you’ve pinpointed it. BTW. I do not feel hurt, I stick to the “stick and stones” principle, but I am quite disappointed by the impertinence of these researchers. Science used to be made with dignity. Also, thank you for other examples of stigmatizing initialisms, I wasn’t aware of them.

@Bob: Ha, you just have to be thick-skinned. “Sticks and stones” etc., indeed. Works most of the time, but sometimes it doesn’t, sadly.

ResearcherZero March 20, 2025 12:34 AM

@Clive Robinson, ALL

I like to consider myself totally weird, yet don’t like the more derogatory terms which are used by nasty people to deliberately be nasty because they are nasty, but I digress.

How to lie with statistics.

or – How to lie with rules.

https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents

And UI manipulation can also be used to make files appear safe or hide command line input.

Unfamiliarity with language, processes and what is hidden from the user can be exploited to bypass security processes. Blank spaces (as code input) and type confusion have been used for years by APTs to gain initial access. Chained with other vulnerabilities it is a powerful attack – which when skillfully executed – can easily escape the user’s detection.

It can be very difficult to mitigate some of these exploits and develop a long-term fix.

Microsoft to “consider” addressing shortcut argument exploit in a future release…

https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html

ResearcherZero March 20, 2025 1:23 AM

The Western approach will often infantilize the cultural knowledge of other cultures and completely miss or overlook the epistemic value and the scientific approach which encoded a wealth of other information within local cultural practices and oral knowledge and history.

We literally cannot see the forest for the trees. Even our ignorance escapes our senses.

You can only learn such information from watching and listening in personal proximity. It is knowledge that cannot be hacked or discovered by other means, and due to remoteness can only be learned over time with great difficulty through practice of what is demonstrated.

In theory some of the knowledge could be rediscovered – yet this seems self defeating due to the constraints of time. So we must become better listeners and better observers, or we will continue sending out search parties each time someone steps off from the beaten path.

There are more open source tools being developed which users can contribute to with regional language support or features which might be more appropriate for their locale.

What can you do with the ESP32? – and critical risks.

https://eclypsium.com/blog/the-explosion-of-hardware-hacking-devices/

An open source stack for ESP32.
https://media.ccc.de/v/38c3-liberating-wi-fi-on-the-esp32

Discovering undocumented or proprietary features.
https://darkmentor.com/blog/esp32_non-backdoor/

Clive Robinson March 20, 2025 10:43 AM

@ John Clark, ResearcherZero, ALL,

The one rule to rule them all.

As you note,

“Chain-of-Thought Reasoning In The Wild Is Not Always Faithful”

The “one rule” is “ambiguity”…

Let me explain with this simple example,

I input,

9,9 9,11
Indicate which is larger?

You will probably get told “9,11”.

Why? Well, there are several reasons, the first of which is there is no meta-data indicating the input type.

So does the LLM or any other program for that matter treat them as strings or numbers?

As the inputs are actually “strings” then 9,11 being one character longer is by one view “the larger”.

However humans especially in Europe and the US won’t see them as strings but something else.

In Europe the use of a comma instead of a full stop is seen as a “Decimal Point” so they will see them as numbers in which case 9,9 will be seen as the larger.

In the US however 9,11 has “special meaning” as a date marking a tragic event.

Thus 9,11 is a “later date” that can be seen as larger (as in time elapsed).

But also 9,11 in many different presentations will be extraordinarily more present in any textual input corpus scraped from the Internet. So again it is larger by representation.

These are “the simple cases” that can be easily seen…

But LLMs don’t work the way humans do…

They take any input and they “tokenize it” then build vectors for each token. However the tokens are built by “chains of probability” and that makes them a product of “a drunkard’s walk” like Brownian motion: trends of things can be seen “in general” but not “in specific”. Thus in practice you have absolutely no idea how input to the LLM builds its tokens, nor can you see them as such.

So you have no idea how the statistics of the LLM will work in the “specific” only in “general”.

Thus “ambiguity rules all rules” is very much an inbuilt and effectively impossible to avoid issue of current AI systems, and importantly “the humans that use them”.

Which brings us onto ResearcherZero’s more general than LLM point,

“Unfamiliarity with language, processes and what is hidden for the user can be exploited to bypass security processes… …Chained with other vulnerabilities it is a powerful attack – which when skillfully executed – can easily escape the user’s detection.”

Is not quite right, because I can show mathematically from information theory that,

1, If there is enough redundancy in the primary channel
2, There was/is a covert side channel

Then a covert channel can be created within the primary channel that any other party cannot see or prove exists.

Thus,

“It can be very difficult to mitigate some of these exploits and develop a long-term fix.”

Cannot be done with any semblance of “free input”, and removing “free input” stops “information being communicated”…

Oh and both “free input” and redundancy are another way to say “ambiguity”…

ResearcherZero March 21, 2025 3:10 AM

@Clive Robinson

Hence ChatGPT spits out an output which says you murdered your children and some other random person it hallucinated. Which would be quite a shock when it spits out the same output to every other crackpot and WEIRDo on the internet, including your neighbours.

https://arstechnica.com/tech-policy/2025/03/chatgpt-falsely-claimed-a-dad-murdered-his-own-kids-complaint-says/

Corporations are now arguing to get rid of US regulations and regulations in other countries, because it’s cheaper. They also want more ‘get out of jail free’ cards and claim that they are being ripped-off by these nasty laws and that it is harming profitability.

https://theconversation.com/australias-coercive-news-media-rules-are-the-latest-targets-of-us-trade-ire-252806

Nestled deep in the text of the lengthy contracts for most credit cards and bank accounts are little clauses that not only prohibit harmed customers from suing their bank or card issuer, but also prevent them from banding together with similarly injured consumers to argue their dispute as a group.

https://www.citizen.org/article/corporate-clemency-trump-enforcement-report/

What could be wrong with ripping-off workers and avoiding law and regulations?
https://apnews.com/article/meta-tiktok-snap-discord-zuckerberg-testify-senate-00754a6bea92aaad62585ed55f219932

It’s cheaper to violate the law.
https://www.cbsnews.com/news/wage-theft-us-companies-workers/

ResearcherZero March 21, 2025 3:35 AM

Something is a little skewed for sure. The general idea once (behind closed doors) was to sacrifice the few for the well being of the many (typically 007 because they could hire another actor). Now that idea has been flipped on its head to – sacrifice the many for the benefit of the few – who already have the personal wealth of entire nation states.

This is of course off topic, but it does explain a little of the Western mindset.

American corporations today are like the great European monarchies of yore.

https://www.promarket.org/2021/02/12/corporations-supereme-court-constitution-avoid-regulation/

Affordable Drugs – Over consumers’ dead bodies will there be affordable drugs!
https://www.abc.net.au/news/2025-03-21/behind-americas-decades-long-fight-to-dismantle-the-pbs/105078864

A year after the free trade deal was signed, Australian exports to America declined. 🙁

American exports to Australia increased. 🙂
https://www.abc.net.au/news/2025-03-16/verrender-us-free-trade-analysis/105053766

After Russia invaded Ukraine, the United States required more aluminum for production.

The US asked Australian aluminum producers to send more aluminum. Now they are mad. 🙁
https://www.smh.com.au/business/companies/the-us-had-asked-australia-to-ship-more-aluminium-says-rio-tinto-ceo-20250220-p5ldq7.html

Steve April 15, 2025 1:57 PM

WEIR has a special meaning to me.
I used to work for an employer that was building telemetry systems for measuring water levels using pressure transducers in WEIRS.
