Warda Usman, Ph.D.

Harassment continues to impact the safety and well-being of young adults in Pakistan.Prior research has largely focused on women, often imposing external definitions of harm and overlooking how individuals themselves understand and respond to harassment. This study examines how Pakistani young adults define, experience, and cope with harassment. Drawing on 33 semi-structured interviews guided by a human-centered threat modeling framework, we surface context-specific threat models. Participants’ definitions of harassment were shaped by gender norms, religious values, and moral judgments. Women described harassment as a routine part of life, tied to public visibility, modesty, and risks to reputation. Men also reported harassment, though framed by different dynamics such as pressure to maintain control, avoid vulnerability, and conform to masculinity. Across participants, formal reporting pathways were viewed as untrustworthy or unsafe. Our findings highlight the need for interventions that reflect local definitions of harm, address relational adversaries, and support safety within sociocultural contexts.

Human-centered threat modeling is a practice that researchers use to identify security and privacy threats to people, as well as ways to mitigate those threats. Often this may be the first step toward understanding the security and privacy needs, perspectives, experiences, and practices of a group or community, so that researchers can learn how to better improve their overall safety. However, research in this area is relatively ad hoc as compared to the more well-developed field of threat modeling for systems, leading to a fragmented and incomplete understanding of how researchers should engage in this endeavor. The goal of this work is to systematize the practice of human-centered threat modeling, identifying the core components of a human-centered threat modeling exercise by studying the practices of researchers in the area. We gathered a corpus of 78 papers in this area, using qualitative analysis to understand the practices used by researchers to elicit a threat model. Our results include a framework for human-centered threat modeling, a guide for using the framework that is grounded in best practices, and a description of how human-centered threat modeling differs from systems threat modeling. Our work can be used to guide new and experienced researchers in the field as they work to center human safety in their practices.

This work explores the security and privacy perceptions, practices, and challenges Pakistani immigrants face in the US. We also explore how parent-child dynamics affect immigrants' learning about and adaptation to security and privacy practices in the US. Through 25 semi-structured interviews with Pakistani immigrants, we find that first-generation immigrants perceive heightened risks of discrimination, surveillance, and isolation due to their status as Muslim immigrants. They also report tensions regarding self-expression and self-censorship in online settings. In contrast, second-generation immigrants quickly adapt to life in the US and do not perceive most of these challenges. We find that first- and second-generation immigrants mutually support each other in learning to use technology and reacting to perceived threats. Our findings underscore an urgent need for tailored digital safety initiatives and designs that consider the unique needs of at-risk populations to ensure their security and privacy. Recognizing and addressing these challenges can foster more inclusive digital landscapes, empowering immigrant populations with resilience and agency.

Human-centered threat modeling (HCTM) is an emerging area within security and privacy research that focuses on how people define and navigate threats in various social, cultural, and technological contexts. While researchers increasingly approach threat modeling from a human-centered perspective, little is known about how they prepare for and engage with HCTM in practice. In this work, we conduct 23 semi-structured interviews with researchers to examine the state of HCTM, including how researchers design studies, elicit threats, and navigate values, constraints, and long-term goals. We find that HCTM is not a prescriptive process but a set of evolving practices shaped by relationships with participants, disciplinary backgrounds, and institutional structures. Researchers approach threat modeling through sustained groundwork and participant-centered inquiry, guided by values such as care, justice, and autonomy. They also face challenges including emotional strain, ethical dilemmas, and structural barriers that complicate efforts to translate findings into real-world impact. We conclude by identifying opportunities to advance HCTM through shared infrastructure, broader recognition of diverse contributions, and stronger mechanisms for translating findings into policy, design, and societal change.

Secure email systems that use end-to-end encryption are the best method we have for ensuring user privacy and security in email communication. However, the adoption of secure email remains low, with previous studies suggesting mainly that secure email is too complex or inconvenient to use. However, the perspectives of those who have, in fact, chosen to use an encrypted email system are largely overlooked. To understand these perspectives, we conducted a semi-structured interview study that aims to provide a comprehensive understanding of the mindsets underlying adoption and use of secure email services. Our participants come from a variety of countries and vary in the amount of time they have been using secure email, how often they use it, and whether they use it as their primary account. Our results uncover that a defining reason for adopting a secure email system is to avoid surveillance from big tech companies. However, regardless of the complexity and accuracy of a person's mental model, our participants rarely send and receive encrypted emails, thus not making full use of the privacy they could obtain. These findings indicate that secure email systems could potentially find greater adoption by appealing to their privacy advantages, but privacy gains will be limited until a critical mass are able to join these systems and easily send encrypted emails to each other.