SOUPS 2025 Conference Reflections - Charlotte Hargreaves

In August 2025, I had the pleasure of attending the Symposium on Usable Privacy and Security (SOUPS) which was co-located with USENIX Security Symposium in Seattle, WA, USA. The technical program covered a wide range of topics within usable privacy and security and brought together interdisciplinary researchers and practitioners with valuable perspectives on security, privacy, and human-computer interaction.

This year, the conference was held in Seattle, which provided a great setting as Washington state attracts tech startups and is the base for tech giants such as Amazon and Microsoft. Alongside 30 accepted papers presented across two days, the conference also held workshops, a poster session, lightning talks, a mentoring program and plenty of opportunities to network with attendees. Selected papers drew upon crucial topics on privacy and security, from exploring contemporary scams, to understanding user perceptions of generative AI, and IOT misuse. Papers also provided new insights into user concerns, authentication design, and privacy and security advice.

On the surface, researchers illustrated steps to secure systems and amend privacy guidelines.

However, I think the conference was valuable in how it approached these issues. Critically, because it remembered the user and highlighted how the journey to usability includes focusing on building trust, being inclusive, and designing ethically.

One important theme that stood out to me was the need for context-sensitive approaches whereby privacy and security is culturally and socially attuned. I was particularly interested in this as a researcher interested in contextual influences and how end-users and communities experience security and privacy. For instance, presentations discussed how privacy controls and online experiences often intersect with cultural practices and beliefs within the home, such as in Saudi households, where smart home devices have often overlooked collective household practices, causing tensions as a result of crossing these boundaries. Phishing was another area where culture was significant, as research highlighted how susceptibility to phishing can be shaped by linguistic factors grounded in cultural attitudes and trust. The morning of day two also continued these calls for more culturally-sensitive privacy controls as talks discussed how western-centric online platform policies fail to respond appropriately to content that may lead to cultural repercussions for the individuals published online.

Emotional and behavioral dimensions to security and privacy were also illustrated as presentations explained how users had been manipulated in exploitative scams using cultural norms, emotions, or psychological techniques. These papers highlighted gaps in victim support and offered insights into how ethical design and regulation, such as in children’s games, is crucial to avoid unnecessary harms.

It was also clear that we need improved communication of privacy information and simplified interfaces. Researchers stated how users often misunderstand technical terms or find some tools such as password managers lacking intuitive design. Therefore improving usability includes building confidence as well as building trust, and improving transparency so that users are able to understand and consent to any changes.

Although it was apparent that there are still many areas of privacy and security that remain inadequate for meeting user needs, it was promising to hear researchers invested in finding solutions to these failures and providing hopeful design paths.

It goes without saying that conferences are really valuable for PhD students as platforms to update our knowledge of the current research in our field, and to engage in dialogue with experts on shared areas of interest. As such, I found it most inspiring to hear several discussions of privacy and security situated in their contexts and inclusive of user perspectives. So, while the content of this year’s papers suggests we still have some way to go to improve privacy and security, the conference sent a clear message that security and privacy should be designed with real people in mind. Therefore, I would say this is a great conference for people interested in technical privacy and security but also one that champions making privacy and security more accessible to everyday users.

To compliment the research packed days, I was also able to explore sunny Seattle in the evenings and learn about the area that is well known for its famous Pike Place market, famous coffee chain, grunge music, and outstanding nature nearby.

Thank you very much to everyone involved at USENIX for their work in organizing SOUPS and to the CDT and my funders who made attending this event possible!


Comments

Post a Comment

Popular posts from this blog

Remote working and Cyber Security: Georgia Crossland and Amy Ertan

Introducing the project The shift to remote working represents a huge shift for employees and organisations alike, introducing significant implications for cyber security. Amy Ertan and Georgia Crossland are currently working on a research project, in collaboration with the Research Institute for Sociotechnical Cyber Security (RISCS) and funded by the UK National Cyber Security Centre (NCSC), on the impact of remote working on cyber security and wellbeing. This blog post will give an overview of a section of this project, how remote working impacts cyber security. In response to COVID-19, in March 2020, organisations across the world made the rapid shift away from physical office working to remote working, wherever possible. This shift has had a significant impact across many aspects of organisations. This blog post will offer a high-level overview of how the cyber threat landscape was impacted for many organisations and may further change organisational cyber resilience. Remote workin...
Read more

New Publication: Remote Working and (In)Security?: Amy Ertan

Image
A recent research report by CDT researchers Amy Ertan and Georgia Crossland has been published with the Research Institute for Sociotechnical Cyber Security (RISCS). The report examines ‘The Impact of Pandemic-Driven Remote Working on Employee Wellbeing, the Psychological Contract and Cyber Security’, with research carried out through a series of interviews with senior cyber security colleagues between January and April 2021. The full report can be found on the RISCS website: New publication: Remote Working and (In)Security | RISCS. Context In the UK and around the world, the impact of COVID-19 represented a total shift away from what was considered ‘normal living’. One aspect of this change was the rapid transition to remote working as people were encouraged to work from home and limit contact with others as far as possible through repeated lockdown conditions. Fellow CDT colleague Georgia Crossland and I were curious to explore how remote working has impacted the experiences - and se...
Read more

The Artificial Intelligence Monster: Nicola Bates

Image
Christopher Booker in 2004 wrote of the seven basic plots to any story, one of these being ‘overcoming the monster’. Within Hollywood, such ‘monsters’ often reflects the zeitgeist balancing commercial requirements with the political and societal preoccupations of the age. The monster evolves over time - from Russia in the Cold War years through to lone actors and terrorists and now to seemingly shadowy figures controlling intelligence. Whilst generally lighter in tone, such monsters also exist within children’s cinema. In recent years this monster has become increasingly defined by their use of highly sophisticated technology, finally becoming the technology in ‘The Mitchells vs. the Machine’*. Lethal technology and subversive machines aren’t new concepts in children’s movies. They can, for example, be found in ‘Short Circuit’ back in 1986. This movie begins with five United States military robots in a training exercise against tanks and focusses upon one of the robots becoming ‘alive’...
Read more