Areas of Interest
There is a significant gap between the theoretical security and privacy properties discussed in academic circles and those available to individuals in their day-to-day lives. For example, password managers were designed to get users to abandon human-selected passwords with weak security in favor of computer-generated passwords with strong security; however, in practice, due to various usability impediments, users forego generated passwords, using password managers primarily to store their human-selected passwords. In my research, I seek to identify the design principles necessary to bridge the gap between theoretical and practical security and privacy.
My research approach is multi-faceted. First, I conduct empirical user studies of security and privacy systems, whether academic prototypes or software deployed in the wild, measuring what issues (e.g., usability, functionality, key management requirements) impeded the adoption and correct usage of these systems. These efforts are enhanced through (a) collaboration with application-domain experts, (b) surveys and interviews of stakeholders, and (c) measurement studies of existing deployments, helping me to more concretely identify key requirements and design constraints for the systems under study.
Next, I rigorously explore the design space for these systems, looking for designs with the potential to address the issues previously identified. These designs can include novel cryptographic protocols and user interfaces, as well as designs improving other aspects of user experience. I evaluate each of these designs theoretically from both a security (e.g., threat modeling, proofs) and usability (e.g., cognitive walkthroughs, expert review) perspective.
Lastly, for the most promising designs, I develop proof-of-concept prototypes and conduct empirical user studies to ensure that these prototypes satisfy stakeholder requirements and identified design constraints under real-world usage. Critically, these evaluations include both technical evaluations—such as measuring latency or demonstrating the ability to stop an attack—and user-centered evaluations—such as usability testing and longitudinal studies. Based on the results of this work, I strive to extract generalizable design principles that could help improve the usability, security, and utility of other systems. Notably, I am one of only a few researchers who takes such a holistic approach to security research.
I’m a member of The Church of Jesus Christ of Latter-Day Saints. I’m married to Emily Ruoti and am the father of four children. When I’m not wrangling the children (which takes up most of my free time), I enjoy swimming, biking, and playing video games.
- Ph.D. in Computer Science, Brigham Young University, 2016
- M.S. in Computer Science, Brigham Young University, 2015
- B.S. in Computer Science, Brigham Young University, 2011
- B.A. in Chinese, Brigham Young University, 2011
Prior Work Experience
Prior to my time at the University of Tennessee, I was a researcher at MIT Lincoln Laboratory. While there, I led a range of efforts, including acting as the chief architect for the Department of Homeland Security’s Cyber.gov program that is tasked with creating a next-generation cybersecurity architecture for all non-DoD federal departments and agencies. I also led a research team exploring non-cryptocurrency usages for Blockchain technology. Prior to my time at MIT Lincoln Laboratory I’ve also worked at Microsoft, Microsoft Research, Google, Blue Coat Systems (Symantec), and Sandia National Laboratories.
As part of my dissertation, I designed email systems that are both secure and easy-to-use, especially for novice users. The final version of our secure email system outperforms other similar systems in terms of usability, ranking in the top 15% among the hundreds of software systems subjected to a standard usability test. My design reduced user errors from 25% to 2%, and increased user understanding and trust in secure email.