The 2025 European Symposium on Usable Security

Dates and Location: September 10 & 11, 2025, Manchester, United Kingdom.

Experience EuroUSEC 2025 in Manchester – the vibrant northern English city that lives and breathes football! Join leading minds in usable privacy and security as we unite to explore, learn, and drive innovation in cybersecurity and privacy. Be part of the future, where research meets real-world impact!

The European Symposium on Usable Security (EuroUSEC) is a forum for research and discussion on human factors in security and privacy. EuroUSEC solicits previously unpublished work offering novel research contributions in any aspect of human-centered security and privacy. EuroUSEC aims to bring together researchers, practitioners, and students from diverse backgrounds, including computer science, engineering, psychology, the social sciences, and economics, to discuss issues related to human-computer interaction, security, and privacy.

EuroUSEC is part of the USEC family of events: https://www.usablesecurity.net/USEC/index.php

We want EuroUSEC to be a community-driven event and would love to hear any questions, comments, or concerns you might have regarding changes from last year—please just email the programme chairs.



Keynote Speakers

Dr. Marc J. Dupuis

Talk Title: Faith, Fear, and Fallibility: A Human-Centered Vision for Cybersecurity Inspired by Religion and Beyond

Talk Abstract: Despite decades of effort, organizations continue to struggle with the human side of cybersecurity. Security policies are written, awareness campaigns are launched, and training is delivered; yet, employees still make mistakes, disregard guidance, or act contrary to expectations. These behaviors are not merely signs of negligence but reflections of the complexity of human nature. Where cybersecurity frameworks often lean heavily on rules and compliance, they tend to lack depth in addressing the emotional, psychological, and even existential dimensions of human behavior.

This presentation explores a broader, more empathetic vision for cybersecurity by drawing upon insights not only from world religions but also from research on fear, shame, regret, and grace—core emotional and moral experiences that influence decision-making. Religions, which have long grappled with human fallibility, offer practices and paradigms for encouraging right action while making space for forgiveness, growth, and redemption. Similarly, emotional states like fear, shame, regret, forgiveness, and grace can either hinder or help secure behavior depending on the one employed and how they are engaged. By integrating perspectives from organized religion, psychology, and behavioral science, we propose a more human-centered cybersecurity vision—one that recognizes the limits of punitive models and instead explores what it means to care for users who inevitably make mistakes. This approach is not merely for the sake of demonstrating compassion for those that make mistakes, but equally for the organization so that it may be more secure and resilient from a cybersecurity perspective.

We present findings from our qualitative research with religious leaders, along with feedback from cybersecurity professionals on this expanded model, as well as insight gleaned from our other studies on the use of emotion to engender behavioral change. This work aims to spark a new conversation in the field—one that reimagines “best practices” not merely in terms of efficiency or compliance, but through a lens of empathy, accountability, and the messy reality of being human.

Biography: Marc J. Dupuis, Ph.D., is an Associate Professor within the Division of Computing and Software Systems at the University of Washington Bothell where he also serves as the Graduate Program Coordinator. Dr. Dupuis earned a Ph.D. in Information Science at the University of Washington with an emphasis on cybersecurity. Prior to this, he earned an M.S. in Information Science and a Master of Public Administration (MPA) from the University of Washington, as well as an M.A. in Political Science at Western Washington University.

His research area is cybersecurity with an emphasis on the human factors of cybersecurity. The primary focus of his research involves the examination of psychological traits and their relationship to the cybersecurity and privacy behavior of individuals. This has included an examination of antecedents and related behaviors, as well as usable security and privacy. His goal is to both understand behavior as it relates to cybersecurity and privacy, and discover what may be done to improve that behavior.

More recently, Dr. Dupuis and his collaborators have been exploring the use of fear appeals, shame, regret, forgiveness, and grace in cybersecurity, including issues related to their efficacy and the ethics of using such techniques to engender behavioral change.

Dr Jason R.C. Nurse

Talk Title: It's *not* all about the Benjamins: The real harms of cyber attacks

Talk Abstract: Cyber-attacks pose a significant threat for organisations and individuals, with ransomware itself devastating countless lives across the world. This keynote talk seeks to move beyond focusing on the cyber-attacks themselves to explore the depth and breadth of harms experienced by victims of these crimes. Drawing on insights from extensive interviews with victims, incident responders, negotiators, law enforcement, and government officials, we uncover a range of severe consequences that extend beyond monetary loss. This is particularly true in the case of ransomware attacks.

As we will discuss, organisations face significant risks of business interruption and data exposure, which can lead to substantial financial penalties, reputational damage, and potential legal repercussions. For employees – and specifically thinking about the human factor – the impact can be equally devastating. The psychological toll of a ransomware attack, for instance, is profound, leading to increased stress, anxiety, and even post-traumatic stress disorder. Furthermore, the physical consequences, such as disrupted work routines and extended work hours, can exacerbate these mental health challenges.

This talk also explores the factors that can either mitigate or exacerbate these harms, including organisational preparedness, leadership culture, and effective crisis communication. By understanding these dynamics, organisations can develop robust strategies to minimise the impact of ransomware attacks and support their employees during and after such incidents. This presentation aims to shift the narrative and research surrounding cyber-attacks, highlighting the human cost of these attacks. By recognising the multifaceted nature of cyber-attack harms, we can advocate for more comprehensive and effective response strategies, ultimately protecting organisations and their employees from this growing threat.

Biography: Dr Jason R.C. Nurse is a Reader in Cyber Security in the Institute of Cyber Security for Society and the School of Computing at the University of Kent. He also holds the roles of Associate Fellow at The Royal United Services Institute (RUSI), Visiting Fellow in Defence and Security at Cranfield University, and Research Member of Wolfson College, University of Oxford.

His research interests include human aspects of cyber security, cyberpsychology, cyber harms, security culture, ransomware, cyber insurance, and corporate communications and cyber security.

Dr Nurse has published over 120 peer-reviewed articles in prestigious security journals, and his research has been featured in national and international media including the BBC, Associated Press, The Wall Street Journal, The Washington Post, Newsweek, Wired, The Telegraph, and The Independent. Prior to joining Kent in 2018, Dr Nurse was a Senior Researcher in Cyber Security at the University of Oxford and before that, a Research Fellow in Psychology at the University of Warwick.

Call for Papers

We invite you to submit a paper and join us in Manchester, UK at EuroUSEC 2025.

We welcome submissions containing unpublished original work describing research, visions, or experiences in all areas of usable security and privacy. We also welcome systematization of knowledge (SOK) papers with a clear connection to usable security and privacy. Well-executed replication studies are also welcomed. We appreciate a variety and mixture of research methods, including both qualitative and quantitative approaches.

Topics include, but are not limited to:

  • usable security and privacy implications or solutions for specific domains (such as IoT, ehealth, and vulnerable populations)
  • methodologies for usable security and privacy research
  • role of AI/Generative AI technologies in improving usable security and privacy
  • field studies of security or privacy technology
  • longitudinal studies of deployed security or privacy features
  • new applications of existing privacy/security models or technology
  • innovative security or privacy functionality and design
  • usability evaluations of new or existing security or privacy features
  • security testing of new or existing usability features
  • lessons learned from the deployment and use of usable privacy and security features
  • reports of failed usable privacy/security studies or experiments, with the focus on the lessons learned from such experience
  • papers with negative results
  • reports of replicating previously published important studies and experiments
  • psychological, sociological, cultural, or economic aspects of security and privacy
  • studies of administrators or developers and support for security and privacy
  • studies on the adoption or acceptance of security or privacy technologies
  • systematization of knowledge papers
  • impact of organizational policy or procurement decisions on security and privacy

We aim to provide a venue for researchers at all stages of their careers and at all stages of their projects.

All submissions will undergo a double-blind review by at least two reviewers. Each submission will receive one of three decisions: Accept, Shepherding, or Reject. Authors of papers receiving a shepherding decision will engage with an appointed shepherd; a revised version will be prepared and must be approved by the shepherd before the paper is accepted. During the shepherding phase, the identities of the authors and one shepherding reviewer will be disclosed for communication purposes. Shepherding will take place outside the conference management system. The authors will be responsible for reaching out to the shepherd.



Important Dates (Anywhere on Earth (AoE))

Paper registration deadline (mandatory): Monday, 13th May, 2025
Paper submission deadline: Friday, 16th May, 2025 (Hard Deadline)
Author's notification: Monday, 23rd June, 2025

Revision period (For shepherded papers): Tuesday, 24th June to Monday, 7th July, 2025
Author's notification (For shepherded papers): Monday, 14th July, 2025

Camera-ready submission for all papers: Monday, 4th August, 2025


Submission Instructions

Upload your submission via this link:

Disclaimer: The Microsoft CMT service was used for managing the peer-reviewing process for this conference. This service was provided for free by Microsoft and they bore all expenses, including costs for Azure cloud services as well as for software development and support.

  1. All submissions must report original work written in English.
    • Using text generated from large language models such as ChatGPT for purposes other than editing the author’s own text is not allowed. While we do not plan to use any tools to check all submissions, we will investigate submissions brought to our attention and will reject them.
    • Authors must clearly document any overlap with previously or simultaneously submitted papers from any of the authors (email the chairs a PDF document outlining this).
  2. Submissions should be anonymized for review. No author names or affiliations should be included in the title page or the body of the paper. Acknowledgments should also be removed, and papers should not reveal authors' identities.
  3. Refer to your own related work in the third person, as though someone else had written it. This also includes, e.g., data sets: "We received data from Smith et al. [31] in our experiment." Do not blind citations except in extraordinary circumstances. If in doubt, contact the chairs.
  4. All submissions should be at most 10 pages (double-column, excluding bibliography) reporting on mature work. Appendices are not counted towards the page count, but note that reviewers will not necessarily read the appendices: the text should be sufficient without appendices. If accepted, authors can include a link to appendices in their paper (hosted on a service such as OSF).
  5. Papers must be typeset in A4 format (not "US Letter") using the IEEE conference proceeding template with the appropriate options [Templates here]. Failure to adhere to the page limit and/or formatting requirements will be grounds for desk rejection.
  6. Systematization of Knowledge paper titles must begin with SOK:
  7. Replication studies must mention “Replication” in the title.

Simultaneous submission of the same paper to another venue with proceedings or a journal is prohibited. Authors may post pre-prints, however; please consult the guidelines for further information. Serious infringements of these policies may result in the paper's rejection, and the authors may be put on a warning list, even if we only become aware of the violation after the paper has been accepted. If you have questions about this policy, contact the EuroUSEC chairs.

At least one author of each accepted paper must register and attend to present the paper IN PERSON. We will only permit virtual presentations in exceptional circumstances.

Contact EuroUSEC chairs if there are any questions.

Program Committee Chairs

The chairs can be contacted at pc.chairs.eurousec

Program Committee

  • Adam Jenkins, King's College London (UK)
  • Agnieszka Kitkowska, Jönköping University (Sweden)
  • Alaa Nehme, Mississippi State University (USA)
  • Alvi Jawad, Carleton University (Canada)
  • Anna Leschanowsky, Fraunhofer Institute for Integrated Circuits IIS (Germany)
  • Anna-Marie Ortloff, University of Bonn (Germany)
  • Anne Hennig, Karlsruhe Institute of Technology (Germany)
  • Anuj Gautam, University of Illinois at Urbana-Champaign (USA)
  • Arianna Rossi, Sant'Anna University of Advanced Studies (Italy)
  • Bernardo Breve, University of Salerno (Italy)
  • Bilal Naqvi, Lappeenranta University of Technology (Finland)
  • Christian Eichenmüller, Friedrich-Alexander-Universität Erlangen-Nürnberg (Germany)
  • Christian Tiefenau, University of Bonn (Germany)
  • Christine Utz, Radboud University (Netherlands)
  • Cigdem Sengul, Brunel University (UK)
  • Claudia Negri-Ribalta, University of Luxembourg (Luxembourg)
  • Collins Munyendo, The George Washington University (USA)
  • Daniel Thomas, University of Strathclyde (UK)
  • Diana Freed, Brown University (USA)
  • Divyanshau Bhardwaj, CISPA Helmholtz Center for Information Security (Germany)
  • Elham Al Qahtani, University of Jeddah (Saudi Arabia)
  • Eman Alashwali, King Abdulaziz University (Saudi Arabia)
  • Emiram Kablo, University of Paderborn (Germany)
  • Emma Nicol, University of Strathclyde (UK)
  • Gaston Pugliese, Friedrich-Alexander-Universität Erlangen-Nürnberg (Germany)
  • Habiba Farzand, University of Bristol (UK)
  • Hana Habib, Carnegie Mellon University (USA)
  • Hazel Murray, Munster Technological University (Ireland)
  • Ingolf Becker, University College London (UK)
  • James Nicholson, Northumbria University (UK)
  • Jan Nold, Ruhr University Bochum (Germany)
  • Jan-Willem Bullee, University of Twente (Netherlands)
  • Jason Jaskolla, Carleton University (Canada)
  • Jide Edu, University of Strathclyde (UK)
  • Jingjie Li, University of Edinburgh (UK)
  • Joakim Kävrestad, Jönköping University (Sweden)
  • Julie Wunder, Friedrich-Alexander-Universität Erlangen-Nürnberg (Germany)
  • Jurlind Budurushi, Baden-Wuerttemberg Cooperative State University (Germany)
  • Karoline Busse, University of Applied Administrative Sciences Lower Saxony (Germany)
  • Kavous Salehzadeh Niksirat, EPFL (Switzerland)
  • Kévin Huguenin, University of Lausanne (Switzerland)
  • Kieron Ivy Turk, Surrey University (UK)
  • Lorin Schoni, ETH Zurich (Switzerland)
  • Mainack Mondal, IIT Kharagpur (India)
  • Maksim Kalameyets, Newcastle University (UK)
  • Marvin Ramokapane, University of Bristol (UK)
  • Muriel-Larissa Frank, University of Luxembourg (Luxembourg)
  • Nicola Zannone, Eindhoven University of Technology (Netherlands)
  • Nicolas E. Díaz Ferreyra, Hamburg University of Technology (Germany)
  • Noé Zufferey, ETH Zurich (Switzerland)
  • Ola Michalec, Bristol University (UK)
  • Pavlo Burda, ICT Institute (Netherlands)
  • Raphael Serafini, University of Cologne (Germany)
  • Robert Biddle, Carleton University (Canada)
  • Ruba Abu-Salma, King's College London (UK)
  • Ryan Gibson, University of Strathclyde (UK)
  • Sabid Bin Habib Pias, Indiana University (USA)
  • Sara Haghighi, University of Maine (USA)
  • Scott Harper, Surrey University (UK)
  • Shan Xiao, Gonzaga University (USA)
  • Shijing He, King's College London (UK)
  • Simon Parkin, Delft University of Technology (Netherlands)
  • Sotirios Terzis, University of Strathclyde (UK)
  • Stefanos Evripidou, University of Glasgow (UK)
  • Stephan Wiefling, swiefling.de & Vodafone (Germany)
  • Thomas Gross, Newcastle University (UK)
  • Weijia He, University of Southampton (UK)
  • Xiaowei Chen, University of Luxembourg (Luxembourg)
  • Yasmeen Abdrabou, Technical University of Munich (Germany)

Organising Chair

Publicity Chairs

  • Scott Harper, Newcastle University (UK)
  • Huiyun Tang, Luxembourg University (Luxembourg)

Technical Support

  • Frazer Sandison, Strathclyde University (UK)

Steering Committee

  • Oksana Kulyk, IT University of Copenhagen (Denmark)
  • Karen Renaud, University of Strathclyde (UK)
  • Peter Mayer, University of Southern Denmark (Denmark)
  • Angela Sasse, Ruhr University Bochum / Ruhr-Universität Bochum (Germany)
  • Melanie Volkamer, Karlsruhe Institute of Technology (Germany)
  • Charles Weir, Lancaster University (UK)
  • Farzaneh Karegar, Karlstad University (Sweden)

Event Logistics

EuroUSEC 2025 will be held on September 10 and 11 in Manchester, UK.

Event location: Digital Security Hub (DiSH) 47 Lloyd Street, Manchester M2 5LE, Floor G, Heron House.

Travelling to Manchester: Manchester has many transport links including Rail, Coach, and Car. Situated at the heart of the M60 Ring Road, it is connected to motorways North, South, East, and West.

Travelling within Manchester: Manchester has buses, trams, and trains as its main methods of public transport, with a large number of dedicated cycle lanes throughout the city centre. This includes a specific free bus route around the city. The transport links are detailed here.

Accommodation: We will not arrange any hotel reservations for the attendees. However, for their convenience we will provide details of nearby hotels.

The conference takes place in the heart of Manchester's City Centre. Information for where to stay can be found here. Reservations for nearby stays can also be made through AirBnB or Booking.com.

Social Contract

To make EuroUSEC as effective as possible for everyone, we ask that all participants commit to our social contract:

  1. Engage and actively participate (to the degree you feel comfortable) with each talk.
  2. Be sure your feedback is constructive, forward-looking, and meaningful.
  3. The usable security & privacy community has earned a reputation for being inclusive and welcoming to newcomers; please keep it that way.
  4. We encourage attendees to aim to meet at least three new people from this year's EuroUSEC. The meal breaks and the participatory activity are the perfect opportunities for this.
  5. We strongly encourage tweeting under the hashtag "#EuroUSEC2024" and otherwise spreading the word about work you find exciting at EuroUSEC.
  6. EuroUSEC 2025 follows the USABLE events Code of Conduct.