{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:03:14Z","timestamp":1777806194546,"version":"3.51.4"},"reference-count":54,"publisher":"SAGE Publications","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCS"],"published-print":{"date-parts":[[2022,7,4]]},"abstract":"<jats:p>Formal analysis of security is often focused on the technological side of the system. One implicitly assumes that the users will behave in the right way to preserve the relevant security properties. In real life, this cannot be taken for granted. In particular, security mechanisms that are difficult and costly to use are often ignored by the users, and do not really defend the system against possible attacks. Here, we propose a graded notion of security based on the complexity of the user\u2019s strategic behavior. More precisely, we suggest that the level to which a security property \u03c6 is satisfied can be defined in terms of: (a) the complexity of the strategy that the user needs to execute to make \u03c6 true, and (b) the resources that the user must employ on the way. The simpler and cheaper to obtain \u03c6, the higher the degree of security. We demonstrate how the idea works in a case study based on an electronic voting scenario. To this end, we model the vVote implementation of the Pr\u00eat \u00e0 Voter voting protocol for coercion-resistant and voter-verifiable elections. Then, we identify \u201cnatural\u201d strategies for the voter to obtain voter-verifiability, and measure the voter\u2019s effort that they require. We also consider the dual view of graded security, measured by the complexity of the attacker\u2019s strategy to compromise the relevant properties of the election.<\/jats:p>","DOI":"10.3233\/jcs-210049","type":"journal-article","created":{"date-parts":[[2022,4,5]],"date-time":"2022-04-05T11:24:35Z","timestamp":1649157875000},"page":"381-409","source":"Crossref","is-referenced-by-count":2,"title":["How to measure usable security: Natural strategies in voting protocols1"],"prefix":"10.1177","volume":"30","author":[{"given":"Wojciech","family":"Jamroga","sequence":"first","affiliation":[{"name":"Interdisc.\u00a0Centre on Security, Reliability and Trust, SnT, University of Luxembourg"},{"name":"Institute of Computer Science, Polish Academy of Sciences, Warsaw, Poland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Damian","family":"Kurpiewski","sequence":"additional","affiliation":[{"name":"Institute of Computer Science, Polish Academy of Sciences, Warsaw, Poland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Vadim","family":"Malvone","sequence":"additional","affiliation":[{"name":"T\u00e9l\u00e9com Paris, France"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","reference":[{"key":"10.3233\/JCS-210049_ref1","unstructured":"T.\u00a0\u00c5gotnes, V.\u00a0Goranko, W.\u00a0Jamroga and M.\u00a0Wooldridge, Knowledge and ability, in: Handbook of Epistemic Logic, H.P.\u00a0van Ditmarsch, J.Y.\u00a0Halpern, W.\u00a0van der Hoek and B.P.\u00a0Kooi, eds, College Publications, 2015, pp.\u00a0543\u2013589."},{"key":"10.3233\/JCS-210049_ref2","doi-asserted-by":"publisher","first-page":"672","DOI":"10.1145\/585265.585270","article-title":"Alternating-time temporal logic","volume":"49","author":"Alur","year":"2002","journal-title":"Journal of the ACM"},{"key":"10.3233\/JCS-210049_ref3","doi-asserted-by":"crossref","unstructured":"D.A.\u00a0Basin, H.\u00a0Gersbach, A.\u00a0Mamageishvili, L.\u00a0Schmid and O.\u00a0Tejada, Election security and economics: It\u2019s all about eve, in: Proceedings of E-Vote-ID, 2017, pp.\u00a01\u201320.","DOI":"10.1007\/978-3-319-68687-5_1"},{"key":"10.3233\/JCS-210049_ref4","doi-asserted-by":"crossref","unstructured":"D.A.\u00a0Basin, S.\u00a0Radomirovic and L.\u00a0Schmid, Modeling human errors in security protocols, in: Computer Security Foundations Symposium, CSF, IEEE Computer Society, 2016, pp.\u00a0325\u2013340.","DOI":"10.1109\/CSF.2016.30"},{"key":"10.3233\/JCS-210049_ref5","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30080-9_7"},{"key":"10.3233\/JCS-210049_ref6","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-30436-1_23"},{"key":"10.3233\/JCS-210049_ref7","doi-asserted-by":"crossref","unstructured":"G.\u00a0Bella, P.\u00a0Curzon, R.\u00a0Giustolisi and G.\u00a0Lenzini, A socio-technical methodology for the security and privacy analysis of services, in: COMPSAC Workshops, IEEE Computer Society, 2014, pp.\u00a0401\u2013406.","DOI":"10.1109\/COMPSACW.2014.69"},{"issue":"5","key":"10.3233\/JCS-210049_ref8","doi-asserted-by":"publisher","first-page":"563","DOI":"10.3233\/JCS-150536","article-title":"Service security and privacy as a socio-technical problem","volume":"23","author":"Bella","year":"2015","journal-title":"J. Comput. Secur."},{"key":"10.3233\/JCS-210049_ref9","doi-asserted-by":"crossref","unstructured":"J.\u00a0Benaloh and D.\u00a0Tuinstra, Receipt-free secret-ballot elections, in: Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, ACM, 1994, pp.\u00a0544\u2013553.","DOI":"10.1145\/195058.195407"},{"key":"10.3233\/JCS-210049_ref10","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bernhard, A.\u00a0McDonald, H.\u00a0Meng, J.\u00a0Hwa, N.\u00a0Bajaj, K.\u00a0Chang and J.A.\u00a0Halderman, Can voters detect malicious manipulation of ballot marking devices? in: IEEE Symposium on Security and Privacy, IEEE, 2020, pp.\u00a0679\u2013694.","DOI":"10.1109\/SP40000.2020.00118"},{"key":"10.3233\/JCS-210049_ref11","doi-asserted-by":"publisher","first-page":"546","DOI":"10.1037\/h0030000","article-title":"Knowing and using concepts","volume":"77","author":"Bourne","year":"1970","journal-title":"Psychol. Rev."},{"key":"10.3233\/JCS-210049_ref12","doi-asserted-by":"crossref","unstructured":"A.\u00a0Buldas and T.\u00a0M\u00e4gi, Practical security analysis of e-voting systems, in: Proceedings of IWSEC, Lecture Notes in Computer Science, Vol.\u00a04752, Springer, 2007, pp.\u00a0320\u2013335.","DOI":"10.1007\/978-3-540-75651-4_22"},{"key":"10.3233\/JCS-210049_ref14","doi-asserted-by":"crossref","unstructured":"M.\u00a0Carlomagno Carlos, J.\u00a0Everson Martina, G.\u00a0Price and R.F.\u00a0Cust\u00f3dio, A proposed framework for analysing security ceremonies, in: SECRYPT, SciTePress, 2012, pp.\u00a0440\u2013445.","DOI":"10.5220\/0004129704400445"},{"issue":"6","key":"10.3233\/JCS-210049_ref15","doi-asserted-by":"publisher","first-page":"677","DOI":"10.1016\/j.ic.2009.07.004","volume":"208","author":"Chatterjee","year":"2010","journal-title":"Strategy Logic. Information and Computation"},{"key":"10.3233\/JCS-210049_ref16","doi-asserted-by":"crossref","unstructured":"V.\u00a0Cortier, D.\u00a0Galindo, R.\u00a0K\u00fcsters, J.\u00a0M\u00fcller and T.T.\u00a0SoK, Verifiability notions for e-voting protocols, in: IEEE Symposium on Security and Privacy, 2016, pp.\u00a0779\u2013798.","DOI":"10.1109\/SP.2016.52"},{"issue":"1","key":"10.3233\/JCS-210049_ref17","doi-asserted-by":"publisher","first-page":"3:1","DOI":"10.1145\/2746338","article-title":"vvote: A verifiable voting system","volume":"18","author":"Culnane","year":"2015","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"10.3233\/JCS-210049_ref18","doi-asserted-by":"crossref","unstructured":"C.\u00a0Culnane and V.\u00a0Teague, Strategies for voter-initiated election audits, in: Decision and Game Theory for Security: Proceedings of GameSec, Lecture Notes in Computer Science, Vol.\u00a09996, Springer, 2016, pp.\u00a0235\u2013247.","DOI":"10.1007\/978-3-319-47413-7_14"},{"key":"10.3233\/JCS-210049_ref19","doi-asserted-by":"crossref","unstructured":"N.\u00a0David, A.\u00a0David, R.\u00a0Rydhof Hansen, K.\u00a0Guldstrand Larsen, A.\u00a0Legay, M.C.\u00a0Olesen and C.W.\u00a0Probst, Modelling social-technical attacks with timed automata, in: Proceedings of International Workshop on Managing Insider Security Threats, MIST, ACM, 2015, pp.\u00a021\u201328.","DOI":"10.1145\/2808783.2808787"},{"issue":"9","key":"10.3233\/JCS-210049_ref20","doi-asserted-by":"publisher","first-page":"92","DOI":"10.1145\/2701413","article-title":"Commonsense reasoning","volume":"58","author":"Davis","year":"2015","journal-title":"Communications of the ACM"},{"key":"10.3233\/JCS-210049_ref21","unstructured":"S.\u00a0Delaune, S.\u00a0Kremer and M.\u00a0Ryan, Coercion-resistance and receipt-freeness in electronic voting, in: Computer Security Foundations Workshop, 2006. 19th IEEE, IEEE, 2006, pp.\u00a012."},{"key":"10.3233\/JCS-210049_ref22","doi-asserted-by":"crossref","unstructured":"V.\u00a0Distler, M.-L.\u00a0Zollinger, C.\u00a0Lallemand, P.B.\u00a0R\u00f8nne, P.Y.A.\u00a0Ryan and V.\u00a0Koenig, Security \u2013 visible, yet unseen? in: Proceedings of Conference on Human Factors in Computing Systems, CHI, ACM, 2019, p.\u00a0605.","DOI":"10.1145\/3290605.3300835"},{"key":"10.3233\/JCS-210049_ref23","doi-asserted-by":"publisher","DOI":"10.1109\/ICC.2012.6364938"},{"key":"10.3233\/JCS-210049_ref24","doi-asserted-by":"crossref","unstructured":"R.\u00a0Fagin, J.Y.\u00a0Halpern, Y.\u00a0Moses and M.Y.\u00a0Vardi, Reasoning About Knowledge, MIT Press, 1995.","DOI":"10.7551\/mitpress\/5803.001.0001"},{"key":"10.3233\/JCS-210049_ref25","doi-asserted-by":"publisher","first-page":"630","DOI":"10.1038\/35036586","article-title":"Minimization of Boolean complexity in human concept learning","volume":"407","author":"Feldman","year":"2000","journal-title":"Nature"},{"key":"10.3233\/JCS-210049_ref26","doi-asserted-by":"crossref","unstructured":"M.\u00a0Ghallab, D.\u00a0Nau and P.\u00a0Traverso, Automated Planning: Theory and Practice, Morgan Kaufmann, 2004.","DOI":"10.1016\/B978-155860856-6\/50021-1"},{"issue":"7\u20138","key":"10.3233\/JCS-210049_ref27","doi-asserted-by":"publisher","first-page":"299","DOI":"10.1007\/s12243-016-0509-8","article-title":"An experiment on the security of the Norwegian electronic voting protocol","volume":"71","author":"Gj\u00f8steen","year":"2016","journal-title":"Ann. des T\u00e9l\u00e9communications"},{"issue":"2","key":"10.3233\/JCS-210049_ref28","doi-asserted-by":"publisher","first-page":"91","DOI":"10.1080\/01449290500330331","article-title":"User experience-a research agenda","volume":"25","author":"Hassenzahl","year":"2006","journal-title":"Behaviour & Information Technology"},{"issue":"1","key":"10.3233\/JCS-210049_ref29","first-page":"4","article-title":"Insiders and insider threats \u2013 an overview of definitions and mitigation techniques","volume":"2","author":"Hunker","year":"2011","journal-title":"J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl."},{"key":"10.3233\/JCS-210049_ref30","doi-asserted-by":"crossref","unstructured":"W.\u00a0Jamroga, Y.\u00a0Kim, D.\u00a0Kurpiewski and P.Y.A.\u00a0Ryan, Towards model checking of voting protocols in uppaal, in: Proceedings of E-Vote-ID, Lecture Notes in Computer Science, Vol.\u00a012455, Springer, 2020, pp.\u00a0129\u2013146.","DOI":"10.1007\/978-3-030-60347-2_9"},{"key":"10.3233\/JCS-210049_ref31","doi-asserted-by":"crossref","unstructured":"W.\u00a0Jamroga, M.\u00a0Knapik and D.\u00a0Kurpiewski, Model checking the SELENE e-voting protocol in multi-agent logics, in: Proceedings of the 3rd International Joint Conference on Electronic Voting (E-VOTE-ID), Lecture Notes in Computer Science, Vol.\u00a011143, Springer, 2018, pp.\u00a0100\u2013116.","DOI":"10.1007\/978-3-030-00419-4_7"},{"key":"10.3233\/JCS-210049_ref32","doi-asserted-by":"crossref","unstructured":"W.\u00a0Jamroga, D.\u00a0Kurpiewski and V.\u00a0Malvone, Natural strategic abilities in voting protocols, in: Proceedings of STAST 2020, 2021, To appear.","DOI":"10.1007\/978-3-030-79318-0_3"},{"key":"10.3233\/JCS-210049_ref33","unstructured":"W.\u00a0Jamroga, V.\u00a0Malvone and A.\u00a0Murano, Reasoning about natural strategic ability, in: Proceedings of the 16th International Conference on Autonomous Agents and Multiagent Systems (AAMAS), IFAAMAS, 2017, pp.\u00a0714\u2013722."},{"key":"10.3233\/JCS-210049_ref35","unstructured":"W.\u00a0Jamroga, V.\u00a0Malvone and A.\u00a0Murano, Natural strategic ability under imperfect information, in: Proceedings of the 18th International Conference on Autonomous Agents and Multiagent Systems AAMAS 2019, IFAAMAS, 2019, pp.\u00a0962\u2013970."},{"key":"10.3233\/JCS-210049_ref36","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-52240-1_1"},{"issue":"2\u20133","key":"10.3233\/JCS-210049_ref37","first-page":"185","article-title":"Agents that know how to play","volume":"63","author":"Jamroga","year":"2004","journal-title":"Fundamenta Informaticae"},{"key":"10.3233\/JCS-210049_ref38","doi-asserted-by":"publisher","DOI":"10.1145\/1102199.1102213"},{"key":"10.3233\/JCS-210049_ref39","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-54455-3_21"},{"key":"10.3233\/JCS-210049_ref40","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2010.16"},{"key":"10.3233\/JCS-210049_ref41","doi-asserted-by":"crossref","unstructured":"M.\u00a0Kwiatkowska, G.\u00a0Norman and D.\u00a0Parker, PRISM: Probabilistic symbolic model checker, in: Proceedings of TOOLS, Lecture Notes in Computer Science, Vol.\u00a02324, Springer, 2002, pp.\u00a0200\u2013204.","DOI":"10.1007\/3-540-46029-2_13"},{"issue":"1","key":"10.3233\/JCS-210049_ref42","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1007\/s10009-015-0378-x","article-title":"MCMAS: An open-source model checker for the verification of multi-agent systems","volume":"19","author":"Lomuscio","year":"2017","journal-title":"Int. J. Softw. Tools Technol. Transf."},{"key":"10.3233\/JCS-210049_ref43","unstructured":"K.\u00a0Marky, O.\u00a0Kulyk, K.\u00a0Renaud and M.\u00a0Volkamer, What did I really vote for? in: Proceedings of Conference on Human Factors in Computing Systems, CHI, ACM, 2018, p.\u00a0176."},{"key":"10.3233\/JCS-210049_ref44","doi-asserted-by":"crossref","unstructured":"K.\u00a0Marky, M.-L.\u00a0Zollinger, M.\u00a0Funk, P.Y.A.\u00a0Ryan and M.\u00a0M\u00fchlh\u00e4user, How to assess the usability metrics of e-voting schemes, in: Financial Cryptography Workshops, LNCS, Vol.\u00a011599, Springer, 2019, pp.\u00a0257\u2013271.","DOI":"10.1007\/978-3-030-43725-1_18"},{"key":"10.3233\/JCS-210049_ref45","unstructured":"T.\u00a0Martimiano, E.\u00a0Dos Santos, M.\u00a0Olembo and J.E.\u00a0Martina, Ceremony analysis meets verifiable voting: Individual verifiability in Helios, in: SECURWARE, 2015."},{"key":"10.3233\/JCS-210049_ref46","doi-asserted-by":"crossref","unstructured":"T.\u00a0Martimiano and J.\u00a0Everson Martina, Threat modelling service security as a security ceremony, in: 11th International Conference on Availability, Reliability and Security, ARES, IEEE Computer Society, 2016, pp.\u00a0195\u2013204.","DOI":"10.1109\/ARES.2016.59"},{"issue":"4","key":"10.3233\/JCS-210049_ref47","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2631917","article-title":"Reasoning about strategies: On the model-checking problem","volume":"15","author":"Mogavero","year":"2014","journal-title":"ACM Transactions on Computational Logic"},{"key":"10.3233\/JCS-210049_ref48","doi-asserted-by":"publisher","DOI":"10.1007\/BFb0028157"},{"issue":"1","key":"10.3233\/JCS-210049_ref49","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1007\/s10458-019-09433-x","article-title":"Multi-objective multi-agent decision making: A utility-based analysis and survey","volume":"34","author":"Radulescu","year":"2020","journal-title":"Autonomous Agents and Multi Agent Systems"},{"key":"10.3233\/JCS-210049_ref50","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-84882-736-3_5"},{"issue":"3","key":"10.3233\/JCS-210049_ref51","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1109\/MSP.2015.54","article-title":"End-to-end verifiability in voting systems, from theory to practice","volume":"13","author":"Ryan","year":"2015","journal-title":"IEEE Security & Privacy"},{"key":"10.3233\/JCS-210049_ref53","doi-asserted-by":"publisher","first-page":"242","DOI":"10.1038\/nature25763","article-title":"Social norm complexity and past reputations in the evolution of cooperation","volume":"555","author":"Santos","year":"2018","journal-title":"Nature"},{"key":"10.3233\/JCS-210049_ref54","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Shoham and K.\u00a0Leyton-Brown, Multiagent Systems \u2013 Algorithmic, Game-Theoretic, and Logical Foundations, Cambridge University Press, 2009.","DOI":"10.1017\/CBO9780511811654"},{"key":"10.3233\/JCS-210049_ref56","doi-asserted-by":"crossref","unstructured":"M.\u00a0Tabatabaei, W.\u00a0Jamroga and P.Y.A.\u00a0Ryan, Expressing receipt-freeness and coercion-resistance in logics of strategic ability: Preliminary attempt, in: Proceedings of the 1st International Workshop on AI for Privacy and Security, PrAISe@ECAI 2016, ACM, 2016, pp.\u00a01:1\u20131:8.","DOI":"10.1145\/2970030.2970039"},{"key":"10.3233\/JCS-210049_ref57","unstructured":"Verified Voting. Policy on direct recording electronic voting machines and ballot marking devices, 2019."},{"issue":"2","key":"10.3233\/JCS-210049_ref58","doi-asserted-by":"crossref","first-page":"143","DOI":"10.1016\/0377-2217(81)90275-7","article-title":"A multiple criteria method for choosing among discrete alternatives","volume":"7","author":"Zionts","year":"1981","journal-title":"European Journal of Operational Research"}],"container-title":["Journal of Computer Security"],"original-title":[],"link":[{"URL":"https:\/\/content.iospress.com\/download?id=10.3233\/JCS-210049","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:38Z","timestamp":1777495538000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/full\/10.3233\/JCS-210049"}},"subtitle":[],"editor":[{"given":"Thomas","family":"Gro\u00df","sequence":"additional","affiliation":[],"role":[{"role":"editor","vocabulary":"crossref"}]},{"given":"Luca","family":"Vigan\u00f2","sequence":"additional","affiliation":[],"role":[{"role":"editor","vocabulary":"crossref"}]}],"short-title":[],"issued":{"date-parts":[[2022,7,4]]},"references-count":54,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.3233\/jcs-210049","relation":{},"ISSN":["1875-8924","0926-227X"],"issn-type":[{"value":"1875-8924","type":"electronic"},{"value":"0926-227X","type":"print"}],"subject":[],"published":{"date-parts":[[2022,7,4]]}}}