Kat Krol

Honorary Research Associate at UCL

Research Interests

My work focuses on security and privacy behaviours, on the Web and in organisations. In my PhD research, I studied the role of effort, understood as cognitive and physical workload, on users' security and privacy behaviours – ranging from behaviour resulting from a conscious cost-benefit analysis to attitudes and habituation.

In addition to understanding users' choices, I aim at enabling them with a vivid interest in usable security and privacy. From laboratory and field experiments and observational studies, I deduce recommendations for improving the design of devices and systems, hoping to make them both more user-friendly and secure. The overall aim is to help individuals enhance their online privacy and security.

Thus far, I have conducted studies on security warnings, authentication, CAPTCHAs, instant messaging and information disclosure in Web forms.

I'm passionate about doing user research. I have conducted a range of different studies with around 6,760 participants combined – 1,000 in face-to-face laboratory sessions, 60 in interviews at companies and 5,700 on the Amazon Mechanical Turk platform.


  • Krol, K., & Preibusch, S. (2016). Control Versus Effort in Privacy Warnings for Webforms, Workshop on Privacy in the Electronic Society (WPES) 2016
  • Krol, K., Spring, J.M., Parkin, S. & Sasse, M.A. (2016). Towards robust experimental design for user studies in security and privacy, The LASER Workshop: Learning from Authoritative Security Experiment Results [paper and blogpost]
  • Beautement, A., Becker, I., Parkin, S., Krol, K. & Sasse, M.A. (2016). Productive Security: A scalable methodology for analysing employee security behaviours. Workshop on Usable Privacy and Security (SOUPS) 2016 [paper and dataset]
  • Krol, K., Parkin, S. & Sasse, M.A. (2016). "I don't like putting my face on the Internet!" An acceptance study of face biometrics as a CAPTCHA replacement, ISBA 2016
  • Krol, K., Parkin, S. & Sasse, M.A. (2016). Better the Devil You Know: A User Study of Two CAPTCHAs and a Possible Replacement Technology. USEC: NDSS Workshop on Usable Security 2016
  • Krol, K., Rahman, M.S., Parkin, S., De Cristofaro, E. & Vasserman, E. (2016). An Exploratory Study of User Perceptions of Payment Methods in the UK and the US. USEC: NDSS Workshop on Usable Security 2016
  • Parkin, S., Driss, S., Krol, K. & Sasse, M.A. (2015). Assessing the User Experience of Password Reset Policies in a University, Passwords 2015
  • Parkin, S. & Krol, K. Appropriation of security technologies in the workplace. Workshop on Experiences of Technology Appropriation: Unanticipated Users, Usage, Circumstances, and Design, in conjunction with ECSCW 2015
  • Krol, K., & Preibusch, S. (2015). Effortless Privacy Negotiations. Security & Privacy, IEEE, 13(3), 88-91
  • Krol, K., Papanicolaou, C., Vernitski, A. & Sasse, M.A. (2015). "Too taxing on the mind!" Authentication grids might not be for everyone. HCI International 2015, 3rd International Conference on Human Aspects of Information Security, Privacy and Trust
  • Krol, K., Philippou, E., De Cristofaro, E. & Sasse, M.A. (2015). "They brought in the horrible key ring thing" Analysing the Usability of Two-Factor Authentication in UK Online Banking. USEC: NDSS Workshop on Usable Security 2015
  • Krol, K. (2014). "Wait: That's optional!" Designing helpful over-disclosure alerts. Designing Human Technologies (DHT) 2.0, 18-20 May 2014, Roskilde / Denmark
  • Sasse, M.A., Steves, M., Krol, K. & Chisnell, D. (2014). The Great Authentication Fatigue – And How to Overcome It. HCI International 2014, 6th International Conference on Cross-Cultural Design. Published in: Lecture Notes in Computer Science Volume 8528, 2014 (pp. 228-239)
  • Steves, M., Chisnell, D., Sasse, A., Krol, K., Theofanos, M. & Wald, H. (2014). Report: Authentication Diary Study NISTIR 7983
  • Sasse, M.A. & Krol, K. (2013). Usable biometrics for an ageing population. In: Fairhurst, M. (ed.), Age factors in biometric processing (pp. 303-320). The IET
  • Krol, K., Moroz, M. & Sasse, M.A. (2012). Don't Work. Can't Work? Why It's Time to Rethink Security Warnings. 7th International Conference on Risks and Security of Internet and Systems (CRiSIS 2012), 10-12 October 2012, Cork / Ireland
  • Preibusch, S., Krol, K. & Beresford, A.R. (2012). The privacy economics of voluntary overdisclosure in Web forms. 11th Workshop on the Economics of Information Security (WEIS 2012), 25-26 June 2012, Berlin / Germany
  • Marewski, J.N. & Krol, K. (2011). Fast, frugal, & moral: Uncovering the heuristics of morality. Journal of Organizational Moral Psychology, 1 (3), 1-20
  • Marewski, J.N., & Krol, K. (2010). Modelle ökologischer Rationalität: Auf dem Weg zu einer Theorie der Moralheuristiken [Models of ecological rationality: Towards studying the heuristics of morality.]. In: M. Iorio & R. Reisenzein (eds.), Regel, Norm, Gesetz: Eine interdisziplinäre Bestandsaufnahme (pp. 231-256) [Rules, norms, and laws. An interdisciplinary review]. Frankfurt am Main, Germany: Lang

This page was last modified on 28 Nov 2016.



6.07, Malet Place Engineering


+44 020 7679 0350


+44 020 7387 1397


k.krol [at] cs.ucl.ac.uk


Research Themes

  • Usable security and privacy
  • Authentication
  • Warnings
  • Information disclosure (e.g., through Web forms)
  • Workload