
    When information security depends on font size : how the saliency of warnings affects protection behavior

    Prior research on how to improve the effectiveness of information security warnings has predominantly focused on either the informational content of warnings or their visual saliency. In an online experiment (N = 1’486), we disentangle the effect of both manipulations and demonstrate that both factors simultaneously influence decision making. Our data indicate that the proportion of people who engage in protection behavior can be increased by roughly 65% by making a particular warning message more visually salient (i.e. a more conspicuous visual design is used). We also show that varying the message’s saliency can make people behave very differently when confronted with the same threat or behave very similarly when confronted with threats that differ widely in terms of severity of outcomes. Our results suggest that the visual design of a warning may warrant at least as much attention as the informational content that the warning message conveys.

    PUPy: A Generalized, Optimistic Context Detection Framework

    In modern life, the usage of smart devices like smartphones and laptops that allow for access to information, communication with friends and colleagues and other indispensable services has become ubiquitous. People have gradually taken to performing more and more of their daily tasks on and through these devices. Therefore, all modern smart devices employ some form of authentication to ensure that access to this confidential data by the wrong person is avoided. This authentication method is usually some form of explicit authentication, which can be detrimental to the user's experience, often leading to users forgoing authentication entirely. Implicit authentication aims to limit the amount of explicit authentications that are necessary for the user, using passive approaches to authenticate the user instead. Context detection frameworks aim to reduce explicit authentications by disabling explicit authentication entirely when appropriate. Since these two approaches are not mutually exclusive, there exist frameworks that will use the context around them to make decisions when authenticating on which approach to use. This combination of context detection with implicit authentication is the approach taken in this work, though we focus mainly on the context detection part of this hybrid approach. We aim to build upon existing works through wider applicability, better accuracy through numerous data sources, and most importantly, an optimistic approach to context detection. We build a framework based on the assumption that the absence of data can, in some cases, be taken as a sign the context is safe. This optimistic approach provides a less secure method of determining the context of the device, but simultaneously provides a significantly improved user experience. In this thesis, we outline a theoretical context detection framework that is based on a novel set of values. 
These values are called privacy, unfamiliarity and proximity, each describing a different aspect of the current context. Privacy tracks the privacy of the current context, while unfamiliarity tracks how many unfamiliar people are around. Finally, proximity estimates the distance between the device and the user. These values are calculated using a method we devise that better adapts to different contexts. We provide an Android implementation of the framework, including an API that allows other developers to contribute modules to the system. These modules can provide additional input data for PUPy, or build functionality that uses the calculated values. Finally, we evaluate the theoretical framework, using two datasets - Cambridge/Haggle and the MDC dataset. We conduct visual and statistical analysis of how the system functions using data from the datasets. Through this analysis, we find that PUPy compares favourably to existing works, permitting a 77% reduction on average in the number of explicit authentications.