284 research outputs found

    Changing users' security behaviour towards security questions: A game based learning approach

    Fallback authentication is used to retrieve forgotten passwords. Security questions are one of the main techniques used to conduct fallback authentication. In this paper, we propose a serious game design that uses system-generated security questions with the aim of improving the usability of fallback authentication. For this purpose, we adopted the popular picture-based "4 Pics 1 word" mobile game. This game was selected because of its use of pictures and cues, which previous psychology research found to be crucial to aid memorability. This game asks users to pick the word that relates to the given pictures. We then customized this game by adding features which help maximize the following memory retrieval skills: (a) verbal cues - by providing hints with verbal descriptions, (b) spatial cues - by maintaining the same order of pictures, (c) graphical cues - by showing 4 images for each challenge, (d) interactivity/engaging nature of the game. Comment: 6, Military Communications and Information Systems Conference (MilCIS), 2017. arXiv admin note: substantial text overlap with arXiv:1707.0807

    Comparing the usability of doodle and Mikon images to be used as authenticators in graphical authentication systems

    Recognition-based graphical authentication systems rely on the recognition of authenticator images by legitimate users for authentication. This paper presents the results of a study that compared doodle images and Mikon images as authenticators in recognition based graphical authentication systems taking various usability dimensions into account. The results of the usability evaluation, with 20 participants, demonstrated that users preferred Mikon to doodle images as authenticators in recognition based graphical authentication mechanisms. Furthermore, participants found it difficult to recognize doodle images during authentication as well as associate them with something meaningful. Our findings also show the need to consider the security offered by the images, especially their predictability

    CCBS – a method to maintain memorability, accuracy of password submission and the effective password space in click-based visual passwords

    Text passwords are vulnerable to many security attacks due to a number of reasons such as the insecure practices of end users who select weak passwords to maintain their long term memory. As such, visual password (VP) solutions were developed to maintain the security and usability of user authentication in collaborative systems. This paper focuses on the challenges facing click-based visual password systems and proposes a novel method in response to them. For instance, Hotspots reveal a serious vulnerability. They occur because users are attracted to specific parts of an image and neglect other areas. Undertaking image analysis to identify these high probability areas can assist dictionary attacks. Another concern is that click-based systems do not guide users towards the correct click-point they are aiming to select. For instance, users might recall the correct spot or area but still fail to include their click within the tolerance distance around the original click-point which results in more incorrect password submissions. Nevertheless, the Passpoints study by Wiedenbeck et al., 2005 inspected the retention of their VP in comparison with text passwords over the long term. Despite being cued-recall the successful rate of their VP submission was not superior to text passwords as it decreased from 85% (the instant retention on the day of registration) to 55% after 2 weeks. This result was identical to that of the text password in the same experiment. The successful submission rates after 6 weeks were also 55% for both VP and text passwords. This paper addresses these issues, and then presents a novel method (CCBS) as a usable solution supported by an empirical proof. A user study is conducted and the results are evaluated against a comparative study

    A Serious Game Design: Nudging Users’ Memorability of Security Questions

    Online review communities thrive on contributions from different reviewers, who exhibit a varying range of community behaviors. However, no attempt has been made in the IS literature to cluster behavioral patterns across a reviewer population. In this paper, we segment the reviewers of a popular review site (Yelp) using two-step cluster analysis based on four key attributes (reviewer involvement, sociability, experience, and review quality), resulting in three distinct reviewer segments - Enthusiasts, Adepts, and Amateurs. We also compare the propensity of receiving community recognition across these segments. We find that the Enthusiasts, who show high involvement and sociability, are the most recognized. Surprisingly, the Adepts, who are high on review quality, are the least recognized. The study is a novel attempt on reviewer segmentation and provides valuable insights to the community managers to customize strategies to increase productivity of different segments

    Designing Usable and Secure Authentication Mechanisms for Public Spaces

    Usable and secure authentication is a research field that approaches different challenges related to authentication, including security, from a human-computer interaction perspective. That is, work in this field tries to overcome security, memorability and performance problems that are related to the interaction with an authentication mechanism. More and more services that require authentication, like ticket vending machines or automated teller machines (ATMs), take place in a public setting, in which security threats are more inherent than in other settings. In this work, we approach the problem of usable and secure authentication for public spaces. The key result of the work reported here is a set of well-founded criteria for the systematic evaluation of authentication mechanisms. These criteria are justified by two different types of investigation, which are on the one hand prototypical examples of authentication mechanisms with improved usability and security, and on the other hand empirical studies of security-related behavior in public spaces. So this work can be structured in three steps: Firstly, we present five authentication mechanisms that were designed to overcome the main weaknesses of related work which we identified using a newly created categorization of authentication mechanisms for public spaces. The systems were evaluated in detail and showed encouraging results for future use. This and the negative sides and problems that we encountered with these systems helped us to gain diverse insights on the design and evaluation process of such systems in general. It showed that the development process of authentication mechanisms for public spaces needs to be improved to create better results. Along with this, it provided insights on why related work is difficult to compare to each other. 
Keeping this in mind, first criteria were identified that can fill these holes and improve design and evaluation of authentication mechanisms, with a focus on the public setting. Furthermore, a series of work was performed to gain insights on factors influencing the quality of authentication mechanisms and to define a catalog of criteria that can be used to support creating such systems. It includes a long-term study of different PIN-entry systems as well as two field studies and field interviews on real world ATM-use. With this, we could refine the previous criteria and define additional criteria, many of them related to human factors. For instance, we showed that social issues, like trust, can highly affect the security of an authentication mechanism. We used these results to define a catalog of seven criteria. Besides their definition, we provide information on how applying them influences the design, implementation and evaluation of the development process, and more specifically, how adherence improves authentication in general. A comparison of two authentication mechanisms for public spaces shows that a system that fulfills the criteria outperforms a system with less compliance. We could also show that compliance not only improves the authentication mechanisms themselves, it also allows for detailed comparisons between different systems

    Usability and Trust in Information Systems

    The need for people to protect themselves and their assets is as old as humankind. People's physical safety and their possessions have always been at risk from deliberate attack or accidental damage. The advance of information technology means that many individuals, as well as corporations, have an additional range of physical (equipment) and electronic (data) assets that are at risk. Furthermore, the increased number and types of interactions in cyberspace has enabled new forms of attack on people and their possessions. Consider grooming of minors in chat-rooms, or Nigerian email cons: minors were targeted by paedophiles before the creation of chat-rooms, and Nigerian criminals sent the same letters by physical mail or fax before there was email. But the technology has decreased the cost of many types of attacks, or the degree of risk for the attackers. At the same time, cyberspace is still new to many people, which means they do not understand risks, or recognise the signs of an attack, as readily as they might in the physical world. The IT industry has developed a plethora of security mechanisms, which could be used to mitigate risks or make attacks significantly more difficult. Currently, many people are either not aware of these mechanisms, or are unable or unwilling to use them. Security experts have taken to portraying people as "the weakest link" in their efforts to deploy effective security [e.g. Schneier, 2000]. However, recent research has revealed at least some of the problem may be that security mechanisms are hard to use, or ineffective. The review summarises current research on the usability of security mechanisms, and discusses options for increasing their usability and effectiveness