Revisiting the Design Agenda for Privacy Notices and Security Warnings

System-generated user-facing notices, dialogs, and warnings in privacy and security interventions present the opportunity to support users in making informed decisions about identified risks. However, too often, they are bypassed, ignored, and mindlessly clicked through, mainly in connection to the well-studied effect of user fatigue and habituation. The contribution of this position paper is to provide a summarized review of established and emergent design dimensions and principles to limit such risk-prone behavior, and to identify three emergent research and design directions for privacy-enhancing dialogs

Revisiting the Design Agenda for Privacy Notices and Security Warnings

System-generated user-facing notices, dialogs, and warnings in privacy and security interventions present the opportunity to support users in making informed decisions about identified risks. However, too often, they are bypassed, ignored, and mindlessly clicked through, mainly in connection to the well-studied effect of user fatigue and habituation. The contribution of this position paper is to provide a summarized review of established and emergent design dimensions and principles to limit such risk-prone behavior, and to identify three emergent research and design directions for privacy-enhancing dialogs.Comment: 11 pages, 3 figures, Workshop on Privacy Interventions and Education (PIE): Encouraging Privacy Protective Behavioral Change Online, ACM CHI Conference on Human Factors in Computing Systems, 23-28 April 2023, Hamburg, German

Towards an Assessment of Pause Periods on User Habituation in Mitigation of Phishing Attacks

Social engineering is the technique in which the attacker sends messages to build a relationship with the victim and convinces the victim to take some actions that lead to significant damages and losses. Industry and law enforcement reports indicate that social engineering incidents costs organizations billions of dollars. Phishing is the most pervasive social engineering attack. While email filtering and warning messages have been implemented for over three decades, organizations are constantly falling for phishing attacks. Prior research indicated that attackers use phishing emails to create an urgency and fear response in their victims causing them to use quick heuristics, which leads to human errors. Humans use two types of decision-making processes: a heuristic decision, which is a quick, instinctual decision-making process known as ‘System One’, and a second, known as ‘System Two,’ that is a slow, logical process requiring attention. ‘System Two’ is often triggered by a pause in the decision-making process. Additionally, timers were found in other research fields (medicine, transportation, etc.) to affect users’ judgement and reduce human errors. Therefore, the main goal of this work-in-progress research study is to determine through experimental field study whether requiring email users to pause by displaying a phishing email warning with a timer, has any effect on users falling to simulated phishing attacks. This paper will outline the rationale and the process proposed for the validation of the field experiments with Subject Matter Experts (SMEs). Limitations of the proposed study and recommendation for further research are provided

Users Aren’t (Necessarily) Lazy: Using NeuroIS to Explain Habituation to Security Warnings

Warning messages are one of the last lines of defense in information security, and are fundamental to users’ security interactions with technology. Unfortunately, research shows that users routinely ignore security warnings. A key contributor to this disregard is habituation, the diminishing of attention through frequent exposure. However, previous research has examined habituation indirectly by observing its influence on security behavior, rather than measuring habituation itself. We contribute by using functional magnetic resonance imaging (fMRI) to directly observe habituation as it occurs in the brain. Our results show that with repeated exposure to warnings, neural activity in the visual processing centers sharply decreases. We also show that this process occurs for images of both security warnings and general software applications, although habituation is more severe for security warnings. Our findings suggest that habituation is not due to users’ laziness or carelessness, but is a natural consequence of how the brain works

The Effect of Developer-Specified Explanations for Permission Requests on Smartphone User Behavior

In Apple’s iOS 6, when an app requires access to a protected resource (e.g., location or photos), the user is prompted with a permission request that she can allow or deny. These permission request dialogs include space for developers to optionally include strings of text to explain to the user why access to the resource is needed. We examine how app developers are using this mechanism and the effect that it has on user behavior. Through an online survey of 772 smartphone users, we show that permission requests that include explanations are significantly more likely to be approved. At the same time, our analysis of 4,400 iOS apps shows that the adoption rate of this feature by developers is relatively small: around 19 % of permission requests include developer-specified explanations. Finally, we surveyed 30 iOS developers to better understand why they do or do not use this feature

Can We Fight Social Engineering Attacks By Social Means? Assessing Social Salience as a Means to Improve Phish Detection

Phishing continues to be a problem for both individuals and organisations, with billions of dollars lost every year. We propose the use of nudges – more specifically social saliency nudges that aim to highlight important information to the user when evaluating emails. We used a signal detection analysis to assess the effects of both sender saliency (highlighting important fields from the sender) and receiver saliency (showing numbers of other users in receipt of the same email). Sender saliency improved phish detection but did not introduce any unwanted response bias. Users were asked to rate their confidence in their own judgements and these confidence scores were poorly calibrated with actual performance, particularly for phishing (as opposed to genuine) emails. We also examined the role of impulsive behaviour on phish detection, concluding that those who score highly on dysfunctional impulsivity are less likely to detect the presence of phishing emails

EXPERIMENTAL STUDY TO ASSESS THE IMPACT OF TIMERS ON USER SUSCEPTIBILITY TO PHISHING ATTACKS

Social engineering costs organizations billions of dollars. It exploits the weakest link of information systems security, the users. It is well-documented in literature that users continue to click on phishing emails costing them and their employers significant monetary resources and data loss. Training does not appear to mitigate the effects of phishing much; other solutions are warranted. Kahneman introduced the concepts of System-One and System-Two thinking. System-One is a quick, instinctual decision-making process, while System-Two is a process by which humans use a slow, logical, and is easily disrupted. The key aim of our experimental field study was to investigate if requiring the user to pause by presenting a countdown or count-up timer when a possible phishing email is opened will influence the user to enter System-Two thinking. In this study, we designed, developed, and empirically tested a Pause-and-Think (PAT) mobile app that presented a user with a warning dialog and a countdown or count-up timer. Our goal was to determine whether requiring users to wait with a colored warning and a timer has any effect on phishing attempts. The study was completed in three phases with 42 subject matter experts and 107 participants. The results indicated that a countdown timer set at 3-seconds accompanied by red warning text was most effective on the user’s ability to avoid clicking on a malicious link or attachment. Recommendations for future research include enhancements to the PAT mobile app and investigating what effect the time of day has on susceptibility to phishing

Evaluating the End-User Experience of Private Browsing Mode

Nowadays, all major web browsers have a private browsing mode. However, the mode's benefits and limitations are not particularly understood. Through the use of survey studies, prior work has found that most users are either unaware of private browsing or do not use it. Further, those who do use private browsing generally have misconceptions about what protection it provides. However, prior work has not investigated \emph{why} users misunderstand the benefits and limitations of private browsing. In this work, we do so by designing and conducting a three-part study: (1) an analytical approach combining cognitive walkthrough and heuristic evaluation to inspect the user interface of private mode in different browsers; (2) a qualitative, interview-based study to explore users' mental models of private browsing and its security goals; (3) a participatory design study to investigate why existing browser disclosures, the in-browser explanations of private browsing mode, do not communicate the security goals of private browsing to users. Participants critiqued the browser disclosures of three web browsers: Brave, Firefox, and Google Chrome, and then designed new ones. We find that the user interface of private mode in different web browsers violates several well-established design guidelines and heuristics. Further, most participants had incorrect mental models of private browsing, influencing their understanding and usage of private mode. Additionally, we find that existing browser disclosures are not only vague, but also misleading. None of the three studied browser disclosures communicates or explains the primary security goal of private browsing. Drawing from the results of our user study, we extract a set of design recommendations that we encourage browser designers to validate, in order to design more effective and informative browser disclosures related to private mode

The Role of User Behaviour in Improving Cyber Security Management

Information security has for long time been a field of study in computer science, software engineering, and information communications technology. The term ‘information security’ has recently been replaced with the more generic term cybersecurity. The goal of this paper is to show that, in addition to computer science studies, behavioural sciences focused on user behaviour can provide key techniques to help increase cyber security and mitigate the impact of attackers’ social engineering and cognitive hacking methods (i.e., spreading false information). Accordingly, in this paper, we identify current research on psychological traits and individual differences among computer system users that explain vulnerabilities to cyber security attacks and crimes. Our review shows that computer system users possess different cognitive capabilities which determine their ability to counter information security threats. We identify gaps in the existing research and provide possible psychological methods to help computer system users comply with security policies and thus increase network and information security