
    It is not about the design - it is about the content! Making warnings more efficient by communicating risks appropriately

    Most studies in usable security research aim at a quantification of persons who – depending on the subject – fall for phishing, pass on their password, download malicious software and so on. In contrast, little research is done to identify the reasons for such insecure behavior. Within this paper, the result of a laboratory study is presented in which participants were confronted with different certificate warnings. Those warnings were presented when the participants tried to access different websites of different criticality (online banking, online shopping, social networks and information sites). Besides quantitative analyses of participants who were willing to use a website despite the warning, the main focus of this work is to identify reasons for their decision. As a result of our study, those risks are identified which were unacceptable for most participants to take, and which thereby might help to prevent insecure usage behavior on the web by rewording warnings according to the perceived risks.

    Security Warning Life Cycle: Challenges and Panacea

    Security warnings are a very important aspect of computer security. A security warning is a form of message conveyed to inform the user of the risk of allowing an application to run on the computer system. Security warnings play an important role in notifying, warning and advising users about the potential result of an action beforehand. However, security warnings are often ignored for various reasons, such as poor design of security warnings and too many technical terms used in security warnings. This research highlights insights into the discovery of problems and difficulties encountered by users, approaches to improving security warnings and the future direction of the security warning improvement process. We propose to utilise a hybrid approach of iterative design and mental models in the effort to enhance the current implementation of security warnings. Iterative design is a cyclic design process in which prototyping, testing and refining are done repeatedly. A mental model is a person’s psychological representation of how they perceive and understand something. It is expected that this paper will help researchers comprehend the approaches and challenges involved in improving security warnings.

    Explainer video “Online-Betrug” – Recognising phishing e-mails demonstrably and significantly better after only five minutes

    Fraudsters have always exploited the trust of careless people and tried to defraud them. In the computer age, the opportunities available to fraudsters have expanded, and they can now target any person who has an e-mail address. Fraudsters tailor their phishing messages specifically to their victims and conceal the deception and fraud as well as they can. Consequently, raising users’ awareness of phishing and enabling them to detect it successfully is becoming ever more important. The phishing awareness programmes we have developed so far address existing misconceptions and misunderstandings about phishing and can specifically help to improve the detection of such messages. The biggest drawback of these awareness programmes is the time they require. We therefore developed and evaluated a phishing awareness video that informs viewers about phishing in five minutes. After watching the video, participants in our study were able to recognise phishing messages significantly more reliably (compared with their detection rate before watching the video). This ability could also be demonstrated in a final survey after an eight-week break.

    Contextualized Security Interventions in Password Transmission Scenarios

    Usable security user studies, as well as the number of successful attacks on end users’ data and devices, show that today’s security interventions, like the green URL bar and self-signed certificate warnings, do not protect end users effectively, for many reasons. To improve the situation, we proposed the Framework fOr Contextualized security Interventions (FOCI). While this framework provides general guidelines on how to develop contextualized security interventions, this is the first paper in which the framework is applied to actually develop adequate security intervention strategies and intervention content. We focus on a subset of security- and privacy-critical scenarios in the context of web applications – namely those in which users visit web pages containing a password field. If either the communication is not confidential and authenticated or the service behind the web page is not trustworthy, entering a password can have consequences like financial loss and privacy leakage, in particular for users reusing their passwords across several different web pages. Therefore, it is important to provide effective security interventions for these scenarios.

    ENHANCING USABILITY USING AUTOMATED SECURITY INTERFACE ADAPTATION (ASIA)

    2 published conference proceedings provided in Appendix E.
    Many users are now significantly dependent upon computer applications. Whilst many aspects are now used very successfully, an area in which usability difficulties continue to be encountered is in relation to security. This can become particularly acute in situations where users are required to interact and make decisions, and a key context here is typically when they need to respond to security warnings. The current implementation of security warnings can often be considered an attempt to offer a one-size-fits-all solution. However, it can be argued that many implementations still lack the ability to provide meaningful and effective warnings. As such, this research focuses upon achieving a better understanding of the elements that aid end-users in comprehending the warnings, the difficulties with the current approaches, and the resulting requirements in order to improve the design and implementation of such security dialogues. In the early stage of the research, a survey was undertaken to investigate perceptions of security dialogues in practice, with a specific focus upon security warnings issued within web browsers. This provided empirical evidence of end-users’ experiences, and revealed notable difficulties in terms of their understanding and interpretation of the security interactions. Building upon this, the follow-up research investigated understanding of application-level security warnings in wider contexts, looking firstly at users’ interpretation of what constitutes a security warning and then at their level of comprehension when related warnings occurred. These results confirmed the need to improve the dialogues so that end-users are able to act appropriately, and consequently prompted the design and prototype implementation of a novel architecture to improve security warnings, which has been titled Automated Security Interface Adaptation (ASIA). The ASIA approach aims to improve security warnings by tailoring the interaction more closely to individual user needs. By automatically adapting the presentation to match each user’s understanding and preferences, security warnings can be modified in ways that enable users to better comprehend them, and thus make more informed security decisions and choices. A comparison of the ASIA-adapted interfaces with standard versions of warnings revealed that the modified versions were better understood. As such, the ASIA approach has significant potential to assist (and thereby protect) the end-user community in their future interactions with security.
    Universiti Sains Malaysia (USM), Ministry of Higher Education Malaysia (MOHE)