18 research outputs found

    What’s it worth to you? Applying risk tradeoff paradigms to explain user interactions with interruptive security messages

    Attacks on information security continue to result in large losses for organizations. Oftentimes, the breaches occur because organizational insiders fail to adhere to commonplace system security messages. This could be because, faced with the challenges and time demands of everyday stressors, security policy compliance can be costly for individuals; security actions require time and distract attention from other primary tasks. To defend against these attacks, user interactions with security messages need to be better understood. This study reports the results of a 110-participant MTurk field study that examines user interactions with interruptive security messages through the lens of a risk tradeoff paradigm. First, a gap in the information security literature is identified, wherein findings about low security-message attention are contrasted against studies that assume attention and information processing. Three competing hypotheses are proposed that describe different patterns of risk analysis that users may engage in when interacting with an interruptive security message: (1) very little to no elaboration over the risk-taking decision due to perniciously low attention, (2) consistent security message risk-taking decision elaboration, and (3) a bimodal situation where elaboration depends on the information security risk-reward tradeoff balance. Multiple behavioral dependent variables are corroborated to support the third hypothesis, suggesting the existence of a bimodal risk tradeoff paradigm for user interactions with interruptive security messages. The relevance of the findings for research and practice are discussed

    Understanding phishing awareness among students in tertiary institutions and setting-up defensive mechanisms against the attackers

    The average loss by companies to phishing in 2021 is $14.8 million, more than triple what it was in 2015. That translates to hundreds of billions of dollars in total losses from phishing attacks on global businesses, and the vulnerability of these attacks is every day increasing, particularly among the younger generation less than 40 years of age. This paper begins with a background exposition on phishing trends and highlights previous findings concerning users' susceptibility to phishing attacks. It however explores the term Phishing itself, its kinds, types and some basic measures necessary for defense against phishing activities. The research was employed with a major focus on the email aspect of phishing. Alongside the website aspect of phishing, the certificate of a website was also considered. The purpose of this study was to identify the level of student awareness related to specific phishing tactics. Findings revealed that while students are unlikely to provide personal information in response to an email/SMS request, they can be easily tricked by numerous other tactics. This paper reports the findings of the study in addition to listing suggested points to employ for creating phishing awareness

    Users Aren’t (Necessarily) Lazy: Using NeuroIS to Explain Habituation to Security Warnings

    Warning messages are one of the last lines of defense in information security, and are fundamental to users’ security interactions with technology. Unfortunately, research shows that users routinely ignore security warnings. A key contributor to this disregard is habituation, the diminishing of attention through frequent exposure. However, previous research has examined habituation indirectly by observing its influence on security behavior, rather than measuring habituation itself. We contribute by using functional magnetic resonance imaging (fMRI) to directly observe habituation as it occurs in the brain. Our results show that with repeated exposure to warnings, neural activity in the visual processing centers sharply decreases. We also show that this process occurs for images of both security warnings and general software applications, although habituation is more severe for security warnings. Our findings suggest that habituation is not due to users’ laziness or carelessness, but is a natural consequence of how the brain works

    Analysis of Credential Stealing Attacks in an Open Networked Environment

    Abstract. This paper analyses the forensic data on credential stealing incidents over a period of 5 years across 5000 machines monitored at the National Center for Supercomputing Applications at the University of Illinois. The analysis conducted is the first attempt in an open operational environment (i) to evaluate the intricacies of carrying out SSH-based credential stealing attacks, (ii) to highlight and quantify key characteristics of such attacks, and (iii) to provide the system level characterization of such incidents in terms of distribution of alerts and incident consequences. Keywords: Incident analysis; Credential stealing; Intrusion detectio

    Understanding users’ mental models of Federated Identity Management (FIM): use of a new tangible elicitation method

    The number of passwords users require to interact with online accounts continues to grow, as the services they interact with online become more and more common. Federated Identity Management (FIM) offers an easy option for users to authenticate themselves to many accounts using just one password from an Identity Provider such as Facebook or Google. Previous research has shown that users are reluctant to use such systems and have inaccurate mental models of how they work, but much of the research is now over a decade old. An initial exploratory study with 12 users asked them to create a mental model of a particular concrete FIM scenario, using a new tangible elicitation method involving felt icons and a flocked board, based on the Fuzzy-Felt toy for young children. It was found that almost all participants had inaccurate mental models of FIM which may lead to hesitancy to use such systems: they believe much more information is passed to the website they wish to log in to and they misunderstand the route taken by the information that is passed between their browser, the Identity Provider and the target website. The implications of these results and the new method of eliciting mental models are discussed

    Towards Seamless and Secure Mobile Authentication

    With the rise of mobile technology, the personal lives and sensitive information of everyday citizens are carried about without a thought to the risks involved. Despite this high possibility of harm, many fail to use simple security to protect themselves because they feel the benefits of securing their devices do not outweigh the cost to usability. The main issue is that beyond initial authentication, sessions are maintained using optional timeout mechanisms where a session will end if a user is inactive for a period of time. This interruption-based form of continuous authentication requires constant user intervention leading to frustration, which discourages its use. No solution currently exists that provides an implementation beyond the insecure and low usability of simple timeout and re-authentication. This work identifies the flaws of current mobile authentication techniques and provides a new solution that is not limiting to the user, has a system for secure, active continuous authentication, and increases the usability and security over current methods. Dissertation/Thesis, Masters Thesis, Computer Science 201

    Bridging the gap between human and machine trust : applying methods of user-centred design and usability to computer security

    This work presents methods for improving the usability of security. The work focuses on trust as part of computer security. Methods of usability and user-centred design present an essential starting point for the research. The work uses the methods these fields provide to investigate differences between machine and human trust, as well as how the technical expressions of trust could be made more usable by applying these methods. The thesis is based on nine publications, which present various possibilities to research trust with user-centric methods. The publications proceed chronologically and logically from the first user interviews about trust, trusting attitudes and behaviours in general to the actual design and usability testing of user interfaces for security applications, finally presenting the outcomes and conclusions of the research. The work also presents a review of relevant previous work in the area, concentrating on work done in the fields of usability and user-centred design. The work is of cross-disciplinary nature, falling into the areas of human-computer interaction, computer science and telecommunications. The ultimate goal of the conducted research has been to find out 1) how trust is to be understood in this context; 2) what methods can be used to gain insight into trust thus defined; and, finally, 3) what means can be used to create trust in the end users in online situations, where trust is needed. The work aims at providing insight into how trust can be studied with the methods provided by user-centred design and usability. Further, it investigates how to take understanding of trust formation in humans into account when attempting to design trust-inducing systems and applications. The work includes an analysis and comparison of the methods used: what kinds of methods to study trust exist in the field of usability and user-centred design. 
Further, it is evaluated, what kind of results and when can be reached with the different methods available, by applying a variety of these methods. Recommendations for the appropriate application of these methods when studying the various parts of trust is one of the outcomes. The results received with the methods used have also been compared with results received by others by applying alternative methods to the same research questions. On a conceptual level, the work contains an analysis of the concept of trust. It also contains a brief investigation into both technical and humane ways to express trust, with a comparison between the two

    ENHANCING USABILITY USING AUTOMATED SECURITY INTERFACE ADAPTATION (ASIA)

    2 PUBLISHED CONFERENCE PROCEEDINGS PROVIDED IN APPENDIX E. Many users are now significantly dependent upon computer applications. Whilst many aspects are now used very successfully, an area in which usability difficulties continue to be encountered is in relation to security. This can become particularly acute in situations where users are required to interact and make decisions, and a key context here is typically when they need to respond to security warnings. The current implementation of security warnings can often be considered as an attempt to offer a one size fits all solution. However, it can be argued that many implementations are still lacking the ability to provide meaningful and effective warnings. As such, this research focuses upon achieving a better understanding of the elements that aid end-users in comprehending the warnings, the difficulties with the current approaches, and the resulting requirements in order to improve the design and implementation of such security dialogues. In the early stage of research, a survey was undertaken to investigate perceptions of security dialogues in practice, with a specific focus upon security warnings issued within web browsers. This provided empirical evidence of end-users’ experiences, and revealed notable difficulties in terms of their understanding and interpretation of the security interactions. Building upon this, the follow-up research investigated understanding of application level security warnings in wider contexts, looking firstly at users’ interpretation of what constitutes a security warning and then at their level of comprehension when related warnings occurred. These results confirmed the need to improve the dialogues so that the end-users are able to act appropriately, and consequently promoted the design and prototype implementation of a novel architecture to improve security warnings, which has been titled Automated Security Interface Adaptation (ASIA). 
The ASIA approach aims to improve security warnings by tailoring the interaction more closely to individual user needs. By automatically adapting the presentation to match each user’s understanding and preferences, security warnings can be modified in ways that enable users to better comprehend them, and thus make more informed security decisions and choices. A comparison of the ASIA-adapted interfaces compared to standard versions of warnings revealed that the modified versions were better understood. As such, the ASIA approach has significant potential to assist (and thereby protect) the end-user community in their future interactions with security. UNIVERSITY SAINS MALAYSIA (USM), MINISTRY OF HIGHER EDUCATION MALAYSIA (MOHE

    Enhancing Web Browsing Security

    Web browsing has become an integral part of our lives, and we use browsers to perform many important activities almost every day and everywhere. However, due to the vulnerabilities in Web browsers and Web applications and also due to Web users' lack of security knowledge, browser-based attacks are rampant over the Internet and have caused substantial damage to both Web users and service providers. Enhancing Web browsing security is therefore of great need and importance. This dissertation concentrates on enhancing the Web browsing security through exploring and experimenting with new approaches and software systems. Specifically, we have systematically studied four challenging Web browsing security problems: HTTP cookie management, phishing, insecure JavaScript practices, and browsing on untrusted public computers. We have proposed new approaches to address these problems, and built unique systems to validate our approaches. To manage HTTP cookies, we have proposed an approach to automatically validate the usefulness of HTTP cookies at the client-side on behalf of users. By automatically removing useless cookies, our approach helps a user to strike an appropriate balance between maximizing usability and minimizing security risks. To protect against phishing attacks, we have proposed an approach to transparently feed a relatively large number of bogus credentials into a suspected phishing site. Using those bogus credentials, our approach conceals victims' real credentials and enables a legitimate website to identify stolen credentials in a timely manner. To identify insecure JavaScript practices, we have proposed an execution-based measurement approach and performed a large-scale measurement study. Our work sheds light on the insecure JavaScript practices and especially reveals the severity and nature of insecure JavaScript inclusion and dynamic generation practices on the Web. 
To achieve secure and convenient Web browsing on untrusted public computers, we have proposed a simple approach that enables an extended browser on a mobile device and a regular browser on a public computer to collaboratively support a Web session. A user can securely perform sensitive interactions on the mobile device and conveniently perform other browsing interactions on the public computer