Assessing the role of conceptual knowledge in an anti-phishing game

Copyright @ 2014 IEEE. This is the author accepted version of this article.Games can be used to support learning and confidence development in several domains, including the secure use of computers. However, emphasizing different types of knowledge in a game design can lead to different outcomes. This study explores two game designs that aim to enhance students' ability to identify phishing hyperlinks. One design focuses on procedural knowledge: developing students' tacit ability to recognize phishing hyperlinks through systematic practice. The other design focuses on conceptual knowledge: helping students to explicitly reflect upon and identify the features of phishing hyperlinks. The results of a double-blind randomized trial with 66 participants suggests that using a game designed for conceptual knowledge leads to a greater increase in learners' ability to identify phishing hyperlinks. Hence, incorporating conceptual knowledge development into educational games enhances their efficacy within the computer security context

Countering Social Engineering through Social Media: An Enterprise Security Perspective

The increasing threat of social engineers targeting social media channels to advance their attack effectiveness on company data has seen many organizations introducing initiatives to better understand these vulnerabilities. This paper examines concerns of social engineering through social media within the enterprise and explores countermeasures undertaken to stem ensuing risk. Also included is an analysis of existing social media security policies and guidelines within the public and private sectors.Comment: Proceedings of The 7th International Conference on Computational Collective Intelligence Technologies and Applications (ICCCI 2015), LNAI, Springer, Vol. 9330, pp. 54-6

Baiting the Hook: Factors Impacting Susceptibility to Phishing Attacks

Over the last decade, substantial progress has been made in understanding and mitigating phishing attacks. Nonetheless, the percentage of successful attacks is still on the rise. In this article, we critically investigate why that is the case, and seek to contribute to the field by highlighting key factors that influence individuals’ susceptibility to phishing attacks. For our investigation, we conducted a web-based study with 382 participants which focused specifically on identifying factors that help or hinder Internet users in distinguishing phishing pages from legitimate pages. We considered relationships between demographic characteristics of individuals and their ability to correctly detect a phishing attack, as well as time-related factors. Moreover, participants’ cursor movement data was gathered and used to provide additional insight. In summary, our results suggest that: gender and the years of PC usage have a statistically significant impact on the detection rate of phishing; pop-up based attacks have a higher rate of success than the other tested strategies; and, the psychological anchoring effect can be observed in phishing as well. Given that only 25 % of our participants attained a detection score of over 75 %, we conclude that many people are still at a high risk of falling victim to phishing attacks but, that a careful combination of automated tools, training and more effective awareness campaigns, could significantly help towards preventing such attacks

ACIS

In this paper, we develop a theoretical model for the adoption process of Information System Security innovations in organisations. The model stemmed from the Diffusion of Innovation theory (DOI), the Technology Acceptance Model (TAM), the Theory of Planned Behaviour (TPB) and the Technology- Organisation-Environment (TOE) framework. The model portrays Information System Security adoption process progressing in a sequence of stages. The study considers the adoption process from the initiation stage until the acquisition of innovation as an organisational level judgement while the process of innovation assimilation and integration is assessed in terms of the user behaviour within the organisation. The model also introduces several factors that influence the Information System Security innovation adoption. By merging the organisational adoption and user acceptance of innovation in a single depiction, this research contributes to IS security literature a more comprehensive model for IS security adoption in organisation, compare to any of the past representations

ACM International Conference Proceeding Series

Lack of usability of security Application Programming Interfaces (APIs) is one of the main reasons for mistakes that programmers make that result in security vulnerabilities in software applications they develop. Especially, APIs that provide cryptographic functionalities such as password hashing are sometimes too complex for programmers to learn and use. To improve the usability of these APIs to make them easy to learn and use, it is important to identify the usability issues exist on those APIs that make those harder to learn and use. In this work, we evaluated the usability of SCrypt password hashing functionality of Bouncycastle API to identify usability issues in it that persuade programmers to make mistakes while developing applications that would result in security vulnerabilities. We conducted a study with 10 programmers where each of them spent around 2 hours for the study and attempted to develop a secure password storage solution using Bouncycastle API. From data we collected, we identified 63 usability issues that exist in the SCrypt implementation of Bouncycastle API. Results of our study provided useful insights about how security/cryptographic APIs should be designed, developed and improved to provide a better experience for programmers who use them. Furthermore, we expect that this work will provide a guidance on how to conduct usability evaluations for security APIs to identify usability issues exist in them

Am I Responsible for End-User’s Security?

Previous research has pointed that software applications shouldnot depend on programmers to provide security for end-usersas majority of programmers are not experts of computer security.On the other hand, some studies have revealed thatsecurity experts believe programmers have a major role toplay in ensuring the end-users’ security. However, there havebeen no investigation on what programmers perceive abouttheir responsibility for the end-users’ security of applicationsthey develop. In this work, by conducting a qualitative experimentalstudy with 40 software developers, we attemptedto understand the programmer’s perception on who is responsiblefor ensuring end-users’ security of the applicationsthey develop. Results revealed majority of programmersperceive that they are responsible for the end-users’ securityof applications they develop. Furthermore, results showedthat even though programmers aware of things they needto do to ensure end-users’ security, they do not often followthem. We believe these results would change the currentview on the role that different stakeholders of the softwaredevelopment process (i.e. researchers, security experts,programmers and Application Programming Interface (API)developers) have to play in order to ensure the security ofsoftware applications

Why Johnny Can’t Develop a Secure Application? A Usability Analysis of Java Secure Socket Extension API

Lack of usability of security Application Programming Interfaces (APIs) is one of the main reasons for mistakes that programmers make that result in security vulnerabilities in software applications they develop. Especially, APIs that provide Transport Layer Security (TLS) related functionalities are sometimes too complex for programmers to learn and use. Therefore, applications are often diagnosed with vulnerable TLS implementations due to mistakes made by programmers. In this work, we evaluated the usability of Java Secure Socket Extension (JSSE) API to identify usability issues in it that persuade programmers to make mistakes while developing applications that would result in security vulnerabilities. We conducted a study with 11 programmers where each of them spent around 2 hours and attempted to develop a secure programming solution using JSSE API. From data we collected, we identified 59 usability issues that exist in JSSE API. Then we divided those usability issues into 15 cognitive dimensions and analyzed how those issues affected the experience of participant programmers. Results of our study provided useful insights about how TLS APIs and similar security APIs should be designed, developed and improved to provide a better experience for programmers who use them

Proceedings 19th International Conference on Human-Computer Interaction (HCII)

Programmers use security APIs to embed security into the applications they develop. Security vulnerabilities get introduced into those applications, due to the usability issues that exist in the security APIs. Improving usability of security APIs would contribute to improve the security of applications that programmers develop. However, currently there is no methodology to evaluate the usability of security APIs. In this study, we attempt to improve the Cognitive Dimensions framework based API usability evaluation methodology, to evaluate the usability of security APIs