Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online

Advancements in information technology often task users with complex and consequential privacy and security decisions. A growing body of research has investigated individuals’ choices in the presence of privacy and information security tradeoffs, the decision-making hurdles affecting those choices, and ways to mitigate such hurdles. This article provides a multi-disciplinary assessment of the literature pertaining to privacy and security decision making. It focuses on research on assisting individuals’ privacy and security choices with soft paternalistic interventions that nudge users toward...

Information Security in the Workplace: A Mixed-Methods Approach to Understanding and Improving Security Behaviours

The thesis identified influencers and barriers to specific security behaviours and developed an extended-Protection Motivation Theory model. The model includes information sensitivity appraisal as an important influencer for which a new scale (WISA) was developed and validated. The model was tested on three specific anti-malware behaviours: usage of antimalware software, installing software updates and avoiding suspicious links within emails. The testing allowed the identification of the most influential factors for each behaviour and demonstrated how these factors differ between behaviours....

Effects of cyber security knowledge on attack detection

Ensuring cyber security is a complex task that relies on domain knowledge and requires cognitive abilities to determine possible threats from large amounts of network data. This study investigates how knowledge in network operations and information security influence the detection of intrusions in a simple network. We developed a simplified Intrusion Detection System (IDS), which allows us to examine how individuals with or without knowledge in cyber security detect malicious events and declare an attack based on a sequence of network events. Our results indicate that more knowledge in cyber...

Your Attention Please Designing security-decision UIs to make genuine risks harder to ignore

We designed and tested attractors for computer security dialogs: user-interface modifications used to draw users’ attention to the most important information for making decisions. Some of these modifications were purely visual, while others temporarily inhibited potentially-dangerous behaviors to redirect users’ attention to salient information. We conducted three between-subjects experiments to test the effectiveness of the attractors. In the first two experiments, we sent participants to perform a task on what appeared to be a third-party site that required installation of a browser...

“Little Brothers Watching You:” Raising Awareness of Data Leaks on Smartphones

Today’s smartphone applications expect users to make decisions about what information they are willing to share, but fail to provide sufficient feedback about which privacy sensitive information is leaving the phone, as well as how frequently and with which entities it is being shared. Such feedback can improve users’ understanding of potential privacy leakages through apps that collect information about them in an unexpected way. Through a qualitative lab study with 19 participants, we first discuss misconceptions that smartphone users currently have with respect to two popular game...

Contextualized Web warnings, and how they cause distrust

Current warnings in Web browsers are difficult to understand for lay users. We address this problem through more concrete warning content by contextualizing the warning – for example, taking the user’s current intention into account in order to name concrete consequences. To explore the practical value of contextualization and potential obstacles, we conduct a behavioral study with 36 participants who we either confront with contextualized or with standard warning content while they solve Web browsing tasks. We also collect exploratory data in a posterior card-sorting exercise and interview....

Designing a Mobile Game to Teach Conceptual Knowledge of Avoiding ‘Phishing Attacks’

Phishing is a form of online identity theft, which attempts to appropriate confidential and sensitive information such as usernames and passwords from its victims. To facilitate cyberspace as a secure environment, phishing education needs to be made accessible to home computer users and mobile games enable embedded learning in a natural environment. Previously, we have introduced a mobile game design that aimed to enhance avoidance motivation and behavior to protect against phishing threats. This paper focuses on a design that develops the conceptual knowledge that is necessary to combat...

Johnny in internet café: user study and exploration of password autocomplete in web browsers

One of the most popular aids adopted by users to reduce the pain suffered from the use of passwords is browsers’ autocomplete feature. This feature, caching username and password after getting the user consent and using them later for automatic completion, is available in all modern browsers but communication with the user asking consent is implemented in different ways. In this paper, we report on user studies comparing active communication with a blocking dialog box and passive communication with a non-intrusive toolbar. We found that a dialog box misled users to save passwords in...

Phishing IQ Tests Measure Fear, Not Ability

We argue that phishing IQ tests fail to measure susceptibility to phishing attacks. We conducted a study where 40 subjects were asked to answer a selection of questions from existing phishing IQ tests in which we varied the portion (from 25% to 100%) of the questions that corresponded to phishing emails. We did not find any correlation between the actual number of phishing emails and the number of emails that the subjects indicated were phishing. Therefore, the tests did not measure the ability of the subjects. To further confirm this, we exposed all the subjects to existing phishing...

Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook

Online social networks such as Friendster, MySpace, or the Facebook have experienced exponential growth in membership in recent years. These networks offer attractive means for interaction and communication, but also raise privacy and security concerns. In this study we survey a representative sample of the members of the Facebook (a social network for colleges and high schools) at a US academic institution, and compare the survey data to information retrieved from the network itself. We look for underlying demographic or behavioral differences between the communities of the network’s...

Bridging the gap between organisational and user perspectives of security in the clinical domain

An understanding of ‘communities of practice’ can help to make sense of existing security and privacy issues within organizations; the same understanding can be used proactively to help bridge the gap between organizational and end-user perspectives on these matters. Findings from two studies within the health domain reveal contrasting perspectives on the ‘enemy within’ approach to organizational security. Ethnographic evaluations involving in-depth interviews, focus groups and observations with 93 participants (clinical staff, managers, library staff and IT department members) were...