Improving security decisions with polymorphic and audited dialogs
Source: ACM International Conference Proceeding Series, Vol. 229
Proceedings of the 3rd Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, Pennsylvania
Session: Training and such
Pages: 76-85
Year of Publication: 2007
ISBN: 978-1-59593-801-5
Authors
José Carlos Brustoloni  University of Pittsburgh, Pittsburgh, PA
Ricardo Villamarín-Salomón  University of Pittsburgh, Pittsburgh, PA
Sponsor: CyLab
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1280680.1280691

ABSTRACT

Context-sensitive guidance (CSG) can help users make better security decisions. Applications with CSG ask the user to provide relevant context information. Based on that information, the application then decides on, or suggests, an appropriate course of action. However, users often deem security dialogs irrelevant to the tasks they are performing and try to evade them. This paper contributes two new techniques for hardening CSG against automatic and false user answers. Polymorphic dialogs continuously change the form of the required user inputs and intentionally delay them, forcing users to pay attention to security decisions. Audited dialogs thwart false user answers by (1) warning users that their answers will be forwarded to auditors, and (2) allowing auditors to quarantine users who provide unjustified answers. We implemented CSG against email-borne viruses on the Thunderbird email agent. One version, CSG-PD, includes CSG and polymorphic dialogs. Another version, CSG-PAD, includes CSG and both polymorphic and audited dialogs. In user studies, we found that untrained users accept significantly fewer unjustified risks with CSG-PD than with conventional dialogs. Moreover, they accept significantly fewer unjustified risks with CSG-PAD than with CSG-PD. CSG-PD and CSG-PAD have an insignificant effect on acceptance of justified risks.


