DOI: 10.1145/1280680.1280691

Improving security decisions with polymorphic and audited dialogs

Published: 18 July 2007

Abstract

Context-sensitive guidance (CSG) can help users make better security decisions. Applications with CSG ask the user to provide relevant context information. Based on such information, these applications then decide or suggest an appropriate course of action. However, users often deem security dialogs irrelevant to the tasks they are performing and try to evade them. This paper contributes two new techniques for hardening CSG against automatic and false user answers. Polymorphic dialogs continuously change the form of the required user inputs and intentionally delay them, forcing users to pay attention to security decisions. Audited dialogs thwart false user answers by (1) warning users that their answers will be forwarded to auditors, and (2) allowing auditors to quarantine users who provide unjustified answers. We implemented CSG against email-borne viruses on the Thunderbird email agent. One version, CSG-PD, includes CSG and polymorphic dialogs. Another version, CSG-PAD, includes CSG and both polymorphic and audited dialogs. In user studies, we found that untrained users accept significantly fewer unjustified risks with CSG-PD than with conventional dialogs. Moreover, they accept significantly fewer unjustified risks with CSG-PAD than with CSG-PD. CSG-PD and CSG-PAD have an insignificant effect on acceptance of justified risks.
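The two hardening techniques the abstract describes, as a runnable sketch. This is an added illustration, not the paper's Thunderbird implementation: the question wording, the three answer options and which of them justify the risk, the 3-second minimum response time, the HMAC-chained audit log, the key name AUDIT_KEY and the auditor's address-book rule are all assumptions made here so the mechanics can be exercised offline.

```python
"""Sketch of polymorphic and audited context-sensitive-guidance (CSG) dialogs.

Added illustration only; the question wording, option set, 3-second delay,
HMAC-chained audit log and the auditor's address-book rule are assumptions,
not the paper's Thunderbird implementation.
"""
import hashlib
import hmac
import json
import random
from dataclasses import dataclass, field

MIN_RESPONSE_SECONDS = 3.0     # assumed: answers arriving sooner are rejected
AUDIT_KEY = b"demo-audit-key"  # assumed: held by the auditor, not the user
AUDIT_WARNING = "Your answer will be forwarded to your organisation's security auditors."

# Assumed context question. The flag says whether that answer, if truthful,
# justifies the risk of opening the attachment.
OPTIONS = {
    "expected": ("I requested or was expecting this file from this sender", True),
    "known": ("I know the sender but was not expecting a file", False),
    "unknown": ("I do not know the sender", False),
}


@dataclass
class Challenge:
    issued_at: float
    labels: dict  # displayed letter -> option key; re-drawn for every dialog

    def render(self):
        lines = [AUDIT_WARNING, "Why do you want to open this attachment?"]
        lines += [f"  [{letter}] {OPTIONS[key][0]}" for letter, key in self.labels.items()]
        return "\n".join(lines + ["Type the letter of your answer:"])


def issue_challenge(now, seed=None):
    """Polymorphic dialog: both the order of the options and the letter that
    selects each one change every time, so a habitual or scripted 'press 1'
    does not reliably pick the same answer."""
    rng = random.Random(seed)
    keys = list(OPTIONS)
    rng.shuffle(keys)
    letters = rng.sample("ABCDEFGHJKLMNPQRSTUVWXYZ", len(keys))  # no I/O, avoids 1/0 confusion
    return Challenge(issued_at=now, labels=dict(zip(letters, keys)))


def answer(challenge, typed, now):
    """Returns (status, option_key). Enforces the intentional delay and
    accepts only a label that is currently on screen."""
    if now - challenge.issued_at < MIN_RESPONSE_SECONDS:
        return "rejected_too_fast", None
    key = challenge.labels.get(typed.strip().upper())
    if key is None:
        return "rejected_invalid", None
    return "answered", key


def decide(option_key):
    """CSG decision from the user's answer: open only justified risks."""
    return "open" if OPTIONS[option_key][1] else "block"


def _mac(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class AuditLog:
    """Audited dialog: every answer is recorded with its context in a
    MAC-chained log so the user cannot later alter or drop an entry."""
    entries: list = field(default_factory=list)
    last_mac: str = ""

    def record(self, user, sender, attachment, option_key, now):
        entry = {"user": user, "sender": sender, "attachment": attachment,
                 "answer": option_key, "at": now, "prev": self.last_mac}
        entry["mac"] = _mac(entry)
        self.last_mac = entry["mac"]
        self.entries.append(entry)
        return entry


def verify(log):
    """Auditor-side integrity check: each entry's MAC must match and must
    chain to the previous entry."""
    prev = ""
    for e in log.entries:
        body = {k: v for k, v in e.items() if k != "mac"}
        if body["prev"] != prev or not hmac.compare_digest(_mac(body), e["mac"]):
            return False
        prev = e["mac"]
    return True


def auditor_review(log, address_book):
    """Assumed auditor rule: claiming to expect a file from a sender who is not
    in the user's address book is an unjustified answer; that user is quarantined."""
    quarantined = set()
    for e in log.entries:
        if e["answer"] == "expected" and e["sender"] not in address_book.get(e["user"], set()):
            quarantined.add(e["user"])
    return quarantined


if __name__ == "__main__":
    ch = issue_challenge(now=100.0, seed=7)
    print(ch.render())
    log = AuditLog()
    log.record("alice", "[email protected]", "invoice.exe", "expected", 110.0)  # constructed sample
    print(auditor_review(log, {"alice": set()}))
```

The polymorphism here is only the re-labelling and re-ordering of options plus the enforced delay; a real deployment would also vary the input modality, as the abstract's "form of the required user inputs" suggests. The audit log is deliberately verifiable only with the auditor's key, which is what makes the forwarding warning credible rather than decorative.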



Published In

SOUPS '07: Proceedings of the 3rd symposium on Usable privacy and security
July 2007
188 pages
ISBN:9781595938015
DOI:10.1145/1280680
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • CyLab

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. attachment
  2. audited dialogs
  3. context-sensitive guidance
  4. e-mail client
  5. polymorphic dialogs
  6. virus propagation

Qualifiers

  • Article

Conference

SOUPS '07: The third Symposium on Usable Privacy and Security
July 18 - 20, 2007
Pittsburgh, Pennsylvania, USA

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%


Article Metrics

  • Downloads (Last 12 months)27
  • Downloads (Last 6 weeks)1
Reflects downloads up to 20 Feb 2025

Cited By

  • (2024) Farsight: Fostering Responsible AI Awareness During AI Application Prototyping. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, pp. 1-40. doi:10.1145/3613904.3642335. Online publication date: 11 May 2024.
  • (2023) A research framework and initial study of browser security for the visually impaired. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 4679-4696. doi:10.5555/3620237.3620499. Online publication date: 9 August 2023.
  • (2023) Seeing is Not Believing: A Nuanced View of Misinformation Warning Efficacy on Video-Sharing Social Media Platforms. Proceedings of the ACM on Human-Computer Interaction, 7(CSCW2), pp. 1-35. doi:10.1145/3610085. Online publication date: 4 October 2023.
  • (2023) ’Don’t Annoy Me With Privacy Decisions!’ — Designing Privacy-Preserving User Interfaces for SSI Wallets on Smartphones. IEEE Access, 11, pp. 131814-131835. doi:10.1109/ACCESS.2023.3334908. Online publication date: 2023.
  • (2023) Towards Improving the Efficacy of Windows Security Notifier for Apps from Unknown Publishers: The Role of Rhetoric. HCI for Cybersecurity, Privacy and Trust, pp. 101-121. doi:10.1007/978-3-031-35822-7_8. Online publication date: 9 July 2023.
  • (2022) Users' perceptions of chrome's compromised credential notification. Proceedings of the Eighteenth USENIX Conference on Usable Privacy and Security, pp. 155-174. doi:10.5555/3563609.3563618. Online publication date: 8 August 2022.
  • (2022) Exploring Phone-Based Authentication Vulnerabilities in Single Sign-On Systems. Information and Communications Security, pp. 184-200. doi:10.1007/978-3-031-15777-6_11. Online publication date: 5 September 2022.
  • (2022) Subliminal Warnings: Utilizing the High Bandwidth of Nonconscious Visual Perception. Persuasive Technology, pp. 255-271. doi:10.1007/978-3-030-98438-0_20. Online publication date: 29 March 2022.
  • (2022) “Not all my friends are friends”. Journal of the Association for Information Science and Technology, 73(6), pp. 797-810. doi:10.1002/asi.24580. Online publication date: 26 April 2022.
  • (2021) Eliciting Design Guidelines for Privacy Notifications in mHealth Environments. Research Anthology on Privatizing and Securing Data, pp. 1909-1928. doi:10.4018/978-1-7998-8954-0.ch093. Online publication date: 2021.
