DOI: 10.1145/1753326.1753382 · CHI Conference Proceedings · Research article

Using reinforcement to strengthen users' secure behaviors

Published: 10 April 2010

ABSTRACT

Users have a strong tendency toward dismissing security dialogs unthinkingly. Prior research has shown that users' responses to security dialogs become significantly more thoughtful when dialogs are polymorphic, and that further improvements can be obtained when dialogs are also audited and auditors penalize users who give unreasonable responses. We contribute an Operant Conditioning model that fits these observations, and, inspired by the model, propose Security Reinforcing Applications (SRAs). SRAs seek to reward users' secure behavior, instead of penalizing insecure behavior. User studies show that SRAs improve users' secure behaviors and that behaviors strengthened in this way do not extinguish after a period of several weeks in which users do not interact with SRAs. Moreover, inspired by Social Learning theory, we propose Vicarious Security Reinforcement (VSR). A user study shows that VSR accelerates SRA benefits.
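
As an added illustration (not code from the paper or its authors), the following Python models the three mechanisms the abstract names: a dialog that is polymorphic (option order reshuffled on every presentation), an auditor that judges whether a response is reasonable, and a reinforcement ledger that rewards reasonable responses rather than penalizing unreasonable ones. The attachment-prompt wording, the auditor's rule and the one-point-per-reasonable-response reward schedule are assumptions chosen for the example; the simulation shows why a user who dismisses dialogs by rote (always clicking the same screen position) is invisible to a static dialog but is caught by a polymorphic one.

```python
"""Added example, not from the paper: a minimal model of a polymorphic,
audited security dialog with a reward ledger. Options, auditor rule and
reward schedule are assumptions for illustration."""
import random
from dataclasses import dataclass, field

# Constructed option set for an "open this e-mail attachment?" prompt.
# The flag says whether an auditor would accept the option as a reasonable
# ground for the action. Refusing is always treated as reasonable.
OPTIONS = [
    ("I requested this file from the sender and was expecting it", True),
    ("The sender is a coworker and the message refers to our project", True),
    ("I do not know the sender, but the subject looks important", False),
    ("The attachment name looks harmless", False),
    ("Do not open the attachment", True),
]
REASONABLE = dict(OPTIONS)


@dataclass
class Dialog:
    """polymorphic=True reshuffles option order on each presentation, so a
    fixed click position maps to a different option every time."""
    polymorphic: bool
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def present(self):
        labels = [label for label, _ in OPTIONS]
        if self.polymorphic:
            self.rng.shuffle(labels)
        return labels


def audit(label):
    """Auditor's rule (assumed): a response is reasonable if it refuses or
    gives a justification the auditor accepts."""
    return REASONABLE[label]


@dataclass
class Ledger:
    """Reward-only ledger in the abstract's SRA spirit: one point per
    reasonable response, nothing taken away for unreasonable ones."""
    rewards: int = 0
    responses: int = 0
    flagged: int = 0

    def record(self, label):
        self.responses += 1
        if audit(label):
            self.rewards += 1
        else:
            self.flagged += 1
        return self.rewards


def simulate_rote_user(polymorphic, trials, position=0, seed=1):
    """Model a user who dismisses the dialog by always clicking the option
    at a fixed screen position. Returns the ledger after `trials` prompts."""
    dlg = Dialog(polymorphic, random.Random(seed))
    ledger = Ledger()
    for _ in range(trials):
        labels = dlg.present()
        ledger.record(labels[position])
    return ledger


def flagged_fraction(ledger):
    """Share of responses the auditor judged unreasonable."""
    return ledger.flagged / ledger.responses if ledger.responses else 0.0


if __name__ == "__main__":
    static = simulate_rote_user(polymorphic=False, trials=200)
    poly = simulate_rote_user(polymorphic=True, trials=200)
    print("static dialog, rote clicking: flagged", flagged_fraction(static))
    print("polymorphic dialog, rote clicking: flagged", flagged_fraction(poly))
```

With a static dialog the rote clicker always lands on the same (here, acceptable) justification, so the auditor sees nothing wrong; with a polymorphic dialog the same behaviour lands on an unreasonable option roughly two times in five, which is what lets the audit distinguish thoughtless from thoughtful responses.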

