ABSTRACT
Users have a strong tendency toward dismissing security dialogs unthinkingly. Prior research has shown that users' responses to security dialogs become significantly more thoughtful when dialogs are polymorphic, and that further improvements can be obtained when dialogs are also audited and auditors penalize users who give unreasonable responses. We contribute an Operant Conditioning model that fits these observations, and, inspired by the model, propose Security Reinforcing Applications (SRAs). SRAs seek to reward users' secure behavior, instead of penalizing insecure behavior. User studies show that SRAs improve users' secure behaviors and that behaviors strengthened in this way do not extinguish after a period of several weeks in which users do not interact with SRAs. Moreover, inspired by Social Learning theory, we propose Vicarious Security Reinforcement (VSR). A user study shows that VSR accelerates SRA benefits.
Index Terms
Using reinforcement to strengthen users' secure behaviors