ABSTRACT
Attacks on computer systems are rapidly becoming more numerous and more sophisticated, and current preventive techniques do not seem able to keep pace. Many successful attacks can be attributed to user errors: for example, while focused on other tasks, users may succumb to 'social engineering' attacks such as phishing or Trojan horses. Warnings about the danger of these attacks are often vaguely worded and given long before the dangers are realized, and are therefore too easy to ignore. However, we hypothesize that users are more likely to be persuaded by messages that (1) leverage mental models to describe the dangers, (2) describe particular vulnerabilities that the user may be exposed to, and (3) are delivered close in time before the danger may actually be realized. We discuss the design and initial implementation of a system to achieve this. It first shows a video about a potential danger, then creates warnings tailored to the user's environment and given at the time they may be most useful, displaying a still frame or snippet from the video to remind the user of the potential danger. The system uses templates of user activities as input to a Markov logic network to recognize potentially risky behaviors. This approach can identify likely next steps, which can be used to predict immediate danger and customize warnings.
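The control flow the abstract describes (observe user actions, match them against activity templates, predict the likely next step, and emit a warning tailored to the observed context only when the harmful step is imminent) can be sketched in a few dozen lines. The Python below is an added example, not code from the paper or its authors: the paper's implementation feeds the templates to a Markov logic network, which this sketch replaces with a much cruder weighted prefix match. The template names, step names, weights, video frame names and the sample event sequence are all constructed for illustration.

```python
"""Just-in-time, context-tailored warning from activity templates.

Added illustration of the idea in the abstract. The weighted prefix match
below is a stand-in for the paper's Markov logic network (assumption);
all templates, weights and events are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Template:
    name: str
    steps: List[str]      # ordered user actions that make up the risky activity
    weight: float         # crude stand-in for a Markov-logic formula weight
    video_frame: str      # still frame from the training video shown with the warning
    message: str          # warning text; {placeholders} are filled from observed events


@dataclass
class Event:
    action: str
    attrs: Dict[str, str] = field(default_factory=dict)   # e.g. sender, host, file


@dataclass
class Warning:
    template: str
    score: float
    next_step: str
    video_frame: str
    text: str


# Constructed templates. The last step of each is the point where the danger is realized.
TEMPLATES = [
    Template(
        "phishing_credential_theft",
        ["open_email_from_unknown_sender", "click_link_in_email",
         "load_login_form_off_domain", "submit_credentials"],
        2.0, "phishing_video_frame.png",
        "This login page at {host} was reached from a link in a message from {sender}. "
        "Remember the phishing video: do not enter your password here.",
    ),
    Template(
        "trojan_attachment",
        ["open_email_from_unknown_sender", "save_attachment",
         "run_attachment", "approve_admin_prompt"],
        1.5, "trojan_video_frame.png",
        "You are about to give '{file}' administrator rights. It arrived in a message "
        "from {sender}. Remember the Trojan horse video.",
    ),
]


def match_prefix(template: Template, events: List[Event]) -> int:
    """Number of template steps, in order, seen as a subsequence of the observed events."""
    matched = 0
    for ev in events:
        if matched < len(template.steps) and ev.action == template.steps[matched]:
            matched += 1
    return matched


def _fill(message: str, attrs: Dict[str, str]) -> str:
    """Fill placeholders from observed context; unknown fields do not raise."""
    class _Safe(dict):
        def __missing__(self, key):
            return "<unknown>"
    return message.format_map(_Safe(attrs))


def assess(events: List[Event], templates=TEMPLATES, threshold: float = 1.0) -> Optional[Warning]:
    """Return a tailored warning only if the best-matching template's next step is the harmful one."""
    best = None
    for t in templates:
        m = match_prefix(t, events)
        if m == 0 or m == len(t.steps):
            continue                      # nothing observed yet, or the danger already happened
        score = t.weight * m / len(t.steps)
        if best is None or score > best[0]:
            best = (score, t, m)
    if best is None:
        return None
    score, t, m = best
    next_step = t.steps[m]                # predicted next user action
    if score < threshold or m != len(t.steps) - 1:
        return None                       # too early: a warning now would be easy to ignore
    context: Dict[str, str] = {}
    for ev in events:
        context.update(ev.attrs)          # later observations override earlier ones
    return Warning(t.name, score, next_step, t.video_frame, _fill(t.message, context))


if __name__ == "__main__":
    # Constructed sample session: a phishing sequence up to the credential form.
    session = [
        Event("open_email_from_unknown_sender", {"sender": "billing@paypa1-secure.example"}),
        Event("click_link_in_email", {"url": "http://paypa1-secure.example/login"}),
        Event("load_login_form_off_domain", {"host": "paypa1-secure.example"}),
    ]
    print(assess(session[:1]))            # None: only the first step seen
    print(assess(session))                # warning before submit_credentials
```

Two design points carry over from the abstract: the warning is withheld until the predicted next step is the one that realizes the danger, and the message text is filled from the observed environment (the sender and host actually involved) rather than a generic caution, alongside a frame from the video the user already watched.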
Index Terms
- Targeted risk communication for computer security