
Financial Cryptography and Data Security

FC 2020 International Workshops, AsiaUSEC, CoDeFi, VOTING, and WTSC, Kota Kinabalu, Malaysia, February 14, 2020, Revised Selected Papers

  • 2020
  • Book

About this book

This book constitutes the refereed proceedings of the workshops held at the 24th International Conference on Financial Cryptography and Data Security, FC 2020, in Kota Kinabalu, Malaysia, in February 2020. The 39 full papers and 3 short papers in this book were carefully reviewed and selected from 73 submissions. The papers cover four workshops: the 1st Asian Workshop on Usable Security, AsiaUSEC 2020; the 1st Workshop on Coordination of Decentralized Finance, CoDeFi 2020; the 5th Workshop on Advances in Secure Electronic Voting, VOTING 2020; and the 4th Workshop on Trusted Smart Contracts, WTSC 2020. The AsiaUSEC workshop contributes to raising the scientific quality of research on human factors in security and privacy. With regard to improving the effectiveness of secure systems, the research included an extension of graphical password authentication. In addition, a comparative study of SpotBugs, SonarQube, CryptoGuard and CogniCrypt identified the respective strengths of these tools and refined the need for improvements in security testing. The CoDeFi workshop discusses multidisciplinary issues relating to the technologies and operations of decentralized financial systems based on permissionless blockchains. The workshop consists of two parts: presentations by all stakeholders and unconference discussions. The VOTING workshop covers topics such as new methods for risk-limiting audits, new methods for improving the efficiency of mix-nets, verification of the security of election audit systems, voting system efficiency, voting system usability, and new technical designs for cryptographic protocols for voting systems, as well as new ways to prevent vote selling through smart contract deterrence. The WTSC workshop focuses on smart contracts, i.e. self-enforcing agreements in the form of executable programs, and other decentralized applications that are deployed on and complement specialized blockchains.

Table of Contents

  1. Frontmatter

  2. AsiaUSEC: First Asian Workshop on Usable Security

    1. Frontmatter

    2. Tale of Two Browsers: Understanding Users’ Web Browser Choices in South Korea

      Jihye Woo, Ji Won Choi, Soyoon Jeon, Joon Kuy Han, Hyoungshick Kim, Simon S. Woo
      Abstract
      Internet users in South Korea seem to have clearly different web browser choices and usage patterns compared to the rest of the world, heavily using Internet Explorer (IE) or multiple browsers. Our work is primarily motivated to investigate the reasons for such differences in web browser usage, relating to the use of government-mandated security technology, digital certificates. We conducted an IRB-approved semi-structured online user study to examine internet users’ browser choices in South Korea and analyze their usage patterns. Our user study results reveal that there are clearly different users’ browser preferences across different web services, and they are in turn closely related to the security policy enforced by the government 20 years ago. In our study, while the younger age group tends to prefer two browsers (Chrome and IE), the older age group prefers to use the IE browser. Also, all age groups commonly prefer the IE browser for the services requiring digital certificates issued by Korean government agencies, such as finance and e-commerce sites. Our user study is quantitative to show how the standardization of technologies in a country could affect users’ web browsing activities. Also, despite the abolishment of the mandatory security technology, we still observe that people are not aware of such abolishment and habitually use the technology-locked-in IE browser.
    3. User-Centered Risk Communication for Safer Browsing

      Sanchari Das, Jacob Abbott, Shakthidhar Gopavaram, Jim Blythe, L. Jean Camp
      Abstract
      Solutions to phishing have included training users, stand-alone warnings, and automatic blocking. We integrated personalized blocking, filtering, and alerts into a single holistic risk-management tool, which leverages simple metaphorical cartoons that function both as risk communication and controls for browser settings. We tested the tool in two experiments. The first experiment was a four-week naturalistic study where we examined the acceptability and usability of the tool. The experimental group was exposed to fewer risks in that they chose to run fewer scripts, disabled most iFrames, blocked Flash, decreased tracking, and quickly identified each newly encountered website as unfamiliar. Each week participants increased their tool use. Conversely, those in the control group expressed perceptions of lower risk, while enabling more potentially malicious processes. We then tested phishing resilience in the laboratory with newly recruited participants. The results showed that the tool significantly improved participants’ ability to distinguish between legitimate and phishing sites.
    4. Secure Email - A Usability Study

      Adrian Reuter, Karima Boudaoud, Marco Winckler, Ahmed Abdelmaksoud, Wadie Lemrazzeq
      Abstract
      Several end-to-end encryption technologies for emails such as PGP and S/MIME have existed for decades. However, end-to-end encryption is barely applied. To understand why users hesitate to secure their email communication and which usability issues they face with PGP, S/MIME as well as with pEp (Pretty Easy Privacy), a fairly new technology, we conducted an online survey and user testing. We found that more than 60% of e-mail users are unaware of the existence of such encryption technologies and have never tried to use one. We observed that, above all, users are overwhelmed with the management of public keys and struggle with the setup of encryption technology in their mail software. Even though users struggle to put email encryption into practice, we experienced roughly the same number of users being aware of the importance of email encryption. Particularly, we found that users are very concerned about identity theft, as 78% want to make sure that no other person is able to write email in their name.
    5. The Effects of Cue Utilization and Cognitive Load in the Detection of Phishing Emails

      George Nasser, Ben W. Morrison, Piers Bayl-Smith, Ronnie Taib, Michael Gayed, Mark W. Wiggins
      Abstract
      Phishing emails represent a major threat to online information security. While the prevailing research is focused on users’ susceptibility, few studies have considered the decision-making strategies that account for skilled detection. One relevant facet of decision making is cue utilization, where users retrieve feature-event associations stored in long-term memory. High degrees of cue utilization help reduce the demands placed on working memory (i.e., cognitive load), and invariably improve decision performance (i.e., the information-reduction hypothesis in expert performance). The current study explored the effect of cue utilization and cognitive load when detecting phishing emails. A total of 50 undergraduate students completed (1) a rail control task and (2) a phishing detection task. A cue utilization assessment battery (EXPERTise 2.0) then classified participants with either higher or lower cue utilization. As expected, higher cue utilization was associated with a greater likelihood of detecting phishing emails. However, variation in cognitive load had no effect on phishing detection, nor was there an interaction between cue utilization and cognitive load. These findings have implications for our understanding of the cognitive mechanisms that underpin the detection of phishing emails and the role of factors beyond the information-reduction hypothesis.
    6. Cue Utilization, Phishing Feature and Phishing Email Detection

      Piers Bayl-Smith, Daniel Sturman, Mark Wiggins
      Abstract
      Cognitive processes are broadly considered to be of vital importance to understanding phishing email feature detection or misidentification. This research extends the current literature by introducing the concept of cue utilization as a unique predictor of phishing feature detection. First year psychology students (n = 127) undertook three tasks measuring cue utilization, phishing feature detection and phishing email detection. A multiple linear regression model provided evidence that those in a higher cue utilization typology (n = 55) performed better at identifying phishing features than those in a lower cue utilization typology (n = 72). Furthermore, as predicted by the Elaboration Likelihood Model (ELM) and Heuristic-Systematic Model (HSM), those who deliberated longer per email demonstrated an increased ability to correctly identify phishing features. However, these results did not translate into improved performance in the phishing email detection task. Possible explanations for these results are discussed, including possible limitations and areas of future research.
    7. Dis-Empowerment Online: An Investigation of Privacy-Sharing Perceptions and Method Preferences

      Kovila P. L. Coopamootoo
      Abstract
      While it is often claimed that users are empowered via online technologies, there is also a general feeling of privacy dis-empowerment. We investigate the perception of privacy and sharing empowerment online, as well as the use of privacy technologies, via a cross-national online study with N = 907 participants. We find that perception of privacy empowerment differs from that of sharing across dimensions of meaningfulness, competence and choice. We find similarities and differences in privacy method preference between the US, UK and Germany. We also find that non-technology methods of privacy protection are among the most preferred methods, while more advanced and standalone privacy technologies are least preferred. By mapping the perception of privacy dis-empowerment into patterns of privacy behavior online, and clarifying the similarities and distinctions in privacy technology use, this paper provides an important foundation for future research and the design of privacy technologies. The findings may be used across disciplines to develop more user-centric privacy technologies that support and enable the user.
    8. Security and Privacy Awareness in Smart Environments – A Cross-Country Investigation

      Oksana Kulyk, Benjamin Reinheimer, Lukas Aldag, Peter Mayer, Nina Gerber, Melanie Volkamer
      Abstract
      Smart environments are becoming ubiquitous despite many potential security and privacy issues. But, do people understand what consequences could arise from using smart environments? To answer this research question, we conducted a survey with 575 participants from three different countries (Germany, Spain, Romania) considering smart home and health environments. Less than half of all participants mentioned at least one security and privacy issue, with significantly more German participants mentioning issues than the Spanish ones and the Spanish participants in turn mentioning significantly more security and privacy issues than the Romanian participants. Using open coding, we find that among the 275 participants mentioning security and privacy issues, 111 only expressed abstract concerns such as “security issues” and only 34 mentioned concrete harms such as “Burglaries (physical and privacy)”, caused by security and privacy violations. The remaining 130 participants who mentioned security and privacy issues named only threats (i.e. their responses were more concrete than just abstract concerns but they did not mention concrete harming scenarios).
    9. Understanding Perceptions of Smart Devices

      Hilda Hadan, Sameer Patil
      Abstract
      We explored perceptions regarding the value and sensitivity of the data collected by a variety of everyday smart devices. Via semi-structured interviews, we found that people’s conceptualizations of operational details and privacy and security threats of “smart” functions are greatly limited. Our findings point to the need for designs that readily enable users to separate the physical and digital aspects of device operation and call for further exploration of the design space of privacy and security controls and indicators for smart devices.
    10. In Our Employer We Trust: Mental Models of Office Workers’ Privacy Perceptions

      Jan Tolsdorf, Florian Dehling
      Abstract
      The increasing digitization of the workplace poses new threats to the right to privacy for employees. Previous work on this matter was rather quantitative and with a strong focus on monitoring and surveillance. Yet, there is a lack of comprehensive explanations for employees’ privacy perceptions and what drives their risk and trust perceptions.
      We conducted an interview study with 22 German employees to qualitatively examine (1) issues and themes related to the expectations of privacy of office workers and (2) their beliefs and understandings of how their data is handled by their employers.
      We present the mental model of the believing employee, which is characterized by a high level of trust in the lawful processing of personal data by the employer and little fear of invasions of privacy. The mental model is strongly influenced by the uncertainty regarding the processing of personal data by employers and compensates missing experiences regarding privacy at work with analogies from private online use.
    11. Behaviour of Outsourced Employees as Sources of Information System Security Threats

      David Oyebisi, Kennedy Njenga
      Abstract
      There is an increased need for information systems to be protected against unauthorized access and retrieval, particularly from legitimate ‘insider’ outsourced employees. While most studies have focused on organisations’ employees as threats, only a few have focused on the role outsourced employees play as a potential threat. The study seeks to investigate the insider threat behaviour of outsourced employees in developing countries as security threats to information systems by virtue of their privileged access. The study is quantitative and adopts social bond and involvement theories for this purpose. The research sample was chosen from organisations in Nigeria and South Africa, which are the two largest national economies in Africa. Close-ended questionnaires were used and the data were analysed using factor analysis. The study found that outsourced employees exploit information systems vulnerabilities because they are not actively involved in the organisation and lack moral values and beliefs. The findings of this study will assist organisations in developing countries to mitigate the information security threats posed by outsourced employees.
    12. Exploring Effects of Auditory Stimuli on CAPTCHA Performance

      Bruce Berg, Tyler Kaczmarek, Alfred Kobsa, Gene Tsudik
      Abstract
      CAPTCHAs have been widely used as an anti-bot means for well over a decade. Unfortunately, they are often hard and annoying to use, and human errors have been blamed mainly on overly complex challenges, or poor challenge design. However, errors can also occur because of ambient sensory distractions, and performance impact of these distractions has not been thoroughly examined.
      The goal of our work is to explore the impact of auditory distractions on CAPTCHA performance. To this end, we conducted a comprehensive user study. Its results, discussed in this paper, show that various types of auditory stimuli impact performance differently. Generally, simple and less dynamic stimuli sometimes improve subject performance, while highly dynamic stimuli have a negative impact. This is troublesome since CAPTCHAs are often used to protect web sites offering tickets for limited-quantity events that sell out very quickly, i.e., within seconds. In such settings, the introduction of even a small delay can make the difference between obtaining tickets from the primary source and being forced to use a secondary market. Our study was conducted in a fully automated experimental environment to foster uniform and scalable experiments. We discuss both benefits and limitations of the unattended automated experiment paradigm.
    13. PassPage: Graphical Password Authentication Scheme Based on Web Browsing Records

      Xian Chu, Huiping Sun, Zhong Chen
      Abstract
      This paper proposes a two-factor graphical password authentication scheme, PassPage, which is suitable for website authentication with enhanced security. It leverages the implicit memory based on the user’s web browsing records. Whenever the user tries to log in, the server returns 9 small pages as a challenge, and asks the user to select all the pages the user has browsed besides inputting a text password. We performed user experiments on 12 volunteers. The experiment results showed that the average login success rate on a news website is steadily over 80% when the users are familiar with the login process, and the login success rate does not decrease sharply in 6 days.
    14. Empathy as a Response to Frustration in Password Choice

      Kovila P. L. Coopamootoo
      Abstract
      Previous research often reports that password-based security is frustrating, irritating or annoying, and as a result it often leads to weak password choices. We investigated the impact of empathy as a countermeasure to the anger-related states. We designed an online study with N = 194 participants. The experimental group received an empathic message while the control group did not. Participants presented with the empathic message created significantly stronger passwords than those who did not receive the message. Our finding differs from previous research because it shows participants creating stronger passwords with an empathic response to anger arousal. This antidote to frustrated states with regards to password choice provides an initial step towards more supportive and emotionally intelligent security designs.
    15. Fixing the Fixes: Assessing the Solutions of SAST Tools for Securing Password Storage

      Harshal Tupsamudre, Monika Sahu, Kumar Vidhani, Sachin Lodha
      Abstract
      Text passwords are one of the most widely used authentication mechanisms on the internet. While users are responsible for creating secure passwords, application developers are responsible for writing code to store passwords securely. Despite continued reports of password database breaches, recent research studies reveal that developers continue to employ insecure password storage practices and have several misconceptions regarding secure password storage. Therefore, it is important to detect security issues relating to password storage and fix them in a timely manner before the application is deployed.
      In this paper, we survey several open-source Static Application Security Testing (SAST) tools (SpotBugs, SonarQube, CryptoGuard, CogniCrypt) to understand their detection capabilities with respect to password storage vulnerabilities and determine if the remediation fixes suggested by these tools are consistent with the OWASP or NIST recommended password storage guidelines. We found that none of the surveyed tools covers all potential vulnerabilities related to password storage. Further, we found that the solutions suggested by the tools are either imprecise or not in accordance with the latest password storage guidelines. We conducted a study with 8 developers where each of them attempted to replace an insecure SHA-1-based password storage implementation with the PBKDF2 solution recommended by the surveyed tools. The study results show that, in the absence of specific examples, developers choose insecure values for PBKDF2 parameters (salt, iteration count, key length). Thus, although the use of PBKDF2 is in adherence with the tool requirements, the resulting password storage code may not be secure in practice.
    16. Incorporating Psychology into Cyber Security Education: A Pedagogical Approach

      Jacqui Taylor-Jackson, John McAlaney, Jeffrey L. Foster, Abubakar Bello, Alana Maurushat, John Dale
      Abstract
      The role of the human in cyber security is well acknowledged. Many cyber security incidents rely upon targets performing specific behavioural actions, such as opening a link within a phishing email. Cyber adversaries themselves are driven by psychological processes such as motivation, group dynamics and social identity. Furthermore, both intentional and unintentional insider threats are associated with a range of psychological factors, including cognitive load, mental wellbeing, trust and interpersonal relations. By incorporating psychology into cyber security education, practitioners will be better equipped with the skills they need to address cyber security issues. However, there are challenges in doing so. Psychology is a broad discipline, and many theories, approaches and methods may have little practical significance to cyber security. There is a need to sift through the literature to identify what can be applied to cyber security. There are also pedagogical differences in how psychology and cyber security are taught and also psychological differences in the types of student that may typically study psychology and cyber security. To engage with cyber security students, it is important that these differences are identified and positively addressed. Essential to this endeavor is the need to discuss and collaborate across the two disciplines. In this paper, we explore these issues and discuss our experiences as psychology and cyber security academics who work across disciplines to deliver psychology education to cyber security students, practitioners and commercial clients.
Title
Financial Cryptography and Data Security
Edited by
Matthew Bernhard
Andrea Bracciali
L. Jean Camp
Prof. Shin'ichiro Matsuo
Alana Maurushat
Peter B. Rønne
Prof. Massimiliano Sala
Copyright year
2020
Electronic ISBN
978-3-030-54455-3
Print ISBN
978-3-030-54454-6
DOI
https://doi.org/10.1007/978-3-030-54455-3
