
2013 | Book

Human Aspects of Information Security, Privacy, and Trust

First International Conference, HAS 2013, Held as Part of HCI International 2013, Las Vegas, NV, USA, July 21-26, 2013. Proceedings

Edited by: Louis Marinos, Ioannis Askoxylakis

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


About this book

This book constitutes the refereed proceedings of the First International Conference on Human Aspects of Information Security, Privacy and Trust, HAS 2013, held as part of the 15th International Conference on Human-Computer Interaction, HCII 2013, held in Las Vegas, USA in July 2013, jointly with 12 other thematically similar conferences. The total of 1666 papers and 303 posters presented at the HCII 2013 conferences was carefully reviewed and selected from 5210 submissions. These papers address the latest research and development efforts and highlight the human aspects of design and use of computing systems. The papers accepted for presentation thoroughly cover the entire field of human-computer interaction, addressing major advances in knowledge and effective use of computers in a variety of application areas. The total of 39 contributions was carefully reviewed and selected for inclusion in the HAS proceedings. The papers are organized in the following topical sections: novel authentication systems; human factors in security; security and privacy policies; and user centric security and privacy.

Table of contents

Frontmatter

Novel Authentication Systems

Frontmatter
Evaluating the Usability of System-Generated and User-Generated Passwords of Approximately Equal Security

System-generated and user-generated text-based passwords are commonly used to authenticate access to electronic assets. Users typically have multiple web accounts ranging from banking to retail, each with a different password, creating a significant usability problem. The passwords authenticated by these applications may vary in usability and memorability depending on the type of password generation, composition and length. Researchers have compared the usability of different user-generated password composition schemes. The passwords created using different composition schemes in these studies achieved different levels of minimum security, making comparisons across them difficult. This research compares the usability and memorability of three password generation schemes that each exceed a specified minimum entropy for the sake of security.

Sourav Bhuyan, Joel S. Greenstein, Kevin A. Juang
Multicriteria Optimization to Select Images as Passwords in Recognition Based Graphical Authentication Systems

Usability and guessability are two conflicting criteria in assessing the suitability of an image to be used as password in the recognition based graphical authentication systems (RGBSs). We present the first work in this area that uses a new approach, which effectively integrates a series of techniques in order to rank images taking into account the values obtained for each of the dimensions of usability and guessability, from two user studies. Our approach uses fuzzy numbers to deal with non commensurable criteria and compares two multicriteria optimization methods namely, TOPSIS and VIKOR. The results suggest that VIKOR method is the most applicable to make an objective statement about which image type is better suited to be used as password. The paper also discusses some improvements that could be done to improve the ranking assessment.

Soumyadeb Chowdhury, Ron Poet, Lewis Mackenzie
Investigating an Intrusion Prevention System for Brain-Computer Interfaces

Neurosecurity focuses on the security of the increasingly intimate coupling of human brains and computers, addressing issues surrounding modern computer security and how they relate to brain-computer interfaces (BCIs). Although several elements of this field are not yet relevant in today’s society, the goal is to examine what can be done to avoid the post-patch-just-in-time security solution seen in today’s computer architectures and networks. Modern computer security has been the unfortunate result of afterthought; patched on out of necessity, often just-in-time at best.

Saul D. Costa, Dale R. Stevens, Jeremy A. Hansen
Inconspicuous Personal Computer Protection with Touch-Mouse

We present a hassle-free personal information protection design that continuously monitors user identity with a Microsoft touchmouse [1] under a windows-based computer environment. This is the first design which investigates the relationship between time-indexed pressure map trajectories extracted from a touch-mouse and user behavior patterns categorized by common mouse action primitives. This design serves as an assistive method to enhance existing password and biometric based security mechanisms, enabling continuous and unobtrusive personal identity monitoring. Commercialized windows-based systems can be seamlessly integrated with the proposed system and this design can offer a convenient and lightweight solution for physical computer intrusion detection.

Ming-Chun Huang, Wenyao Xu, Jason J. Liu, Yi Su, Lei He, Majid Sarrafzadeh
Gamified CAPTCHA

The Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) has been widely used as a technique that will allow a machine to distinguish between input from a human and that of another machine. The security of current CAPTCHA methods is not sufficient to protect against advanced modern malware. This paper focuses on applying gamification, the use of game elements in non-game human interaction systems, in order to improve the security and usability of CAPTCHA systems. We propose to use movie-based quizzes to achieve a Gamified CAPTCHA system that employs the human capability to recognize the strangeness of a short movie story.

Junya Kani, Masakatsu Nishigaki
Recognition of Human Identity by Detection of User Activity

The paper describes a system able to recognize the user's identity according to how she/he looks at the monitor while using a given interface. The system does not need invasive measurements that could limit the naturalness of her/his actions. The proposed approach clusters the sequences of observed points on the screen and characterizes the user identity according to the relevant detected patterns. Moreover, the system is able to identify patterns in order to have a more accurate recognition and to create prototypes of natural facial dynamics in user expressions. The possibility to characterize people through facial movements introduces a new perspective on human-machine interaction. For example, a user can obtain different contents according to her/his mood or a software interface can modify itself to keep a higher attention from a bored user. The success rate of the classification using only 7 parameters is around 68%. The approach is based on k-means that is tuned to maximize an index involving the number of true-positive detections and conditional probabilities. A different evaluation of this parameter allows to focus on the identification of a single user or to spot a general movement for a wide range of people. The experiments show that the performance can reach the 90% of correct recognition.

Giuseppe Scardino, Ignazio Infantino, Filippo Vella
Learning a Policy for Gesture-Based Active Multi-touch Authentication

Multi-touch tablets can offer a large, collaborative space where several users can work on a task at the same time. However, the lack of privacy in these situations makes standard password-based authentication easily compromised. This work presents a new gesture-based authentication system based on users’ unique signature of touch motion when drawing a combination of one-stroke gestures following two different policies, one fixed for all users and the other selected by a model of control to maximize the expected long-term information gain. The system is able to achieve high user recognition accuracy with relatively few gestures, demonstrating that human touch patterns have a distinctive “signature” that can be used as a powerful biometric measure for user recognition and personalization.

Raquel Torres Peralta, Anton Rebguns, Ian R. Fasel, Kobus Barnard

Human Factors in Security

Frontmatter
Studying the Effect of Human Cognition on Text and Image Recognition CAPTCHA Mechanisms

This paper investigates the effect of individual differences in human cognition on user performance in CAPTCHA tasks. In particular, a three-month ecological valid user study was conducted with a total of 107 participants who interacted with a text-recognition and an image-recognition CAPTCHA mechanism. The study included a series of psychometric tests for eliciting users’ speed of processing, controlled attention and working memory capacity, with the aim to examine the effect of these cognitive processes on the efficiency and effectiveness of user interactions in CAPTCHA tasks. Preliminary results provide interesting insights for the design and deployment of adaptive CAPTCHA mechanisms based on individual differences in cognitive processing since it has been initially shown that specific cognitive processing abilities of individuals could be a determinant factor on the personalization of CAPTCHA mechanisms.

Marios Belk, Panagiotis Germanakos, Christos Fidas, George Spanoudis, George Samaras
Relationships between Password Choices, Perceptions of Risk and Security Expertise

‘Despite technological advances, humans remain the weakest link in Internet security’ [1], this weakness is typically characterised in one of two domains. First, systems may not enable humans to interface securely, or the security mechanisms themselves are unusable or difficult to use effectively. Second, there may be something fundamental about the behaviour of some people which leads them to become vulnerable.

This paper examines the links between perceptions of risk associated with online tasks and password choice. We also explore the degrees to which the said perceptions of risk differ according to whether the password user is a security expert or not, and whether they have experienced some form of attack.

Sadie Creese, Duncan Hodges, Sue Jamison-Powell, Monica Whitty
Influence of Trust Assurances in Mobile Commerce Applications on the Formation of Online Trust

In this paper we investigate the influence of Trust Assurances in Mobile Commerce Applications on the formation of Online Trust. In comparison to existing measuring approaches we therefore developed a more detailed approach of capturing Online Trust. We carried out a study in which Online Trust was captured after an initial interaction with an unknown business partner in form of a fictional Mobile Commerce Application. The generated quantitative and qualitative data allowed for conclusions concerning the formation of Online Trust as well as the influence of Trust Assurances.

Martin Hesseler, Gerhard Hartmann, Stefan Karsch
A Comparison of American and German Folk Models of Home Computer Security

Although many security solutions exist, home computer systems are vulnerable against different types of attacks. The main reason is that users are either not motivated to use these solutions or not able to correctly use them. In order to make security software more usable and hence computers more secure, we re-ran the study by Wash about “Folk Models of Home Computer Security” in Germany. We classified the different mental models in eleven folk models. Eight of the identified folk models are similar to the models Wash presented. We describe each folk model and illustrate how users think about computer security.

Michaela Kauer, Sebastian Günther, Daniel Storck, Melanie Volkamer
Health Is Silver, Beauty Is Golden?
How the Usage Context Influences the Acceptance of an Invasive Technology

The acceptance of novel technology is one if not the most decisive component of the success of the technology rollout. Though, acceptance criteria differ not only across the diversity of users, but might also differ across the different usage context. This is especially valid for technologies in the health and beauty context, in which the balance between pro-using arguments and contra-using arguments is especially fragile. This paper focuses on the impact of the context towards the motivation to use an invasive technology. A survey was conducted in which 170 participants of a wide age range (17-89 years) took part. In the study, three different usage scenarios were presented (medical scenario, preventative healthcare scenario and beauty scenario). After an introduction into each scenario the participants had to evaluate usage motives and barriers. The results corroborated the impact of the situational context and the dependency of acceptance outcomes on the reasons for which technology might be used. Overall, acceptance was highest for medical technology and lowest for the beauty context. Considering the single reasons for or against the technology, we find that nature and weighing of perceived barriers and concerns are quite similar, independently of the context.

Johanna Kluge, Martina Ziefle
A Study Using TAM on the Recognition of Individuals’ Privacy and the Acceptance of Risk
–The Case of Japanese Internet Users–

In this paper, a survey was conducted on the current status of social networking services (SNS) with an emphasis on privacy concerns, which are often deemed an obstruction factor in the use of such services on the Internet. Anxiety over personal privacy and other factors were analyzed based on the technology acceptance model (TAM). The results of the survey show that “perceived usefulness” scored highest with respect to SNS, although, on the demerit side, there were marked anxieties over privacy.

Ayako Komatsu
Personality’s Influence on Facebook’s Privacy Settings: A Case of College Students in Taiwan

Social networking sites such as Facebook have been experiencing tremendous growth for the last several years. In order to get connected with people, Facebook users have to create a personal profile with real data about themselves, such as name, home address, email address, phone numbers, relationship status etc. However, there have been ongoing concerns about information disclosure and privacy. Research has indicated personality is one of many factors that may have some influence on Facebook’s usage, information disclosure, and privacy. The purpose of this research was to investigate possible influence of personality on Facebook privacy settings. Five hypotheses about personality and Facebook privacy settings were developed. Data were collected from 500 college students in Taiwan, with 441 valid data. Four hypotheses about personality and privacy settings were partially supported. People with high extraversion had low privacy settings on family and relationships, religious and political view, and birthday. People with high agreeableness had high privacy settings on wall, photos and videos, religious and political view, birthday, and comments. People with high continuousness had high privacy settings on browsing personal profile and searching personal profile. People with high emotional stability had high privacy settings on religious and political views, and birthday. However, one hypothesis about openness and privacy settings was not supported.

Tingya Kuo, Hung-Lian Tang
An Influence of Self-evaluated Gender Role on the Privacy Management Behavior in Online Social Networks

The primary goal of this paper is testing a causal model of privacy management indicating the influence of gender on the user behavior of privacy management in OSNs. We adopted communication privacy management theory and the theory of planned behavior, developed a causal model showing the influence of self-evaluated gender role on the behavior of privacy management in online social networks, and tested a set of hypotheses using structural equation modeling (SEM). The results of SEM indicate that self-evaluation of masculinity and femininity did not have significant relationship with user’s behavior of privacy management in OSN.

Kijung Lee, Il-Yeol Song
A Taxonomy of Cyber Awareness Questions for the User-Centered Design of Cyber Situation Awareness

This paper offers insights to how cyber security analysts establish and maintain situation awareness of a large computer network. Through a series of interviews, observations, and a card sorting activity, we examined the questions analysts asked themselves during a network event. We present the results of our work as a taxonomy of cyber awareness questions that represents a mental model of situation awareness in cyber security analysts.

Celeste Lyn Paul, Kirsten Whitley
Click Me If You Can!
When Do Users Follow a Call to Action in an Online Message?

Being able to predict how internet users react when confronted with a potentially dangerous call for action in an online message (such as an e-mail) is important for several reasons. On the one hand, users have to be protected from fraudulent e-mails such as phishing. On the other hand, over-cautious users would be difficult to communicate with on the internet, so senders of legitimate messages have to know how to convince recipients of the authenticity of their messages. Extensive research already exists from both of these perspectives, but each study only explores certain aspects of the complex system of factors influencing users’ reactions. In this paper the results of our efforts to integrate the various existing findings into one comprehensive model are presented, along with the results of a preliminary evaluation of some of the model’s predictions using quantitative as well as qualitative measures and eye-tracking.

Thomas Pfeiffer, Heike Theuerling, Michaela Kauer
Increasing Trust Perceptions in the Internet of Things

When interacting with objects and services in the Internet of Things, people will need to trust that their data is safe, and that “things” will do what they promise they will do. As part of a user evaluation of a toolkit for providing security and privacy information to users, we created two models to find a pattern in changes in the perception of trust in the participants. The model based on demographics was not very descriptive. But, the model based on participants’ privacy concerns and trust traits revealed a good match between changes in trust based on information from our toolkit. While there were some limitations in the current study, it showed how TFT can be improved for future evaluations.

Trenton Schulz, Ingvar Tjøstheim
Perception of Risky Security Behaviour by Users: Survey of Current Approaches

What constitutes risky security behaviour is not necessarily obvious to users and as a consequence end-user devices could be vulnerable to compromise. This paper seeks to lay the groundwork for a project to provide instant warning via automatic recognition of risky behaviour. It examines three aspects of the problem, behaviour taxonomy, techniques for its monitoring and recognition and means of giving appropriate feedback. Consideration is given to a way of quantifying the perception of risk a user may have. An ongoing project is described in which the three aspects are being combined in an attempt to better educate users to the risks and consequences of poor security behaviour. The paper concludes that affective feedback may be an appropriate method for interacting with users in a browser-based environment.

Lynsay A. Shepherd, Jacqueline Archibald, R. I. Ferguson
Understanding People’s Preferences for Disclosing Contextual Information to Smartphone Apps

Smartphones have become the primary and most intimate computing devices that people rely on for their daily tasks. Sensor-based and network technologies have turned smartphones into a “context-aware” information hub and a vehicle for information exchange. These information provide apps and third party with a wealth of sensitive information to mine and profile user behavior. However, the Orwellian implications created by context-awareness technology have caused uneasiness to people when using smartphone applications and reluctance of using them [6]. To mitigate people’s privacy concerns, previous research suggests giving controls to people on how their information should be collected, accessed and shared. However, deciding who (people or the application) gets to access to what (types of information) could be an unattainable task. In order to develop appropriate applications and privacy policies it is important to understand under what circumstances people are willing to disclose information.

Fuming Shih, Julia Boortz
Constructing Positive Influences for User Security Decisions to Counter Corporate or State Sponsored Computer Espionage Threats

This paper presents an analysis of employees’ security behavior, which focuses upon improving user awareness to counter computer espionage attempts by corporate or state sponsored activity. The author examines existing literature, presents the results from initial experiments in security awareness and proposes further work.

Martyn Styles

Security and Privacy Policies

Frontmatter
Strategic Interaction Analysis of Privacy-Sensitive End-Users of Cloud-Based Mobile Apps

Free mobile applications of cloud computing offer a range of diverse services (e.g. gaming, storage etc.) usually in return for delivering personalized advertising to their consenting end-users. In order to do so they may retain a range of personal information such as location and personal preferences. Thus, privacy-related interactions between service providers and end users are important to be studied as personal data are valuable in a subscription-based cloud system. In this paper, game theory is used as a tool to identify and analyze such interactions in order to understand stakeholder choices, as well as how to improve the quality of the service offered in a cloud computing setting.

Kalliopi Anastasopoulou, Theo Tryfonas, Spyros Kokolakis
Essential Lessons Still Not Learned? Examining the Password Practices of End-Users and Service Providers

Password authentication remains the dominant form of user authentication for online systems. As such, from a user perspective, it is an approach that they are very much expected to understand and use. However, a survey of 246 users revealed that about one third chose weak passwords, including personal information or dictionary words. To prevent such forms of bad security behavior, service providers should offer support, but the reality of the situation suggests that tangible weaknesses can exist amongst both parties, and thus despite their long-recognised importance, good password practices have yet to become an established part of our security culture. An experimental study was conducted in order to investigate the effect of providing password guidance upon end users’ password choices. The findings revealed that the mere presentation of guidance (without any accompanying enforcement of good practice) had a significant effect upon the resulting password quality.

Steven Furnell, Nina Bär
Ethical Issues Surrounding the Asymmetric Nature of Workplace Monitoring

Public discussion of the privacy concerns of individuals has focused on protecting them from criminal attacks, government spying and the manipulation of consumers by businesses. While these are important areas of concern, there is also a significant ethical and societal risk from privacy intrusion from other sources, such as employers. Many employers gather extensive and highly personal information on their staff. The availability of this information is often asymmetric, with higher status employees having correspondingly greater access to the personal data of others. This paper examines some of the risks inherent in this asymmetry and discusses to what extent existing legal and social measures are sufficient to protect individuals, organisations and society.

John D. Bustard
A Reasonable Expectation of Privacy? Secrecy and National Security in a Democracy

Citizens do not routinely agree to sacrifice their privacy. When cases come to light that the government has been spying on its citizens, there is outrage. Still, citizens’ fierce protection of personal privacy does not obviate their expectation of government to ensure national security. Public support for secret government operations is cyclical, self-interested, influenced by citizens’ knowledge of political affairs, and related to the public’s level of trust in its leaders and the perception of threats. Polls indicate that citizens are protective of their personal privacy but willing to give up a degree of control to trusted leaders.

Kathleen M. Hogan
Towards Usable Generation and Enforcement of Trust Evidence from Programmers’ Intent

Programmers develop code with a sense of purpose and with expectations on how units of code should interact with other units of code. But this intent of programmers is typically implicit and undocumented, goes beyond considerations of functional correctness, and may depend on trust assumptions that programmers make. At present, neither programming languages nor development environments offer a means of articulating such intent in a manner that could be used for controlling whether software executions meet such intentions and their associated expectations. We here study how extant research on trust can inform approaches to articulating programmers’ intent so that it may help with creating trust evidence for more trustworthy interaction of software units.

Michael Huth, Jim Huan-Pu Kuo, Angela Sasse, Iacovos Kirlappos
Modeling Security Policy and the Effect for End-Users

Many “good practices” in computer security are based on assumptions and local evidence that do not generalize. There are few quantifiable methods of establishing or refuting the validity of these practices from a user perspective. We propose a formal model of security policies that allows us to evaluate the claimed benefits to the user of the system quantitatively. We illustrate the use of the model by looking at a security policy we all live with daily: The Password Policy.

Kevin D. Jones, Kizito Salako
Legal Protection for Personal Information Privacy

While the privacy concerns raised by advances in information technologies are widely recognized, recent developments have led to a convergence of these technologies in many situations, presenting new challenges to the right to privacy. This paper examines the information technologies and its potential impact on individual privacy interests. The paper first discusses the right to privacy, personal information and information privacy separately, noting ways that new technologies create privacy concerns. The paper then examines the legislation in U.S., E.U. Finally, the paper examines existing protections for privacy in China, considers why they are insufficient, and proposes measures to enhance the legal protection of privacy interests to address these new technologies.

Yinan Liu
“The Four Most-Used Passwords Are Love, Sex, Secret, and God”: Password Security and Training in Different User Groups

Picking good passwords is a cornerstone of computer security. Yet already since the early days (e.g. The Stockings Were Hung by the Chimney with Care from 1973; we have also borrowed our title from the 1995 movie Hackers), insecure passwords have been a major liability. Ordinary users want simple and fast solutions – they either choose a trivial (to remember and to guess) password, or pick a good one, write it down and stick the paper under the mouse pad, inside the pocket book or to the monitor. They are also prone to reflecting their personal preferences in their password choices, providing telling hints online and giving them out on just a simple social engineering attack. Kevin Mitnick has said that security is not a product that can be purchased off the shelf, but consists of policies, people, processes, and technology. This applies fully to password security as well. We studied several different groups (students, educators, ICT specialists etc – more than 300 people in total) and their password usage. The methods included password practices survey, password training sessions, discussions and also simulated social engineering attacks (the victims were informed immediately about their mistakes).

We suggest that password training should be adjusted for different focus groups. For example, we found that schoolchildren tend to grasp new concepts faster – often, a simple explanation is enough to improve the password remarkably. Thus, we would stress the people and process aspects of the Mitnick formula mentioned above. At the same time, many officials and specialists tend to react to password training with dismissal and scorn (our study suggests that ’you cannot guess my password’ is an alarmingly common mindset). Examples like ’admin’, ’Password’, ’123456’ etc have occurred even at qualified security professionals, more so at educators. Yet, as Estonia is increasingly relying on the E-School system, these passwords are becoming a prime target. Therefore, for most adult users we suggest putting the emphasis on policy and technology aspects (strict, software-enforced lower limits of acceptable password length, character variability checks, but also clearly written rulesets etc).

Birgy Lorenz, Kaido Kikkas, Aare Klooster
The Privacy Paradox between Users’ Attitudes, Stringent Legal Framework and (the Lack of) Adequate Implementation Tools

This paper discusses the phenomenon, typical of our Digital Age, called as the ’privacy paradox’: although users are aware of the threats to their privacy, the analysis of their online behavior seemingly shows a lack of interest in their privacy, as they keep using online services and products, and even if they know their privacy rights and the existing legal measures to protect them, they appear unwilling of using available protection tools. This paper will show that the reason of this (apparent) paradox is not necessarily the users’ neglectful attitude towards their privacy but should be found in the lack of effective implementation tools, at both legal and technical level (e.g. privacy policies).

Shara Monteleone

User Centric Security and Privacy

Frontmatter
Addressing User Privacy and Experience in Distributed Long Lifetime Systems

Very large distributed systems that aim to offer natural interaction with their human users fail to address the everyday nature of trust and its establishment at their peril. In human interactions trust builds slowly, it builds contextually, and it builds by association. In contrast most software systems make assumptions regarding user behaviour and do little to learn at the natural pace of the user, this leads to an unnatural relationship between the user and the software, system or service they are using. The claims of social networking to address this only go so far as in many cases the objectives of the service and those of the user do not align or one melds to the other – treating a person as a social network entity quite distinct from that same person as a natural person. What this paper intends to show is how the privacy and security problem is being addressed across the smart city projects in Europe with particular emphasis placed on material from case studies taken from the i-Tour and i-SCOPE projects.

Scott W. Cadzow
Secure and Energy-Efficient Life-Logging in Wireless Pervasive Environments

The current proliferation of ubiquitous networking (e.g. WiFi, bluetooth) along with the high penetration of the pervasive devices (smart phones, tablets) have provided a substantial boost to life-logging; a framework for the every-day recording of sensitive and personal data of individuals. Life-logging systems usually consist of resource-constrained devices (sensors). Moreover, as for every emerging technology, life-logging is susceptible to a number of security threats. In this paper, we implement and evaluate a joint encryption and compression scheme using the current advances in compressed sensing theory. The evaluation shows that the reconstruction error is kept low even for high compression ratios, and the power consumption of the life-logging system significantly reduces.

Alexandros Fragkiadakis, Ioannis Askoxylakis, Elias Tragos
Supporting Human Decision-Making Online Using Information-Trustworthiness Metrics

The vast amount of information available online places decision makers wishing to use this content in an advantageous but also very difficult position. The advantages stem from the volume of content from a variety of sources that is readily available; the difficulties arise because of the often unknown quality and trustworthiness of the information – is it fact, opinion or purely meant to deceive? In this paper we reflect on and extend current work on information trust and quality metrics which can be used to address this difficulty. Specifically, we propose new metrics as worthy of consideration and the new combinatorics required to take measurements of the various trust factors into a single score. These feed into our existing overarching policy-based approach that uses trustworthiness metrics to support decision-making online.

Jason R. C. Nurse, Sadie Creese, Michael Goldsmith, Syed Sadiqur Rahman
On the Secure and Safe Data Synchronization

This paper deals with the aspects of data synchronization. The first part focuses on existing technologies and their features. We follow with the proposal of an application that can be used as an alternative to the existing solutions. The proposed peer-to-peer application includes several safety improvements and supports secure communication and data storage.

Pavel Ocenasek, Jaromir Karmazin
The Practice of Global Internet Filtering

This paper deals with Global Internet Filtering. Various technical solutions for Internet filtering are presented together with filtering analysis options. Several possibilities for blocked content access and filtering circumvention in general are discussed.

Pavel Ocenasek
A Privacy-Level Model of User-Centric Cyber-Physical Systems

In an interconnected cyber-world, Cyber-Physical Systems (CPSs) appear to play an increasingly important role in smart ecosystems. A variety of resource-constrained thin clients, such as sensors, RFIDs, actuators and smart devices, are included in the list of CPS. These devices can be used in a number of medical, vehicular, aviation, military and smart cities applications. A plethora of sensitive data is transmitted in insecure wireless or wired environments whilst adversaries are eager to eavesdrop, modify or destroy sensed data invading the privacy of user-centric CPSs. This work presents an overview and analysis of the most effective attacks, privacy challenges and mitigation techniques for preserving the privacy of users and their interconnected devices. In order to preserve privacy, a privacy-level model is proposed in which users have the capability of assigning different privacy levels based on the variety and severity of privacy challenges and devices’ capabilities. Finally, we evaluate the performance of specific CPSs at different privacy-levels in terms of time and consumed energy in an experimental test-bed that we have developed.

Nikolaos E. Petroulakis, Ioannis G. Askoxylakis, Apostolos Traganitis, George Spanoudakis
High-Level Design for a Secure Mobile Device Management System

Corporate security is threatened by the Bring-Your-Own-Device trend. As mobile devices that provide high computing and wireless communication capabilities are increasingly being used in business, leakage of personal information and confidential data stored in a mobile device increases and bypass routes to the corporate internal network are created by the mobile devices. A mobile device management system is a security solution to cope with these problems. This paper proposes a platform-independent mobile device management system using the Common Criteria for Information Technology Security Evaluation. As a result, the proposed design improves the security of the mobile device management system and guarantees high usability.

Keunwoo Rhee, Sun-Ki Eun, Mi-Ri Joo, Jihoon Jeong, Dongho Won
Factors Influencing Adoption of Encryption to Secure Data in the Cloud

This research measured factors that influence the adoption of encryption to secure data in the cloud and provided guidance on when encryption might be most appropriate. Additionally, the study investigated the important elements necessary to develop a framework for a secure cloud computing environment. The objective of this research was to provide normative guidance and empirical data that assists both cloud service providers and users of cloud technology in selecting the best mitigation, or suite of mitigations, that most effectively protect data in the cloud. This research helps to fill a gap by examining issues affecting cloud consumers, the elements that play a role in the decision to use a cloud service, and the influencing factors in the decision to use encryption to secure data in the cloud.

Kenneth E. Stavinoha
Cloudopsy: An Autopsy of Data Flows in the Cloud

Despite the apparent advantages of cloud computing, the fear of unauthorized exposure of sensitive user data [3,4,8,13] and non-compliance to privacy restrictions impedes its adoption for security-sensitive tasks. For the common setting in which the cloud infrastructure provider and the online service provider are different, end users have to trust the efforts of both of these parties for properly handling their private data as intended. To address this challenge, in this work, we take a step towards elevating the confidence of users for the safety of their cloud-resident data by introducing Cloudopsy, a service with the goal to provide a visual autopsy of the exchange of user data in the cloud premises. Cloudopsy offers a user-friendly interface to the customers of the cloud-hosted services to independently monitor and get a better understanding of the handling of their cloud-resident sensitive data by the third-party cloud-hosted services. While the framework is targeted mostly towards the end users, Cloudopsy provides also the service providers with an additional layer of protection against illegitimate data flows, e.g., inadvertent data leaks, by offering a graphical more meaningful representation of the overall service dependencies and the relationships with third-parties outside the cloud premises, as they derive from the collected audit logs. The novelty of Cloudopsy lies in the fact that it leverages the power of visualization when presenting the final audit information to the end users (and the service providers), which adds significant benefits to the understanding of rich but ever-increasing audit trails. One of the most obvious benefits of the resulting visualization is the ability to better understand ongoing events, detect anomalies, and reduce decision latency, which can be particularly valuable in real-time environments.

Angeliki Zavou, Vasilis Pappas, Vasileios P. Kemerlis, Michalis Polychronakis, Georgios Portokalidis, Angelos D. Keromytis
Backmatter
Metadata
Title
Human Aspects of Information Security, Privacy, and Trust
Edited by
Louis Marinos
Ioannis Askoxylakis
Copyright year
2013
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-39345-7
Print ISBN
978-3-642-39344-0
DOI
https://doi.org/10.1007/978-3-642-39345-7
