Security awareness, training & practices

Paper session

Conference name
CHI 2020
What is this URL's Destination? Empirical Evaluation of Users' URL Reading
Abstract

Common anti-phishing advice tells users to mouse over links, look at the URL, and compare to the expected destination, implicitly assuming that they are able to read the URL. To test this assumption, we conducted a survey with 1929 participants recruited from the Amazon Mechanical Turk and Prolific Academic platforms. Participants were shown 23 URLs with various URL structures. For each URL, participants were asked via a multiple choice question where the URL would lead and how safe they feel clicking on it would be. Using latent class analysis, participants were stratified by self-reported technology use. Participants were strongly biased towards answering that the URL would lead to the website of the organization whose name appeared in the URL, regardless of its position in the URL structure. The group with the highest technology use was only minorly better at URL reading.

Keywords
Uniform Resource Locators
web literacy
URL readability
link destination
online security
technology usage
phishing
Authors
Sara Albakry
University of Edinburgh, Edinburgh, United Kingdom
Kami Vaniea
University of Edinburgh, Edinburgh, United Kingdom
Maria K. Wolters
University of Edinburgh, Edinburgh, United Kingdom
DOI

10.1145/3313831.3376168

Paper URL

https://doi.org/10.1145/3313831.3376168

Measuring Identity Confusion with Uniform Resource Locators
Abstract

Uniform Resource Locators (URLs) unambiguously specify host identity on the web. URLs are syntactically complex, and although software can accurately parse identity from URLs, users are frequently exposed to URLs and expected to do the same. Unfortunately, incorrect assessment of identity from a URL can expose users to attacks, such as typosquatting and phishing. Our work studies how well users can correctly determine the host identity of real URLs from common services and obfuscated "look-alike" URLs. We observe that participants employ a wide range of URL parsing strategies, and can identify real URLs 93% of the time. However, only 40% of obfuscated URLs were identified correctly. These mistakes highlighted several ways in which URLs were confusing to users and why their existing URL parsing strategies fall short. We conclude with future research directions for reliably conveying website identity to users.
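
Both of the URL-reading papers above (Albakry et al. and Reynolds et al.) turn on the same gap: the host a browser will connect to is fixed by URL syntax, while users tend to answer with whichever organisation's name appears anywhere in the string. The following script is an added example, not code from either paper or its authors. It parses the destination host the way software does, compares it with the "name appears somewhere" heuristic, and runs both over a constructed set of look-alike URLs. The hosts bank.example (the impersonated organisation) and evil.test (an attacker-controlled domain) are placeholders, and the script assumes the brand is given as a registrable domain so no public-suffix list is needed.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for this example (none are taken from either paper).
# "bank.example" stands in for the organisation whose name a phisher borrows;
# "evil.test" is a hypothetical attacker-controlled domain.
BRAND = "bank.example"
SAMPLE_URLS = [
    "https://bank.example/login",                     # genuine
    "https://login.bank.example/",                    # genuine subdomain
    "https://bank.example.evil.test/login",           # brand as a subdomain label
    "https://evil.test/bank.example/login",           # brand in the path
    "https://bank.example@evil.test/login",           # brand in the userinfo part
    "https://evil.test/?next=https://bank.example/",  # brand in the query string
    "https://b\u0430nk.example/",                     # Cyrillic 'a' homograph
]


def destination_host(url: str) -> str:
    """Host the browser will actually connect to, as an ASCII (A-label) name.

    urlsplit().hostname drops scheme, userinfo, port, path and query and
    lowercases the result, which is exactly the identity-bearing part of the
    URL. IDNA encoding turns any non-ASCII label into its xn-- form, so a
    homograph cannot compare equal to the ASCII brand name.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.encode("idna").decode("ascii")


def mentions_brand(url: str, brand: str) -> bool:
    """The heuristic the studies found users applying: does the name appear anywhere?"""
    return brand.lower() in url.lower()


def leads_to_brand(url: str, brand: str) -> bool:
    """Structural check: is the destination host the brand domain or a subdomain of it?

    `brand` is assumed to be a registrable domain (eTLD+1), which is why a
    plain suffix comparison is enough here.
    """
    host = destination_host(url)
    brand = brand.lower()
    return host == brand or host.endswith("." + brand)


def audit(urls, brand):
    """Compare the name-spotting heuristic with the structural answer for each URL."""
    return [
        {
            "url": url,
            "host": destination_host(url),
            "mentions_brand": mentions_brand(url, brand),
            "leads_to_brand": leads_to_brand(url, brand),
        }
        for url in urls
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE_URLS, BRAND):
        verdict = "OK " if row["leads_to_brand"] else "NOT"
        print(f"{verdict} brand  host={row['host']:<24} "
              f"mentions={row['mentions_brand']!s:<5} {row['url']}")
```

Of the seven constructed URLs, six contain the ASCII string "bank.example" but only the first two actually resolve to that domain; the homograph is the reverse case, since a reader sees "bank" while the encoded host is an unrelated xn-- name and the substring check does not even fire. That asymmetry is the point both papers measure.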

Keywords
Usable Security
URL
Phishing
Server Identity
Authentication
URL Readability
Authors
Joshua Reynolds
University of Illinois at Urbana-Champaign, Urbana, IL, USA
Deepak Kumar
University of Illinois at Urbana-Champaign, Champaign, IL, USA
Zane Ma
University of Illinois at Urbana-Champaign, Urbana, IL, USA
Rohan Subramanian
University of Illinois at Urbana-Champaign, Urbana, IL, USA
Meishan Wu
University of Illinois at Urbana-Champaign, Urbana, IL, USA
Martin Shelton
Google, Inc., San Francisco, CA, USA
Joshua Mason
University of Illinois at Urbana-Champaign, Urbana, IL, USA
Emily Stark
Google, Inc., Mountain View, CA, USA
Michael Bailey
University of Illinois at Urbana-Champaign, Champaign, IL, USA
DOI

10.1145/3313831.3376298

Paper URL

https://doi.org/10.1145/3313831.3376298

Evaluating the Information Security Awareness of Smartphone Users
Abstract

Information security awareness (ISA) is a practice focused on the set of skills which help a user successfully mitigate social engineering (SE) attacks. Evaluating the ISA of users is crucial, since early identification of users who are more vulnerable to SE attacks improves system security. Previous studies for evaluating the ISA of smartphone users rely on subjective data sources (questionnaires) and do not address the differences between classes of SE attacks. This paper presents a framework for evaluating the ISA of smartphone users for specific attack classes. In addition to questionnaires, we utilize objective data sources: a mobile agent, a network traffic monitor, and cybersecurity challenges. We evaluated the framework by conducting a long-term user study involving 162 users. The results show that: the self-reported behavior of users differs significantly from their actual behavior and the ISA level derived from the actual behavior of users is highly correlated with their ability to mitigate SE attacks.

Award
Honorable Mention
Keywords
Information Security Awareness
Social Engineering
Human Factors
Mobile Devices
Authors
Ron Bitton
Ben Gurion University, Be'er Sheba, Israel
Kobi Boymgold
Ben Gurion University, Be'er Sheba, Israel
Rami Puzis
Ben Gurion University, Be'er Sheba, Israel
Asaf Shabtai
Ben Gurion University, Be'er Sheba, Israel
DOI

10.1145/3313831.3376385

Paper URL

https://doi.org/10.1145/3313831.3376385

Examining the Adoption and Abandonment of Security, Privacy, and Identity Theft Protection Practices
Abstract

Users struggle to adhere to expert-recommended security and privacy practices. While prior work has studied initial adoption of such practices, little is known about the subsequent implementation and abandonment. We conducted an online survey (n=902) examining the adoption and abandonment of 30 commonly recommended practices. Security practices were more widely adopted than privacy and identity theft protection practices. Manual and fully automatic practices were more widely adopted than practices requiring recurring user interaction. Participants' gender, education, technical background, and prior negative experience are correlated with their levels of adoption. Furthermore, practices were abandoned when they were perceived as low-value, inconvenient, or when users overrode them with subjective judgment. We discuss how security, privacy, and identity theft protection recommendations and tools can be better aligned with user needs.

Award
Honorable Mention
Keywords
user behavior
usable security and privacy
risk perception
security and privacy decision-making
adoption
abandonment
technology non-use
Authors
Yixin Zou
University of Michigan, Ann Arbor, MI, USA
Kevin Roundy
NortonLifeLock Research Group, Culver City, CA, USA
Acar Tamersoy
NortonLifeLock Research Group, Culver City, CA, USA
Saurabh Shintre
NortonLifeLock Research Group, Mountain View, CA, USA
Johann Roturier
NortonLifeLock Research Group, Dublin, Ireland
Florian Schaub
University of Michigan, Ann Arbor, MI, USA
DOI

10.1145/3313831.3376570

Paper URL

https://doi.org/10.1145/3313831.3376570

Understanding Cybersecurity Practices in Emergency Departments
Abstract

Emergency departments (EDs) have unique operational requirements within hospitals. They have strong availability demands, are staffed by rotating personnel, and must provide services as quickly as possible. Modern EDs are also heavily computerized, and as such cybersecurity practices play a key role in meeting the expected operational standards. To better understand the cybersecurity challenges in EDs, we conducted a survey asking 347 ED personnel across Canada about their cybersecurity practices. The survey collected information relating to authentication and password management, use of personal devices for handling patient data, Internet connectivity on personal and hospital systems, and institutional security policies. Our results show that across multiple hospitals, deployed computer security systems fail to integrate with the requirements of staff and patients, leading to interruptions and inefficiencies.

Keywords
Security
Usability
Medicine
Hospitals
Authors
Elizabeth Stobert
Carleton University, Ottawa, ON, Canada
David Barrera
Carleton University, Ottawa, ON, Canada
Valérie Homier
McGill University, Montreal, PQ, Canada
Daniel Kollek
McMaster University, Dundas, ON, Canada
DOI

10.1145/3313831.3376881

Paper URL

https://doi.org/10.1145/3313831.3376881