Clickbait headlines rely on superlatives and intensifiers to create information gaps that make their associated links seem relevant, directing users to time-wasting and sometimes even malicious websites. This approach can be amplified through targeted clickbait, which draws on publicly available social media information to align the clickbait with users' preferences and beliefs. In this work, we first conducted preliminary studies to understand the influence of targeted clickbait on users' clicking behavior. Based on our findings, we involved 24 users in the participatory design of story-based warnings against targeted clickbait. Our analysis of the user-created warnings led to four design variations, which we evaluated through an online survey on Amazon Mechanical Turk. Our findings show the importance of integrating information with persuasive narratives to create effective warnings against targeted clickbait. Overall, our studies provide valuable insights into users' perceptions of and behaviors towards targeted clickbait, and into the efficacy of story-based interventions.
https://doi.org/10.1145/3613904.3642301
Patching software theoretically leads to improvements, including security-critical changes, but it can also introduce new issues. For system administrators (sysadmins), new issues can negatively impact operations at their organization. While mitigation options such as test environments exist, little is known about their prevalence or how contextual factors like organization size affect the practice of Patch Management. We surveyed 220 sysadmins engaged in Patch Management to investigate self-reported behaviors. We found that dedicated testing environments are not as prevalent as previously assumed. We also expand on known behaviors that sysadmins exhibit when facing a troublesome patch, such as employing a range of problem-solving behaviors to inform their patching decisions.
https://doi.org/10.1145/3613904.3642456
The advent of Web3 technologies promises unprecedented levels of user control and autonomy. However, this decentralization shifts the burden of security onto the users, making it crucial to understand their security behaviors and perceptions. To address this, our study introduces a comprehensive framework that identifies four core components of user interaction within the Web3 ecosystem: blockchain infrastructures, Web3-based Decentralized Applications (DApps), online communities, and off-chain cryptocurrency platforms. We delve into the security concerns perceived by users in each of these components and analyze the mitigation strategies they employ, ranging from risk assessment and aversion to diversification and acceptance. We further discuss the landscape of both technical and human-induced security risks in the Web3 ecosystem, identify the unique security differences between Web2 and Web3, and highlight key challenges that render users vulnerable, to provide implications for security design in Web3.
https://doi.org/10.1145/3613904.3642291
Amidst growing IT security challenges, the psychological underpinnings of security behaviors have received considerable interest, e.g. cybersecurity Self-Efficacy (SE), the belief in one's own ability to enact cybersecurity-related skills. Due to diverging definitions and proposed mechanisms, research methods in this field vary considerably, potentially impeding replicable evidence and meaningful research synthesis. We report a preregistered systematic literature review investigating (a) cybersecurity SE measures, (b) SE's proposed roles, and (c) intervention approaches. We minimized selection bias through detailed exclusion criteria, an interdisciplinary search strategy, and double coding. Among 174 cybersecurity SE studies (2010-2021) from 18 databases with 55,758 subjects, we identified 173 different SE measures with considerable differences in psychometric quality and validity evidence. We found 276 variables treated as assumed causes or outcomes of cybersecurity SE and identified 13 intervention designs. This review demonstrates the extent of methodological and conceptual fragmentation in cybersecurity SE research. We offer recommendations to move our research community toward standardization.
https://doi.org/10.1145/3613904.3642432
Fallback authentication, the process of re-establishing access to an account when the primary authenticator is unavailable, is critically important. Approaches range from secondary channels such as email and SMS to personal knowledge questions (PKQs) and social authentication. A key difference from primary authentication is that the duration between enrollment and authentication can be much longer, typically months or years. However, few systems have been studied over extended timeframes, making it difficult to know how well these systems truly help users recover their accounts. We also lack meaningful comparisons of schemes, as most prior work examined at most two mechanisms. We report the results of an 18-month user study of the usability of fallback authentication, providing a fair comparison of the four most commonly used fallback authentication methods. We show that users prefer email- and SMS-based methods, while mechanisms based on PKQs and trustees lag behind in both successful resets and convenience.
https://doi.org/10.1145/3613904.3642889