Design and Field Evaluation of PassSec: Raising and Sustaining Web Surfer Risk Awareness

  • Melanie Volkamer
  • Karen Renaud
  • Gamze Canova
  • Benjamin Reinheimer
  • Kristoffer Braun
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9229)

Abstract

This paper presents PassSec, a Firefox Add-on that raises users' awareness of safe and unsafe password entry while they surf the web. PassSec comprises a two-stage approach: highlighting as the web page loads, then bringing up a just-in-time helpful dialogue when the user demonstrates an intention to enter a password on an unsafe web page. PassSec was developed using a human-centred design approach. We performed a field study with 31 participants that showed that PassSec significantly reduces the number of logins on websites where password entry is unsafe.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Melanie Volkamer (1, 3)
  • Karen Renaud (2)
  • Gamze Canova (1)
  • Benjamin Reinheimer (1)
  • Kristoffer Braun (1)
  1. Technische Universität Darmstadt, Darmstadt, Germany
  2. University of Glasgow, Glasgow, UK
  3. Karlstad University, Karlstad, Sweden