Advertisement

Perception of Risky Security Behaviour by Users: Survey of Current Approaches

  • Lynsay A. Shepherd
  • Jacqueline Archibald
  • R. I. Ferguson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8030)

Abstract

What constitutes risky security behaviour is not necessarily obvious to users and as a consequence end-user devices could be vulnerable to compromise. This paper seeks to lay the groundwork for a project to provide instant warning via automatic recognition of risky behaviour. It examines three aspects of the problem, behaviour taxonomy, techniques for its monitoring and recognition and means of giving appropriate feedback. Consideration is given to a way of quantifying the perception of risk a user may have. An ongoing project is described in which the three aspects are being combined in an attempt to better educate users to the risks and consequences of poor security behaviour. The paper concludes that affective feedback may be an appropriate method for interacting with users in a browser-based environment.

Keywords

End-user security behaviours usable security affective computing user monitoring techniques user feedback risk perception security awareness 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Li, Y., Siponen, M.: A call for research on home users information security behaviour. In: PACIS 2011, Proceedings (2011) (paper 112)Google Scholar
  2. 2.
    Pfleeger, S., Caputo, D.: Leveraging behavioral science to mitigate cyber security risk, Computers & Security (2012), doi:10.1016/j.cose.2011.12.010 (accessed October 29, 2012)Google Scholar
  3. 3.
    Stanton, J.M., et al.: Analysis of end user security behaviors. Computers and Security 24, 124–133 (2005)CrossRefGoogle Scholar
  4. 4.
    Hilbert, D., Redmiles, D.F.: Extracting usability information from user interface events. ACM Computing Surveys, 384–421 (December 2000)Google Scholar
  5. 5.
    Fenstermacher, K.D., Ginsburg, M.A.: Lightweight framework for cross-application user monitoring. IEEE Computer, 51–58 (2002)Google Scholar
  6. 6.
    Heishman, R., Duric, Z., Wechsler, H.: Understanding cognitive and affective states using eyelid movements. In: First IEEE International Conference on Biometrics: Theory, Applications, and Systems, BTAS 2007, September 27-29, pp. 1–6 (2007), http://dx.doi.org/10.1109/BTAS.2007.4401944 (accessed November 2, 2012)
  7. 7.
    Doubleday, A., et al.: A comparison of usability techniques for evaluating design. In: Coles, S. (ed.) Proceedings of the 2nd Conference on Designing Interactive Systems: Processes, Practices, Methods, and Techniques, DIS 1997, pp. 101–110. ACM, New York (1997), http://doi.acm.org/10.1145/263552.263583 (accessed November 2, 2012)
  8. 8.
    Staddon, J., et al.: Are privacy concerns a turn-off?: engagement and privacy in social networks. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, Article 10, 13 pages. ACM, New York (2012), http://doi.acm.org/10.1145/2335356.2335370 (accessed November 2, 2012)
  9. 9.
    Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: Security 2012 Proceedings of the 21st USENIX Conference on Security Symposium, Berkeley, CA, USA (2012); Also presented at Symposium On Usable Privacy and Security, July 11-13, pp. 462–469. ACM, Washington, DC (2012), https://www.usenix.org/conference/usenixsecurity12/how-does-your-password-measure-effect-strength-meters-password-creation (accessed November 2, 2012)
  10. 10.
    Balduzzi, M.: Attacking the privacy of social network users. HITB Secconf 2011 Malaysia (2011), http://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20%20Marco%20Balduzzi%20-%20Attacking%20the%20Privacy%20of%20Social%20Network%20Users.pdf (accessed September 21, 2012)
  11. 11.
    Hadnagy, C.: Social engineering: the art of human hacking, pp. 23–24. Wiley Publishing, Indianapolis (2011)Google Scholar
  12. 12.
    Payne, B., Edwards, W.: A brief introduction to usable security, pp. 13–21 (May/June 2008)Google Scholar
  13. 13.
    Fetscherin, M.: Importance of cultural and risk aspects in music piracy: A cross-national comparison among university students. Journal of Electronic Commerce Research (January 2009), www.csulb.edu/journals/jecr/issues/20091/Paper4.pdf (accessed October 30, 2012)
  14. 14.
    Farahmand, F., et al.: Risk perceptions of information security: A measurement study. In: Proceedings of the 2009 International Conference on Computational Science and Engineering, CSE 2009, vol. 3, pp. 462–469. IEEE, Washington, DC (2012), http://dx.doi.org/10.1109/CSE.2009.449 (accessed November 2, 2012)
  15. 15.
    Fischoff, B., et al.: How safe is safe enough? A psychometric study of attitudes towards technological risks and benefits. Policy Sciences 9(2), 127–152 (1978)CrossRefGoogle Scholar
  16. 16.
    Ng, B., Kankanhalli, A., Xu, Y.: Studying users’ computer security behavior: A health belief perspective. Decision Support Systems 46(4), 815–825 (2009), http://dx.doi.org/10.1016/j.dss.2008.11.010, doi:10.1016/j.dss.2008.11.010 (accessed December 6, 2012)Google Scholar
  17. 17.
    Dehn, D., Van Mulken, S.: The impact of animated interface agents: a review of empirical research. International Journal of Human– Computer Studies 52(1), 1–22 (2012), http://dx.doi.org/10.1006/ijhc.1999.0325 (accessed May 30, 2012)Google Scholar
  18. 18.
    McDarby, G., et al.: Affective feedback. Media Lab Europe (2004), http://medialabeurope.org/mindgames/publications/publicationsAffectiveFeedbackEnablingTechnologies.pdf (accessed May 22, 2012)
  19. 19.
    Robison, J., McQuiggan, S., Lester, J.: Evaluating the consequences of affective feedback in intelligent tutoring systems. In: Proceedings of International Conference on Affective Computing and Intelligent Interaction, ACII 2009, Amsterdam, pp. 37–42. IEEE (2009), http://www4.ncsu.edu/~jlrobiso/papers/acii2009.pdf (accessed May 22, 2012)
  20. 20.
    Hall, L., Woods, S., Aylett, R.S., Newall, L., Paiva, A.C.R.: Achieving empathic engagement through affective interaction with synthetic characters. In: Tao, J., Tan, T., Picard, R.W. (eds.) ACII 2005. LNCS, vol. 3784, pp. 731–738. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  21. 21.
    Jakobsson, M., Ramzan, Z.: Crimeware: understanding new attacks and defenses, p. 400. Addison-Wesley, Upper Saddle River (2008)Google Scholar
  22. 22.
    Ed Team. Social. HITB Magazine 1(6), 44–47 (2011), http://magazine.hitb.org/issues/HITB-Ezine-Issue-006.pdf (accessed September 21, 2012)
  23. 23.
    Shepherd, L.: Enhancing security risk awareness in end-users via affective feedback. PhD Proposal, University of Abertay, Dundee (2012) (unpublished)Google Scholar
  24. 24.
    Lewicki, R.J., Bunker, B.B.: Developing and maintaining trust in work relationships. In: Kramer, R., Tyler, T. (eds.) Trust in Organizations: Frontiers of Theory and Research, pp. 114–139. Sage Publications, Thousand Oaks (1996)CrossRefGoogle Scholar
  25. 25.
    Mcknight, D., et al.: Trust in a specific technology: An investigation of its components and measures. ACM Transactions on Management Information Systems 2(2), Article 12 (2012), http://dx.doi.org/10.1145/1985347.1985353 (accessed December 6, 2012)
  26. 26.
    Padayachee, K.: Taxonomy of compliant information security behavior. Computers & Security 31(5), 673–680 (2012), http://dx.doi.org/10.1016/j.cose.2012.04.004 (accessed December 6, 2012)
  27. 27.
    Takemura, T.: Empirical analysis of behavior on information security. In: Proceedings of the 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, ITHINGSCPSCOM 2011, pp. 358–363. IEEE Computer Society, Washington, DC (2011), http://dx.doi.org/10.1109/iThings/CPSCom.2011.8 (accessed January 7, 2013)
  28. 28.
    San-José, P., Rodriguez, S.: Study on information security and e-Trust in Spanish households. In: Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, BADGERS 2011, pp. 1–6. ACM, New York (2011), http://doi.acm.org/10.1145/1978672.1978673 (accessed January 7, 2013)
  29. 29.
    Herath, T., Rao, H.R.: Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Syst. 47(2), 154–165 (2009), http://dx.doi.org/10.1016/j.dss.2009.02.005 (accessed January 31, 2013)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Lynsay A. Shepherd
    • 1
  • Jacqueline Archibald
    • 1
  • R. I. Ferguson
    • 1
  1. 1.School of Engineering, Computing and Applied MathematicsUniversity of Abertay DundeeDundeeUK

Personalised recommendations