Security and Privacy Aspects of Human-Computer-Interactions
Recent Submissions
Item: Why Phishing Works on Smartphones: A Preliminary Study (2021-01-05)
Loxdal, Joakim; Andersson, Måns; Hacks, Simon; Lagerström, Robert
Phishing is a form of fraud where an attacker attempts to acquire sensitive information from a target by posing as trustworthy. One strategy to fool the target is spoofing of a legitimate website. But why do people fall for phishing, and which security indicators are utilized or not utilized when deciding the legitimacy of a website? Two such studies have been conducted so far, in 2006 and 2015. As time has passed since then, we would like to check whether people have meanwhile become more certain in identifying spoofed websites. Therefore, 20 participants were observed while they analyzed and classified websites as legitimate or spoofed. On average, participants had a success rate of 69 %, in line with the results of previous studies. The URL was used as an indicator by most of the participants (80 %), indicating that user behavior and the ease of identifying spoofed and legitimate websites are not very different on a smartphone compared to a desktop. Almost all participants used the content of the website at least once when deciding whether a website was spoofed or legitimate. These findings will be used to conduct a bigger study to obtain more robust results.

Item: Understanding Security Behavior of Real Users: Analysis of a Phishing Study (2021-01-05)
Kang, Mingqing; Shonman, Matthew; Subramanya, Anshul; Zhang, Haoruo; Li, Xiangyang; Dahbura, Anton
This paper presents a set of statistical analyses on an empirical study of phishing email sorting by real online users. Participants were assigned to multitasking and/or incentive conditions in unattended web-based tasks that are the most realistic in any comparable study to date. Our three stages of analyses included logistic regression models to identify individual phishing "cues" contributing to successful classifications, statistical significance tests assessing the links between participants' training experience and self-assessments of success and their actual performance, significance tests searching for significant demographic factors influencing task completion performance, and lastly k-means clustering based on a range of performance measures and utilizing participants' demographic attributes. In particular, the results indicate that multitasking and incentives create complex dynamics, while demographic traits and cybersecurity training can be informative predictors of user security behavior. These findings strongly support the benefits of security training and education and advocate for customized and differentiated interventions to increase users' success in correctly identifying phishing emails.

Item: Immersive Storytelling for Information Security Awareness Training in Virtual Reality (2021-01-05)
Ulsamer, Philipp; Schütz, Andreas; Fertig, Tobias; Keller, Lisa
Due to the central role of the human factor in information security, the need for information security awareness (ISA) is constantly increasing. In order to maintain a high level of ISA, training has to be carried out frequently to ensure sustainability. Since education via VR has led to a sustainable learning effect in other fields, we evaluated the use of VR for ISA training. Moreover, we combined our VR training with immersive storytelling. For the evaluation we used two sets of participants. The first group was trained with a traditional e-learning method before answering the questionnaire; the second used our VR training. After one week we repeated the questionnaires. The results showed that the VR group achieved higher scores than the non-VR group. Moreover, the VR group achieved even higher scores after one week, which might be due to the sustained learning effect of the VR training.

Item: A Shoulder-Surfing Resistant Scheme Embedded in Traditional Passwords (2021-01-05)
Lai, Jianwei; Arko, Ernest
Typing passwords is vulnerable to shoulder-surfing attacks. In this study we propose a shoulder-surfing resistant scheme embedded in traditional textual passwords. With the proposed scheme, when the password field has focus, a pattern appears in it as a hint telling the user how to enter the password. Following the hint, the user needs to skip some characters while typing the password. The characters to be skipped are randomly selected, so that an observer will not be able to see the whole password even if the authentication procedure was recorded. We evaluated the proposed scheme in a usability study. Compared to traditional passwords, our scheme achieved a similar level of accuracy while requiring only marginally more time to authenticate users. Participants also expressed significantly higher acceptance of the new technique for security-sensitive applications and gave it significantly higher ratings in perceived security, shoulder-surfing resistance, camera-recording resistance, and guess-attack resistance.

Item: Introduction to the Minitrack on Security and Privacy Aspects of Human-Computer-Interactions (2021-01-05)
Weber, Kristin; Müller, Nicholas; Rosenthal, Paul
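The following is an added toy model of the skip-pattern password entry scheme described in the Lai and Arko abstract above; it is not the authors' implementation and the abstract does not specify their hint pattern or verification design. The "_"/"x" hint rendering, the function names, the constructed demo password and the assumption that the verifier can recompute the expected keystrokes from a stored copy of the password are all mine. The observer model at the end shows the property the abstract claims (one recording never contains the whole password) and the caveat a practitioner would check: an observer who records both the on-screen hint and the keystrokes across several logins eventually learns every character.

```python
"""Toy model of a skip-pattern password entry scheme (added illustration,
not the authors' implementation)."""
import hmac
import random
import secrets
from typing import Dict, Iterable, Optional, Sequence, Tuple


def make_challenge(password_len: int, skip_count: int,
                   rng: Optional[random.Random] = None) -> Tuple[int, ...]:
    """Choose which password positions the user must omit this time.

    Positions are drawn fresh for every login attempt so that one recording
    of the keystrokes never contains the whole password. `rng` is injectable
    for tests; by default the OS CSPRNG is used.
    """
    if not 0 < skip_count < password_len:
        raise ValueError("skip_count must leave at least one character to type")
    rng = rng if rng is not None else secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(password_len), skip_count)))


def render_hint(password_len: int, skip: Sequence[int]) -> str:
    """Hint shown in the focused field: '_' = type this char, 'x' = skip it.

    Hypothetical visual pattern; the study's actual pattern is not described
    in the abstract.
    """
    skipped = set(skip)
    return "".join("x" if i in skipped else "_" for i in range(password_len))


def apply_skip(password: str, skip: Sequence[int]) -> str:
    """What a user who follows the hint actually types."""
    skipped = set(skip)
    return "".join(c for i, c in enumerate(password) if i not in skipped)


def verify(stored_password: str, skip: Sequence[int], typed: str) -> bool:
    """Server-side check of the typed response against the issued challenge.

    Assumption: the verifier holds a copy of the password from which it can
    derive the expected keystrokes. A scheme like this cannot be checked
    against a one-way hash of the full password, which is a real deployment
    cost compared with traditional password storage.
    """
    expected = apply_skip(stored_password, skip)
    return hmac.compare_digest(expected.encode(), typed.encode())


def positions_learned(password_len: int,
                      sessions: Iterable[Tuple[Sequence[int], str]]) -> Dict[int, str]:
    """Model an observer who records both the hint and the keystrokes.

    Each session reveals the characters at the non-skipped positions; the
    union over sessions grows until the whole password is known.
    Returns position -> character recovered so far.
    """
    known: Dict[int, str] = {}
    for skip, typed in sessions:
        skipped = set(skip)
        typed_positions = [i for i in range(password_len) if i not in skipped]
        for pos, ch in zip(typed_positions, typed):
            known[pos] = ch
    return known


def sessions_until_full_leak(password: str, skip_count: int,
                             seed: Optional[int] = None,
                             max_sessions: int = 1000) -> int:
    """Number of recorded logins before the observer holds every character."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    known: Dict[int, str] = {}
    for n in range(1, max_sessions + 1):
        skip = make_challenge(len(password), skip_count, rng)
        known.update(positions_learned(len(password), [(skip, apply_skip(password, skip))]))
        if len(known) == len(password):
            return n
    return max_sessions


if __name__ == "__main__":
    pw = "correcthorse"  # constructed demo secret, not a real credential
    skip = make_challenge(len(pw), 4)
    print("hint :", render_hint(len(pw), skip))
    print("type :", apply_skip(pw, skip))
    print("ok   :", verify(pw, skip, apply_skip(pw, skip)))
    print("full leak after", sessions_until_full_leak(pw, 4, seed=1), "recorded logins")
```

The `positions_learned` model assumes the observer sees the hint as well as the keystrokes, which is the case for a camera pointed at the screen; an observer who only sees the keyboard learns a subsequence without knowing which positions were skipped, so the leak is slower but still accumulates over recordings.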