Title: Who Provides Phishing Training?: Facts, Stories, and People Like Me
Humans represent one of the most persistent vulnerabilities in many computing systems. Since human users are independent agents who make their own choices, closing these vulnerabilities means persuading users to make different choices. Focusing on one specific human choice -- clicking on a link in a phishing email -- we conducted an experiment to identify better ways to train users to make more secure decisions. We compared traditional facts-and-advice training against training that uses a simple story to convey the same lessons. We found a surprising interaction effect: facts-and-advice training works better than not training users, but only when presented by a security expert. Stories don't work quite as well as facts-and-advice, but work much better when told by a peer. This suggests that the perceived origin of training materials can have a surprisingly large effect on security outcomes.
Award ID(s):
1714126
PAR ID:
10064776
Author(s) / Creator(s):
Date Published:
Journal Name:
ACM Conference on Human Factors in Computing (CHI)
Page Range / eLocation ID:
1 to 12
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect, including loss of private data, intellectual property, competitive edge, and performance. Despite the growing software industry and a push towards a digital economy, enterprises increasingly consider security an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the NARX neural network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, others were not affected at all.
  2. Cybercafes remain a popular way to access the Internet in the developing world, as many users still lack access to personal computers. Coupled with the recent digitization of government services, e.g. in Kenya, many users have turned to cybercafes to access essential services. Many of these users may have never used a computer, and face significant security and privacy issues at cybercafes. Yet these challenges, as well as the advice offered, remain largely unexplored. We investigate these challenges along with the security advice and support provided by the operators at cybercafes in Kenya through n = 36 semi-structured interviews (n = 14 with cybercafe managers and n = 22 with customers). We find that cybercafes serve a crucial role in Kenya by enabling access to printing and government services. However, most customers face challenges with computer usage as well as security and usability challenges with account creation and password management. As a workaround, customers often rely on the support and advice of cybercafe managers, who mostly direct them to use passwords that are memorable, e.g. simply using their national ID numbers or names. Some managers directly manage passwords for their customers, with one even using the same password for all their customers. These results suggest the need for more awareness about phone-based password managers, as well as a need for computer training and security awareness among these users. There is also a need to explore security and privacy advice beyond Western peripheries to support broader populations.
  3. The Internet enables users to access vast resources, but it can also expose users to harmful cyber-attacks. It is imperative that users be informed about a security incident in a timely manner in order to make proper decisions. Visualization of security threats and warnings is one of the effective ways to inform users. However, visual cues are not always accessible to all users, in particular those with visual impairments. This late-breaking-work paper hypothesizes that the use of proper sounds in conjunction with visual cues can better represent security alerts to all users. Toward our research goal of validating this hypothesis, we first describe a methodology, referred to as sonification, to effectively design and develop auditory cyber-security threat indicators to warn users about cyber-attacks. Next, we present a case study, along with the results, of various types of usability testing conducted on a number of Internet users who are visually impaired. The presented concept can be viewed as a general framework for the creation and evaluation of human factor interactions with sounds in a cyber-space domain. The paper concludes with a discussion of future steps to enhance this work.
  4. We examined how robots can successfully serve as moral advisors for humans. We evaluated the effectiveness of moral advice grounded in deontological, virtue, and Confucian role ethics frameworks in encouraging humans to make honest decisions. Participants were introduced to a tempting situation where extra monetary gain could be earned by choosing to cheat (i.e., violating the norm of honesty). Prior to their decision, a robot encouraged honest choices by offering a piece of moral advice grounded in one of the three ethics frameworks. While the robot's advice was overall not effective at discouraging dishonest choices, there was preliminary evidence indicating the relative effectiveness of moral advice drawn from deontology. We also explored how different cultural orientations (i.e., vertical and horizontal collectivism and individualism) influence honest decisions across differently framed moral advice. We found that individuals with a strong cultural orientation of establishing their own power and status through competition (i.e., high vertical individualism) were more likely to make dishonest choices, especially when moral advice was drawn from virtue ethics. Our findings suggest the importance of considering different ethical frameworks and cultural differences to design robots that can guide humans to comply with the norm of honesty.
  5. Remote Patient Monitoring (RPM) devices transmit patients' medical indicators (e.g., blood pressure) from the patient's home testing equipment to their healthcare providers, in order to monitor chronic conditions such as hypertension. AI systems have the potential to enhance access to timely medical advice based on the data that RPM devices produce. In this paper, we report on three studies investigating how the severity of users' medical condition (normal vs. high blood pressure), security risk (low vs. modest vs. high risk), and medical advice source (human doctor vs. AI) influence user perceptions of advisor trustworthiness and willingness to disclose RPM-acquired information. We found that trust mediated the relationship between the advice source and users' willingness to disclose health information: users trust doctors more than AI and are more willing to disclose their RPM-acquired health information to a more trusted advice source. However, we unexpectedly discovered that, conditional on trust, users disclose RPM-acquired information more readily to AI than to doctors. We observed that the advice source did not influence perceptions of security and privacy risks. We conclude by discussing how our findings can support the design of RPM applications.