- Award ID(s):
- 1931108
- NSF-PAR ID:
- 10176924
- Date Published:
- Journal Name:
- Symposium on Usable Privacy and Security (SOUPS)
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
- This paper examines how habituation to frequent software notifications may carry over to infrequent security warnings. This general process—known as stimulus generalization or simply generalization—is a well-established phenomenon in neurobiology that has clear implications for information security. Because software user interface guidelines call for visual consistency, software notifications and security warnings have a similar look and feel. Consequently, through frequent exposure to notifications, people may become habituated to security warnings they have never seen before. The objective of this paper is to propose an fMRI experimental design to measure the extent to which this occurs. We also propose testing security warning designs that are resistant to generalization of habituation effects.
- Chronic stress has been extensively studied in both laboratory and field settings; however, a conclusive and consistent phenotype has not been reached. Several studies have reported attenuation of the hypothalamic–pituitary–adrenal axis during experiments intended to cause chronic stress. We sought to determine whether this attenuation could be indicative of habituation. Importantly, we were not investigating habituation to a specific stimulus—as many stress physiology studies do—but rather we assessed how the underlying physiology and behavior changed in response to repeated stressor presentation. We exposed house sparrows (Passer domesticus) to a single stimulus twice per day at random times for 8 consecutive days. We predicted that this period of time would be long enough for the birds to determine that these acute stressors were not, in fact, dangerous and they would, therefore, acclimate. A second control group remained undisturbed for the same period of time. We measured baseline, stress‐induced, negative feedback strength, and maximum production of corticosterone as well as neophobic behavior before, during, and after this 8‐day experiment. When birds experienced a stimulus for 4 days, their negative feedback strength was significantly diminished, but recovered after the second 4 days. Additionally, perch hopping decreased and recovered in this same time frame. These data suggest that distinct physiological and behavioral responses arise when house sparrows are exposed to the same stressor for several consecutive days as opposed to many stressors layered on top of one another. Furthermore, they indicate that habituation—as with chronic stress—can appear differently depending on the metric being examined.
- Improving end-users’ awareness of cybersecurity warnings (e.g., phishing and malware alerts) remains a longstanding problem in usable security. Prior work suggests two key weaknesses with existing warnings: they are primarily communicated via saturated communication channels (e.g., visual, auditory, and vibrotactile); and, they are communicated rationally, not viscerally. We hypothesized that wrist-based affective haptics should address both of these weaknesses in a form-factor that is practically deployable: i.e., as a replaceable wristband compatible with modern smartwatches like the Apple Watch. To that end, we designed and implemented Spidey Sense, a wristband that produces customizable squeezing sensations to alert users to urgent cybersecurity warnings. To evaluate Spidey Sense, we applied a three-phased ‘Gen-Rank-Verify’ study methodology with 48 participants. We found evidence that, relative to vibrotactile alerts, Spidey Sense was considered more appropriate for the task of alerting people to cybersecurity warnings.
- Witnessing the blooming adoption of push notifications on mobile devices, this new message delivery paradigm has become pervasive in diverse applications. Accompanying its broad adoption, the potential security risks and privacy exposure issues raise public concerns regarding its great social impacts. This paper conducts the first attempt to exploit the mobile notification ecosystem. By dissecting its structural elements and implementation process, a comprehensive vulnerability analysis is conducted towards the complete flow of mobile notification from platform enrollment to messaging. Meanwhile, for privacy exposure, we first examine the implementation of privacy policy compliance by proposing a three-level inspection approach to guide our analysis. Then, our top-down methods from documentation analysis, application network traffic study, to static analysis expose the illicit data collection behaviors in released applications. In addition, we uncover the potential privacy inference resulting from the notification monitoring. To support our analysis, we conduct empirical studies on 12 most popular notification platforms and perform static analysis over 30,000+ applications. We discover: 1) six platforms either provide ambiguous KEY naming rules or offer vulnerable messaging APIs; 2) privacy policy compliance implementations are either stagnated at the documentation stages (8 of 12 platforms) or never implemented in apps, resulting in billions of users suffering from privacy exposure; and 3) some apps can stealthily monitor notification messages delivered to other apps, potentially incurring user privacy inference risks. Our study raises the urgent demand for better regulations of mobile notification deployment.
- There are lingering questions about the effectiveness of the watch, warning, and advisory system (WWA) used to convey weather threats in the United States. Recently there has been a shift toward alternative communication strategies such as the impact-based forecast. The study reported here compared users’ interpretation of a color-coded impact-based prototype designed for email briefings, to a legacy WWA format. Participants, including emergency managers and members of the public, saw a weather briefing and rated event likelihood, severity, damage, and population affected. Then they recommended emergency response actions. Each briefing described the severity of the weather event and the degree of impact on population and property. In one condition a color-coded impacts scale was added to the text description. In another, an advisory and/or warning was added to the text description. These were compared with the text-only control. Both emergency managers and members of the public provided higher ratings for event likelihood, severity, damage, and population affected and recommended a greater response for higher impact levels regardless of format. For both groups, the color-coded format decreased ratings for lower-impact events. Among members of the public, the color-coded format also led to increases for many ratings and greater response at higher levels relative to the other two conditions. However, the highest ratings among members of the public were in the WWA condition. Somewhat surprisingly, the only effect of the WWA format on emergency managers was to reduce action recommendations, probably because of the inclusion of the “advisory” in some briefings.