
Improving Security Decisions with Polymorphic and Audited Dialogs

Improving Security Decisions with Polymorphic and Audited Dialogs. José Carlos Brustoloni and Ricardo Villamarín-Salomón Dept. Computer Science University of Pittsburgh {jcb,rvillsal}@cs.pitt.edu. The problem.


Presentation Transcript


  1. Improving Security Decisions with Polymorphic and Audited Dialogs
     José Carlos Brustoloni and Ricardo Villamarín-Salomón
     Dept. Computer Science, University of Pittsburgh
     {jcb,rvillsal}@cs.pitt.edu

  2. The problem
     • Context-dependent security decisions where application needs user input to characterize context
     • Problem: user will give false inputs if necessary to get application to perform action user wants
     J. Brustoloni and R. Villamarin

  3. Example
     • Should an email agent allow the user to open an email attachment?
     • Decision depends on context:
     • Does user know sender?
     • Would alleged sender have used that particular account?
     • Do message subject and body make sense?
     • Was user expecting attachment from sender?
     • ...
     • Email agent would need to ask user

  4. What do applications actually do?
     • Warn and continue (W&C) – e.g., IE, Firefox
     • Hope that user will competently and independently judge situation
     • Usually futile – most users blindly hit continue
     • No warning (NW) – e.g., Thunderbird
     • Trade off security for usability
     • No dialog (ND) – e.g., recent versions of MS Outlook
     • Application hides unsafe attachments – user cannot open or save them
     • Can puzzle and upset users
     • Trade off usability for security

  5. Can’t a dialog guide user’s decision?
     • Context Sensitive Guidance (CSG):
     • ask about user context → user gives true answers → perform secure action
     • In theory, it should work
     • In practice, much harder than you’d expect
     • User will answer anything that seems necessary to get action user wants
     • User will learn the “successful” sequence of answers and repeat it automatically in the future, regardless of context
     • They are not disturbed by the fact they’re being observed
     • Will gleefully volunteer that they do that all the time in real life

  6. Contributions
     • Two techniques for improving truthfulness of user inputs in security dialogs:
     • Polymorphic dialogs
     • Audited dialogs

  7. Theory
     • Context-sensitive guidance not necessarily rewarding:
     • user context → true answers → secure action (may not be what user wants)
     • Many security dialog prompts are fixed and user answers are nearly always the same
     • Operant conditioning theory predicts what actually happens:
     • fixed dialog → automatic answers → action user wants
     • Our interventions seek to improve users’ behavior (answers) by manipulating:
     • in polymorphic dialogs, the behavior’s antecedents (dialog prompts)
     • in audited dialogs, the behavior’s consequences (penalties for unjustified answers)

  8. Polymorphic dialogs
     • Deliberately vary dialog form to avoid triggering automatic answers
     • Thoughtless answers have unpredictable consequences
     • Greater effort to give false answers that enable action user wants
     • Design space for polymorphism is vast
     • We consider only two examples of polymorphism in experiments

  9. Example: display options in random order

  10. Another example: delay confirmation
     • A similar technique already used in dialog to install Firefox extensions
     • But general design principle (polymorphic dialogs) does not seem to have been enunciated or evaluated before

  11. Audited dialogs
     • Keep audit log to make users accountable for their answers
     • Operant conditioning:
     • dialog → false answer → action user wants, but also penalty
     • Three application modifications:
     • Notify users that answers may be audited

  12. Confirmation
     • Notify user that user’s answers and context (e.g., message and attachments) will be forwarded to auditors if user confirms operation

  13. Suspension
     • Auditors can suspend user if they find user’s answers unjustifiable.

  14. Deployment considerations
     • Intended for enterprise (not home) users
     • Probably easiest and least intrusive for auditors to send users training messages containing attachments that auditors a priori consider unjustified risks
     • Penalties for accepting unjustified risks:
     • analogy: penalties for traffic violations
     • may involve suspension, fines, required training, ...
     • could increase with each subsequent violation

  15. Evaluation
     • Compare 3 versions of Thunderbird
     • NW (no warning – current default)
     • CSG-PD (context sensitive guidance with polymorphic dialogs)
     • CSG-PAD (context sensitive guidance with polymorphic and audited dialogs)
     • User experiments in laboratory – two user groups

  16. Sidebar for context-sensitive guidance

  17. Scenarios
     • Each user role-played employees in two scenarios (random order)
     • First scenario used NW, second scenario used CSG-PD or CSG-PAD
     • Each scenario comprises 10 messages with attachments
     • 2 with justifiable risk
     • 8 with unjustifiable risk

  18. Comparison between NW and CSG-PD
     • Significant reduction in unjustified risks accepted, large effect
     • effect is due to CSG and polymorphism
     • in pilots, CSG alone seemed to have insignificant effect
     • Insignificant effect in justified risks accepted
     • Significant reduction in task completion time, medium effect
     • effect due to reduction in unjustified risks accepted (typically not task-relevant)

  19. Comparison between NW and CSG-PAD
     • Significant reduction in unjustified risks accepted, large effect
     • effect is due to CSG, polymorphism, and auditing
     • Insignificant effect in justified risks accepted
     • Insignificant effect in task completion time

  20. Comparison between CSG-PD and CSG-PAD
     • Significant reduction in unjustified risks accepted, large effect
     • effect is due to auditing only
     • Insignificant effect in justified risks accepted
     • Insignificant effect in task completion time

  21. Effects of habituation [chart; values shown: -36%, -58%]

  22. User perceptions (1=worst, 5=best)
     • Several users did not understand auditors’ messages, thus found penalties arbitrary
     • e.g., couldn’t understand how email from coworker might contain virus
     • auditor messages should better explain concepts and rules behind penalty decisions

  23. Related work
     • Xia and Brustoloni:
     • Guidance without override (GWO): application makes and enforces decision, based on inputs users find easier to provide legitimately (e.g. certificate verification)
     • Guidance with override (G+O): application merely suggests decision, based on inputs users can easily forge (e.g. whether to send password in plaintext)
     • We found it much harder to obtain significant benefits from the latter
     • possibly due to greater complexity of attachment security policy

  24. Other related work
     • Wu et al.: Web Wallet – G+O, effective against phishing, specialized
     • Whitten and Tygar: safe staging vs. just-in-time instruction (JITI, e.g., GWO, G+O)
     • Kumaraguru et al.: embedded training against phishing
     • graphics and especially comics more effective than text
     • similar approach could be used to improve auditors’ messages

  25. Conclusions
     • Designing effective security dialogs that elicit context information from users can be a formidable challenge
     • Many users do not hesitate to give false answers in order to get the actions they want
     • We contributed two techniques for significantly improving truthfulness of user answers
     • Polymorphic dialogs avoid triggering automatic answers by continuously changing the form of the dialog
     • Audited dialogs hold users accountable for their answers by forwarding them to auditors
     • User studies show both techniques give statistically significant, large benefits
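
The two techniques from slides 8–14 can be sketched together. This is an added example, not the authors' Thunderbird code: it shuffles the answer options, ignores confirmation until a delay has passed, logs each confirmed answer for auditors, and measures how often a habituated "always click the first row" user still gets the attachment opened. The option ids and labels, the 3000 ms delay, the doubling suspension and all function names are assumptions made for illustration.

```javascript
// Added example; ids, labels, 3000 ms delay and doubling penalty are assumptions.
const OPTIONS = [ // constructed sample answers for an attachment prompt
  { id: "expected", label: "I was expecting this file from this sender", allows: true },
  { id: "unknown", label: "I do not know the sender", allows: false },
  { id: "odd", label: "The message looks unusual for this sender", allows: false },
  { id: "unsure", label: "I am not sure", allows: false },
];
// Seedable PRNG (mulberry32) so that runs are reproducible.
function prng(seed) {
  return () => {
    seed = (seed + 0x6d2b79f5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), seed | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
// Polymorphism: shuffle the options (Fisher-Yates) and delay confirmation.
function renderDialog(rand, shownAt, delayMs = 3000) {
  const order = OPTIONS.slice();
  for (let i = order.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [order[i], order[j]] = [order[j], order[i]];
  }
  return { order, enabledAt: shownAt + delayMs };
}

// Resolve the click by option id, not position, and log each confirmed answer.
function confirmAnswer(dialog, position, now, user, context, auditLog) {
  if (now < dialog.enabledAt) return { opened: false, reason: "too-early" };
  const choice = dialog.order[position];
  auditLog.push({ user, answer: choice.id, context, at: now });
  return { opened: choice.allows, reason: choice.id };
}

// Auditor side: suspension doubles with each unjustified "expected" answer.
function suspensionDays(auditLog, user, isJustified) {
  const n = auditLog.filter(
    (e) => e.user === user && e.answer === "expected" && !isJustified(e)).length;
  return n === 0 ? 0 : 2 ** (n - 1);
}

// Habituated user who always clicks the first row: fraction of dialogs that open.
function habitualOpenRate(trials, seed) {
  const rand = prng(seed);
  let opened = 0;
  for (let t = 0; t < trials; t++)
    if (confirmAnswer(renderDialog(rand, 0), 0, 5000, "u", "msg", []).opened) opened++;
  return opened / trials;
}
```

With a fixed dialog whose first row is the permissive answer, the same habitual click would open every attachment; with four shuffled options it succeeds about one time in four.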
