Using reinforcement to strengthen users' secure behaviors

Authors:
Ricardo Mark Villamarín-Salomón;José Carlos Brustoloni
Affiliations:
University of Pittsburgh, Pittsburgh, PA, USA;University of Pittsburgh, Pittsburgh, PA, USA
Venue:
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Year:
2010

Citing 7
Cited 3

Users are not the enemy

Communications of the ACM
Hardening Web browsers against man-in-the-middle and eavesdropping attacks

WWW '05 Proceedings of the 14th international conference on World Wide Web
Improving security decisions with polymorphic and audited dialogs

Proceedings of the 3rd symposium on Usable privacy and security
Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish

Proceedings of the 3rd symposium on Usable privacy and security
Getting users to pay attention to anti-phishing education: evaluation of retention and transfer

Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
You've been warned: an empirical study of the effectiveness of web browser phishing warnings

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Crying wolf: an empirical study of SSL warning effectiveness

SSYM'09 Proceedings of the 18th conference on USENIX security symposium

The security cost of cheap user interaction

Proceedings of the 2011 workshop on New security paradigms workshop
A usability test of whitelist and blacklist-based anti-phishing application

Proceeding of the 16th International Academic MindTrek Conference
CodeShield: towards personalized application whitelisting

Proceedings of the 28th Annual Computer Security Applications Conference

Quantified Score

Hi-index	0.01

Visualization

Abstract

Users have a strong tendency toward dismissing security dialogs unthinkingly. Prior research has shown that users' responses to security dialogs become significantly more thoughtful when dialogs are polymorphic, and that further improvements can be obtained when dialogs are also audited and auditors penalize users who give unreasonable responses. We contribute an Operant Conditioning model that fits these observations, and, inspired by the model, propose Security Reinforcing Applications (SRAs). SRAs seek to reward users' secure behavior, instead of penalizing insecure behavior. User studies show that SRAs improve users' secure behaviors and that behaviors strengthened in this way do not extinguish after a period of several weeks in which users do not interact with SRAs. Moreover, inspired by Social Learning theory, we propose Vicarious Security Reinforcement (VSR). A user study shows that VSR accelerates SRA benefits.