<?xml version="1.0" encoding="iso-8859-1" ?>
<rss version="2.0">
<channel>
<title>Lorrie F Cranor</title>
<copyright>Copyright (c) 2009  All rights reserved.</copyright>
<link>http://works.bepress.com/lorrie_cranor</link>
<description>Recent documents in Lorrie F Cranor</description>
<language>en-us</language>
<lastBuildDate>Tue, 14 Jul 2009 20:37:59 PDT</lastBuildDate>
<ttl>3600</ttl>





<item>
<title>A User Study of Policy Creation in a Flexible Access-Control System</title>
<link>http://works.bepress.com/lorrie_cranor/13</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/13</guid>
<pubDate>Thu, 25 Jun 2009 09:08:24 PDT</pubDate>
<description>Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little has been done to evaluate these systems in practical situations with real users, and few attempts have been made to discover and analyze the access-control policies that users actually want to implement. We report on a user study in which we derive the ideal access policies desired by a group of users for physical security in an office environment. We compare these ideal policies to the policies the users actually implemented with keys and with a smartphone-based distributed access-control system. We develop a methodology that allows us to show quantitatively that the smartphone system allowed our users to implement their ideal policies more accurately and securely than they could with keys, and we describe where each system fell short.</description>

<author>Lorrie F. Cranor</author>


</item>


<item>
<title>You&apos;ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings</title>
<link>http://works.bepress.com/lorrie_cranor/12</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/12</guid>
<pubDate>Thu, 25 Jun 2009 09:08:23 PDT</pubDate>
<description>Many popular web browsers now include active phishing warnings since research has shown that passive warnings are often ignored. In this laboratory study we examine the effectiveness of these warnings and examine if, how, and why they fail users. We simulated a spear phishing attack to expose users to browser warnings. We found that 97% of our sixty participants fell for at least one of the phishing messages that we sent them. However, we also found that when presented with the active warnings, 79% of participants heeded them, which was not the case for the passive warning that we tested--where only one participant heeded the warnings. Using a model from the warning sciences we analyzed how users perceive warning messages and offer suggestions for creating more effective phishing warnings.</description>

<author>Jason Hong</author>


</item>


<item>
<title>Phinding Phish: Evaluating Anti-Phishing Tools</title>
<link>http://works.bepress.com/lorrie_cranor/11</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/11</guid>
<pubDate>Thu, 25 Jun 2009 09:08:23 PDT</pubDate>
<description>There are currently dozens of freely available tools to combat phishing and other web-based scams, many of which are web browser extensions that warn users when they are browsing a suspected phishing site. We developed an automated test bed for testing anti-phishing tools. We used 200 verified phishing URLs from two sources and 516 legitimate URLs to test the effectiveness of 10 popular anti-phishing tools. Only one tool was able to consistently identify more than 90% of phishing URLs correctly; however, it also incorrectly identified 42% of legitimate URLs as phish. The performance of the other tools varied considerably depending on the source of the phishing URLs. Of these remaining tools, only one correctly identified over 60% of phishing URLs from both sources. Performance also changed significantly depending on the freshness of the phishing URLs tested. Thus we demonstrate that the source of phishing URLs and the freshness of the URLs tested can significantly impact the results of anti-phishing tool testing. We also demonstrate that many of the tools we tested were vulnerable to simple exploits. In this paper we describe our anti-phishing tool test bed, summarize our findings, and offer observations about the effectiveness of these tools as well as ways they might be improved.</description>

<author>Jason Hong</author>


</item>


<item>
<title>Expandable Grids for Visualizing and Authoring Computer Security Policies</title>
<link>http://works.bepress.com/lorrie_cranor/10</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/10</guid>
<pubDate>Thu, 25 Jun 2009 09:08:22 PDT</pubDate>
<description>We introduce the Expandable Grid, a novel interaction technique for creating, editing, and viewing many types of security policies. Security policies, such as file permissions policies, have traditionally been displayed and edited in user interfaces based on a list of rules, each of which can only be viewed or edited in isolation. These list-of-rules interfaces cause problems for users when multiple rules interact, because the interfaces have no means of conveying the interactions amongst rules to users. Instead, users are left to figure out these rule interactions themselves. An Expandable Grid is an interactive matrix visualization designed to address the problems that list-of-rules interfaces have in conveying policies to users. This paper describes the Expandable Grid concept, shows a system using an Expandable Grid for setting file permissions in the Microsoft Windows XP operating system, and gives results of a user study involving 36 participants in which the Expandable Grid approach vastly outperformed the native Windows XP file-permissions interface on a broad range of policy-authoring tasks.</description>

<author>Lorrie F. Cranor</author>


</item>
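The rule-interaction problem the abstract above describes, as an added illustration (this is not code from the paper, and it does not reproduce the Windows XP ACL algorithm): a list of allow and deny rules over users and groups is collapsed into the effective principal-by-permission matrix that an Expandable Grid displays, and the cells where an allow and a deny both apply are reported separately. The deny-overrides evaluation model, the group memberships and the rules are assumptions constructed for the example.

```python
"""Effective-permission grid from a list of allow/deny rules.

Added illustration, not code from the paper or from Windows: a
simplified model in which a rule grants or denies a set of permissions
to a principal, principals may be groups, and any matching deny wins
over any matching allow (deny-overrides, an assumption).  The grid
exposes interactions that a rule-by-rule list hides, e.g. a user whose
group is allowed Write by one rule and denied it by another.
Group memberships and rules are constructed sample data.
"""
from dataclasses import dataclass

PERMISSIONS = ("Read", "Write", "Execute", "Delete")


@dataclass(frozen=True)
class Rule:
    principal: str        # user or group name
    effect: str           # "allow" or "deny"
    permissions: frozenset


# Constructed sample data (assumption, not the paper's study data).
GROUPS = {
    "alice": {"Users", "Developers"},
    "bob": {"Users"},
    "carol": {"Admins"},
}

RULES = [
    Rule("Users", "allow", frozenset({"Read", "Execute"})),
    Rule("Developers", "allow", frozenset({"Write"})),
    Rule("Admins", "allow", frozenset(PERMISSIONS)),
    # Interacts with the Developers allow above: alice is in both
    # groups, and nothing in the list itself shows that she loses Write.
    Rule("Users", "deny", frozenset({"Write"})),
    Rule("bob", "deny", frozenset({"Execute"})),
]


def principals_for(user):
    """All identities a rule may match for this user: the user and its groups."""
    return {user}.union(GROUPS.get(user, set()))


def _collect(user, rules):
    """Split the permissions mentioned by rules matching this user into
    (allowed, denied) sets, before any precedence is applied."""
    ids = principals_for(user)
    allowed = set()
    denied = set()
    for rule in rules:
        if rule.principal not in ids:
            continue
        if rule.effect == "allow":
            allowed.update(rule.permissions)
        elif rule.effect == "deny":
            denied.update(rule.permissions)
        else:
            raise ValueError("unknown effect: " + rule.effect)
    return allowed, denied


def effective(user, rules):
    """Permissions the user ends up with under deny-overrides:
    held only if some matching rule allows it and none denies it."""
    allowed, denied = _collect(user, rules)
    return allowed.difference(denied)


def interactions(user, rules):
    """Permissions where an allow and a deny both apply to this user:
    exactly the cells a list-of-rules interface leaves the user to
    work out by hand."""
    allowed, denied = _collect(user, rules)
    return allowed.intersection(denied)


def grid(users, rules, permissions=PERMISSIONS):
    """Principal x permission matrix of booleans, the grid view."""
    return {u: {p: (p in effective(u, rules)) for p in permissions} for u in users}


def render(users, rules, permissions=PERMISSIONS):
    """Plain-text grid: '+' = effective allow, '-' = no access."""
    g = grid(users, rules, permissions)
    width = max(len(u) for u in users)
    lines = [" " * width + "  " + "  ".join(p[:5].ljust(5) for p in permissions)]
    for u in users:
        cells = "  ".join(("+" if g[u][p] else "-").ljust(5) for p in permissions)
        lines.append(u.ljust(width) + "  " + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    users = sorted(GROUPS)
    print(render(users, RULES))
    for u in users:
        print(u, "conflicts:", sorted(interactions(u, RULES)))
```

Reading the five rules in order, nothing flags that alice has no Write access; the grid shows it directly, and interactions() lists the cell so the policy author can see which rules collided.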


<item>
<title>User-Controllable Security and Privacy for Pervasive Computing</title>
<link>http://works.bepress.com/lorrie_cranor/9</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/9</guid>
<pubDate>Thu, 25 Jun 2009 09:08:21 PDT</pubDate>
<description>We describe our current work in developing novel mechanisms for managing security and privacy in pervasive computing environments. More specifically, we have developed and evaluated three different applications, including a contextual instant messenger, a people finder application, and a phone-based application for access control. We also draw out some themes we have learned thus far for user-controllable security and privacy.</description>

<author>Bruce McLaren</author>


</item>


<item>
<title>You&apos;ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings</title>
<link>http://works.bepress.com/lorrie_cranor/8</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/8</guid>
<pubDate>Thu, 25 Jun 2009 09:08:20 PDT</pubDate>
<description>Many popular web browsers now include active phishing warnings since research has shown that passive warnings are often ignored. In this laboratory study we examine the effectiveness of these warnings and examine if, how, and why they fail users. We simulated a spear phishing attack to expose users to browser warnings. We found that 97% of our sixty participants fell for at least one of the phishing messages that we sent them. However, we also found that when presented with the active warnings, 79% of participants heeded them, which was not the case for the passive warning that we tested--where only one participant heeded the warnings. Using a model from the warning sciences we analyzed how users perceive warning messages and offer suggestions for creating more effective phishing warnings.</description>

<author>Lorrie F. Cranor</author>


</item>


<item>
<title>Privacy Patterns for Online Interactions</title>
<link>http://works.bepress.com/lorrie_cranor/7</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/7</guid>
<pubDate>Thu, 25 Jun 2009 09:08:19 PDT</pubDate>
<description>A proper security architecture is an essential part of implementing robust and reliable networked applications. Security patterns have shown how reoccurring problems can be best solved with proven solutions. However, while they are critical for ensuring the confidentiality, integrity and availability of computing systems, security patterns do not specifically (or necessarily) address the privacy of individuals. Building on existing privacy pattern work, we identify three privacy patterns for web-based activity: INFORMED CONSENT FOR WEB-BASED TRANSACTIONS, MASKED ONLINE TRAFFIC, and MINIMAL INFORMATION ASYMMETRY. The first pattern addresses a system architecture issue and draws on Friedman's model for informed consent. The second and third patterns provide support for end users and extend Jiang's 'Principle of Minimum Asymmetry.' These patterns describe how users can protect their privacy by both revealing less about themselves, and acquiring more information from the party with whom they are communicating.</description>

<author>Jason Hong</author>


</item>


<item>
<title>Understanding and Capturing People&apos;s Privacy Policies in a Mobile Social Networking Application</title>
<link>http://works.bepress.com/lorrie_cranor/6</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/6</guid>
<pubDate>Thu, 25 Jun 2009 09:08:18 PDT</pubDate>
<description>A number of mobile applications have emerged that allow users to locate one another. However, people have expressed concerns about the privacy implications associated with this class of software, suggesting that broad adoption may only happen to the extent that these concerns are adequately addressed. In this article, we report on our work on PEOPLEFINDER, an application that enables cell phone and laptop users to selectively share their locations with others (e.g. friends, family, and colleagues). The objective of our work has been to better understand people's attitudes and behaviors towards privacy as they interact with such an application, and to explore technologies that empower users to more effectively and efficiently specify their privacy preferences (or "policies"). These technologies include user interfaces for specifying rules and auditing disclosures, as well as machine learning techniques to refine user policies based on their feedback. We present evaluations of these technologies in the context of one laboratory study and three field studies.</description>

<author>Jason Hong</author>


</item>


<item>
<title>Power Strips, Prophylactics, and Privacy, Oh My!</title>
<link>http://works.bepress.com/lorrie_cranor/5</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/5</guid>
<pubDate>Thu, 25 Jun 2009 09:08:17 PDT</pubDate>
<description>While Internet users claim to be concerned about online privacy, their behavior rarely reflects those concerns. In this paper we investigate whether the availability of comparison information about the privacy practices of online merchants affects users' behavior. We conducted our study using Privacy Finder, a "privacy-enhanced search engine" that displays search results annotated with the privacy policy information of each site. The privacy information is garnered from computer-readable privacy policies found at the respective sites. We asked users to purchase one non-privacy-sensitive item and then one privacy-sensitive item using Privacy Finder, and observed whether the privacy information provided by our search engine impacted users' purchasing decisions (participants' costs were reimbursed, in order to separate the effect of privacy policies from that of price). A control group was asked to make the same purchases using a search engine that produced the same results as Privacy Finder, but did not display privacy information. We found that while Privacy Finder had some influence on non-privacy-sensitive purchase decisions, it had a more significant impact on privacy-sensitive purchases. The results suggest that when privacy policy comparison information is readily available, individuals may be willing to seek out more privacy-friendly web sites and perhaps even pay a premium for privacy depending on the nature of the items to be purchased.</description>

<author>Lorrie Cranor</author>


</item>


<item>
<title>Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System</title>
<link>http://works.bepress.com/lorrie_cranor/4</link>
<guid isPermaLink="true">http://works.bepress.com/lorrie_cranor/4</guid>
<pubDate>Thu, 25 Jun 2009 09:08:16 PDT</pubDate>
<description>Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an embedded training email system that teaches people about phishing during their normal use of email. We conducted lab experiments contrasting the effectiveness of standard security notices about phishing with two embedded training designs we developed. We found that embedded training works better than the current practice of sending security notices. We also derived sound design principles for embedded training systems.</description>

<author>Jason Hong</author>


</item>



</channel>
</rss>

