improving security decisions with polymorphic and audited dialogs

Post on 09-Jan-2016


Description: Improving Security Decisions with Polymorphic and Audited Dialogs. José Carlos Brustoloni and Ricardo Villamarín-Salomón, Dept. Computer Science, University of Pittsburgh, {jcb,rvillsal}@cs.pitt.edu. PowerPoint presentation (transcript follows).

Improving Security Decisions with Polymorphic and Audited Dialogs

José Carlos Brustoloni and Ricardo Villamarín-Salomón

Dept. Computer Science, University of Pittsburgh

{jcb,rvillsal}@cs.pitt.edu

J. Brustoloni and R. Villamarin, SOUPS 2007

The problem

♦ Context-dependent security decisions where application needs user input to characterize context

♦ Problem: user will give false inputs if necessary to get application to perform action user wants


Example

♦ Should an email agent allow the user to open an email attachment?

♦ Decision depends on context:
  ♦ Does user know sender?
  ♦ Would alleged sender have used that particular account?
  ♦ Do message subject and body make sense?
  ♦ Was user expecting attachment from sender?
  ♦ ...

♦ Email agent would need to ask user


What do applications actually do?

♦ Warn and continue (W&C) – e.g., IE, Firefox
  Hope that user will competently and independently judge situation
  Usually futile – most users blindly hit continue

♦ No warning (NW) – e.g., Thunderbird
  Trade off security for usability

♦ No dialog (ND) – e.g., recent versions of MS Outlook
  Application hides unsafe attachments – user cannot open or save them
  Can puzzle and upset users
  Trade off usability for security


Can’t a dialog guide user’s decision?

♦ Context Sensitive Guidance (CSG): ask about user context → user gives true answers → perform secure action

♦ In theory, it should work

♦ In practice, much harder than you’d expect
  User will answer anything that seems necessary to get action user wants
  User will learn the “successful” sequence of answers and repeat it automatically in the future, regardless of context
  They are not disturbed by the fact they’re being observed
  Will gleefully volunteer that they do that all the time in real life


Contributions

♦ Two techniques for improving truthfulness of user inputs in security dialogs:
  Polymorphic dialogs
  Audited dialogs


Theory

♦ Context-sensitive guidance not necessarily rewarding: user context → true answers → secure action (may not be what user wants)

♦ Many security dialog prompts are fixed and user answers are nearly always the same

♦ Operant conditioning theory predicts what actually happens: fixed dialog → automatic answers → action user wants

♦ Our interventions seek to improve users’ behavior (answers) by manipulating:
  in polymorphic dialogs, the behavior’s antecedents (dialog prompts)
  in audited dialogs, the behavior’s consequences (penalties for unjustified answers)


Polymorphic dialogs

♦ Deliberately vary dialog form to avoid triggering automatic answers

♦ Thoughtless answers have unpredictable consequences

♦ Greater effort to give false answers that enable action user wants

♦ Design space for polymorphism is vast

♦ We consider only two examples of polymorphism in experiments


Example: display options in random order


Another example: delay confirmation

♦ A similar technique already used in dialog to install Firefox extensions

♦ But general design principle (polymorphic dialogs) does not seem to have been enunciated or evaluated before
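The two forms of polymorphism on these slides (options in random order, delayed confirmation) can be modelled in a few lines. The following is an added example, not the authors' Thunderbird prototype; the question wording, the answers treated as "secure", the three-second delay and the position-clicking user model are assumptions made for the illustration. It shows the effect the slides claim: a user who clicks the same button positions every time gets an unpredictable outcome once the option order varies, so an automatic answer sequence no longer reliably yields the action the user wants.

```python
"""Polymorphic context-sensitive dialog for an attachment-open decision.

Added illustration of the slides' idea; not the authors' code.  Two kinds of
polymorphism are modelled: option order is shuffled on every presentation,
and the confirmation is only accepted once a delay has elapsed.
"""
import random
import time
from dataclasses import dataclass

# Assumed context questions: (prompt, options, options under which opening
# the attachment is treated as secure).  Wording is an assumption.
QUESTIONS = [
    ("Do you know the sender?", ("Yes", "No"), {"Yes"}),
    ("Would the sender have used this account?", ("Yes", "No", "Unsure"), {"Yes"}),
    ("Were you expecting this attachment?", ("Yes", "No"), {"Yes"}),
]


@dataclass
class Presentation:
    """One rendering of the dialog: shuffled options per question and the
    time at which the confirm button unlocks."""
    options: list          # one shuffled tuple of option labels per question
    confirm_after: float   # clock value at which confirmation is accepted


def render(rng, now, delay_s=3.0):
    """Polymorphism 1 and 2: shuffle each question's options, arm the delay."""
    opts = [tuple(rng.sample(options, len(options))) for _, options, _ in QUESTIONS]
    return Presentation(opts, now + delay_s)


def decide(pres, picked_positions):
    """Map the button positions the user clicked back to option labels and
    return (answers, verdict); 'allow' only if every answer is secure."""
    answers = [pres.options[i][pos] for i, pos in enumerate(picked_positions)]
    secure = all(a in QUESTIONS[i][2] for i, a in enumerate(answers))
    return answers, ("allow" if secure else "block")


def confirm(pres, now):
    """Confirmation clicked before the delay has elapsed is ignored."""
    return now >= pres.confirm_after


def automatic_answer_outcomes(seed, trials, positions=(0, 0, 0)):
    """User model from the slides: the same button positions every time,
    regardless of context.  Returns how often that yields allow vs. block."""
    rng = random.Random(seed)
    counts = {"allow": 0, "block": 0}
    for _ in range(trials):
        pres = render(rng, now=0.0)
        _, verdict = decide(pres, positions)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    pres = render(random.Random(), time.monotonic())
    for (prompt, _, _), opts in zip(QUESTIONS, pres.options):
        print(prompt, opts)
    print("confirm accepted now?", confirm(pres, time.monotonic()))
    print("outcomes of a fixed click sequence over 200 dialogs:",
          automatic_answer_outcomes(seed=1, trials=200))
```

With fixed options the "always click the first button" habit would give the same verdict every time; with shuffled options the same habit produces a mix of allow and block verdicts, which is what removes the reward that trains the habit in the first place.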


Audited dialogs

♦ Keep audit log to make users accountable for their answers

♦ Operant conditioning: dialog → false answer → action user wants, but also penalty

♦ Three application modifications:

1. Notify users that answers may be audited


Confirmation

2. Notify user that user’s answers and context (e.g., message and attachments) will be forwarded to auditors if user confirms operation


Suspension

3. Auditors can suspend user if they find user’s answers unjustifiable.


Deployment considerations

♦ Intended for enterprise (not home) users

♦ Probably easiest and least intrusive for auditors to send users training messages containing attachments that auditors a priori consider unjustified risks

♦ Penalties for accepting unjustified risks:
  analogy: penalties for traffic violations may involve suspension, fines, required training, ...
  could increase with each subsequent violation
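The audited-dialog slides describe three application-side pieces: a notice that answers may be audited, forwarding of the answers together with the message context when the user confirms, and an escalating penalty decided by an auditor. The following is an added example, not the authors' code; the log record fields, the tamper-evident hash chain and the training/fine/suspension ladder are assumptions chosen to illustrate the mechanism, with the ladder taken from the traffic-violation analogy above.

```python
"""Audit log and escalating penalties for an audited dialog.

Added illustration of the slides' mechanism; not the authors' code.  On
confirmation the user's answers and the message context are appended to a
hash-chained log the auditors review; an unjustified acceptance draws a
penalty that escalates with each subsequent violation by the same user.
"""
import hashlib
import json

# Notice shown in the dialog (modification 1 on the slides; wording assumed).
AUDIT_NOTICE = ("Your answers and this message, including attachments, may be "
                "forwarded to auditors if you open the attachment.")

# Assumed penalty ladder, escalating with each subsequent violation.
PENALTIES = ["required training", "fine", "suspension"]
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash so
    that editing or dropping an earlier record breaks verification."""

    def __init__(self):
        self.entries = []

    def record(self, user, answers, context):
        """Modification 2: store answers plus context when the user confirms.
        Returns the new entry's hash, usable as a reference in the notice."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"user": user, "answers": answers, "context": context,
                "prev_hash": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every hash and check the chain links."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Auditor:
    """Modification 3: reviews entries; an unjustified answer earns a penalty
    that escalates per user and tops out at suspension."""

    def __init__(self):
        self.violations = {}

    def review(self, entry, justified):
        if justified:
            return None
        n = self.violations.get(entry["user"], 0) + 1
        self.violations[entry["user"]] = n
        return PENALTIES[min(n, len(PENALTIES)) - 1]


if __name__ == "__main__":
    # Constructed sample message and attachment, not real data.
    attachment = b"MZ\x90\x00 constructed sample bytes"
    context = {"sender": "coworker@example.com", "subject": "Q3 report",
               "attachment": "report.xls.exe",
               "attachment_sha256": hashlib.sha256(attachment).hexdigest()}
    log = AuditLog()
    print(AUDIT_NOTICE)
    ref = log.record("bob", {"know_sender": "Yes", "expected": "Yes"}, context)
    print("logged entry", ref[:12], "chain ok:", log.verify())
    print("penalty:", Auditor().review(log.entries[0], justified=False))
```

The hash chain is what lets the auditors trust the answers they are penalising: a user who could quietly edit their own earlier answers would escape the consequence the technique relies on, so the log has to be tamper-evident as well as complete.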


Evaluation

♦ Compare 3 versions of Thunderbird
  NW (no warning – current default)
  CSG-PD (context sensitive guidance with polymorphic dialogs)
  CSG-PAD (context sensitive guidance with polymorphic and audited dialogs)

♦ User experiments in laboratory – two user groups

                                          CSG-PD    CSG-PAD
# Participants                            13        7
# Female                                  10        6
Familiarity with email agents (SR)        4.1 / 5   3.9 / 5
Ease of user study tasks (SR)             4.5 / 5   4.3 / 5
# Unjustified risks accepted w/ NW        79%       66%


Sidebar for context-sensitive guidance


Scenarios

♦ Each user role-played employees in two scenarios (random order)

♦ First scenario used NW, second scenario used CSG-PD or CSG-PAD

♦ Each scenario comprises 10 messages with attachments
  2 with justifiable risk
  8 with unjustifiable risk


Comparison between NW and CSG-PD

♦ Significant reduction in unjustified risks accepted, large effect
  effect is due to CSG and polymorphism
  in pilots, CSG alone seemed to have insignificant effect

♦ Insignificant effect in justified risks accepted

♦ Significant reduction in task completion time, medium effect
  effect due to reduction in unjustified risks accepted (typically not task-relevant)


Comparison between NW and CSG-PAD

♦ Significant reduction in unjustified risks accepted, large effect
  effect is due to CSG, polymorphism, and auditing

♦ Insignificant effect in justified risks accepted

♦ Insignificant effect in task completion time


Comparison between CSG-PD and CSG-PAD

♦ Significant reduction in unjustified risks accepted, large effect
  effect is due to auditing only

♦ Insignificant effect in justified risks accepted

♦ Insignificant effect in task completion time


Effects of habituation

[Chart: net acceptance frequency (y-axis, -100% to 40%) against unjustified risk number 1–8 (x-axis), for CSG-PD and CSG-PAD; annotated values -36% and -58%]


User perceptions

♦ Several users did not understand auditors’ messages, thus found penalties arbitrary
  e.g., couldn’t understand how email from coworker might contain virus
  auditor messages should better explain concepts and rules behind penalty decisions

                                                          CSG-PD   CSG-PAD
Dialogs are easy to understand                            3.9      3.7
Questions are helpful                                     2.4      2.1
Interface provides good guidance                          3.6      2.6
Participant followed guidance                             2.5      2.4
Would feel comfortable receiving such guidance in future  3.7      3.0
Would recommend to friend                                 3.1      1.9

(1=worst, 5=best)


Related work

♦ Xia and Brustoloni:
  Guidance without override (GWO): application makes and enforces decision, based on inputs users find easier to provide legitimately (e.g. certificate verification)
  Guidance with override (G+O): application merely suggests decision, based on inputs users can easily forge (e.g. whether to send password in plaintext)
  We found it much harder to obtain significant benefits from the latter, possibly due to greater complexity of attachment security policy


Other related work

♦ Wu et al.: Web Wallet – G+O, effective against phishing, specialized

♦ Whitten and Tygar: safe staging vs. just-in-time instruction (JITI, e.g., GWO, G+O)

♦ Kumaraguru et al.: embedded training against phishing
  graphics and especially comics more effective than text
  similar approach could be used to improve auditors’ messages


Conclusions

♦ Designing effective security dialogs that elicit context information from users can be a formidable challenge

♦ Many users do not hesitate to give false answers in order to get the actions they want

♦ We contributed two techniques for significantly improving truthfulness of user answers

♦ Polymorphic dialogs avoid triggering automatic answers by continuously changing the form of the dialog

♦ Audited dialogs hold users accountable for their answers by forwarding them to auditors

♦ User studies show both techniques give statistically significant, large benefits
