Improving Security Decisions with Polymorphic and Audited Dialogs

Learn more at: http://cups.cs.cmu.edu

1
Improving Security Decisions with Polymorphic and
Audited Dialogs
  • José Carlos Brustoloni and Ricardo
    Villamarín-Salomón
  • Dept. Computer Science
  • University of Pittsburgh
  • jcb,rvillsal_at_cs.pitt.edu

2
The problem
  • Context-dependent security decisions where
    application needs user input to characterize
    context
  • Problem: user will give false inputs if necessary
    to get application to perform action user wants

3
Example
  • Should an email agent allow the user to open an
    email attachment?
  • Decision depends on context
  • Does user know sender?
  • Would alleged sender have used that particular
    account?
  • Do message subject and body make sense?
  • Was user expecting attachment from sender?
  • ...
  • Email agent would need to ask user

4
What do applications actually do?
  • Warn and continue (W&C), e.g., IE, Firefox
  • Hope that user will competently and independently
    judge situation
  • Usually futile: most users blindly hit continue
  • No warning (NW), e.g., Thunderbird
  • Trade off security for usability
  • No dialog (ND), e.g., recent versions of MS
    Outlook
  • Application hides unsafe attachments; user
    cannot open or save them
  • Can puzzle and upset users
  • Trade off usability for security

5
Can't a dialog guide user's decision?
  • Context Sensitive Guidance (CSG)
  • ask about user context → user gives true answers
    → perform secure action
  • In theory, it should work
  • In practice, much harder than you'd expect
  • User will answer anything that seems necessary to
    get action user wants
  • User will learn the successful sequence of
    answers and repeat it automatically in the
    future, regardless of context
  • They are not disturbed by the fact they're being
    observed
  • Will gleefully volunteer that they do that all
    the time in real life

6
Contributions
  • Two techniques for improving truthfulness of user
    inputs in security dialogs
  • Polymorphic dialogs
  • Audited dialogs

7
Theory
  • Context-sensitive guidance not necessarily
    rewarding
  • user context → true answers → secure action (may
    not be what user wants)
  • Many security dialog prompts are fixed and
    user answers are nearly always the same
  • Operant conditioning theory predicts what
    actually happens
  • fixed dialog → automatic answers → action user
    wants
  • Our interventions seek to improve users' behavior
    (answers) by manipulating
  • in polymorphic dialogs, the behavior's
    antecedents (dialog prompts)
  • in audited dialogs, the behavior's consequences
    (penalties for unjustified answers)

8
Polymorphic dialogs
  • Deliberately vary dialog form to avoid triggering
    automatic answers
  • Thoughtless answers have unpredictable
    consequences
  • Greater effort to give false answers that enable
    action user wants
  • Design space for polymorphism is vast
  • We consider only two examples of polymorphism in
    experiments

9
Example: display options in random order

10
Another example: delay confirmation
  • A similar technique already used in dialog to
    install Firefox extensions
  • But general design principle (polymorphic
    dialogs) does not seem to have been enunciated or
    evaluated before

11
Audited dialogs
  • Keep audit log to make users accountable for
    their answers
  • Operant conditioning
  • dialog → false answer → action user wants, but
    also penalty
  • Three application modifications
  • Notify users that answers may be audited

12
Confirmation
  • Notify user that user's answers and context
    (e.g., message and attachments) will be forwarded
    to auditors if user confirms operation

13
Suspension
  • Auditors can suspend user if they find user's
    answers unjustifiable.
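
Added example (not from the presentation or the authors' Thunderbird changes): the two polymorphism examples on slides 9 and 10 and the audit steps on slides 11 to 13, modelled in JavaScript. The option texts, all function names and the 3-second delay are assumptions made for illustration.

```javascript
// Added example: a constructed model of a polymorphic, audited dialog.
// OPTIONS, presentDialog, confirmOpen, reviewRecord are hypothetical names.
const OPTIONS = [ // constructed sample answers about the attachment
  { id: "expected", text: "I was expecting this file from the sender", allows: true },
  { id: "unknown-sender", text: "I do not know the sender", allows: false },
  { id: "unexpected", text: "I was not expecting this file", allows: false },
];

// Fisher-Yates shuffle; rng is injectable so a test can fix the order.
function shuffle(items, rng) {
  const a = items.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Polymorphism: every presentation gets a fresh option order and a delay
// before a confirmation is accepted.
function presentDialog(now, rng = Math.random, delayMs = 3000) {
  return { order: shuffle(OPTIONS, rng).map((o) => o.id), enabledAt: now + delayMs };
}

const auditLog = [];         // stands in for forwarding to auditors
const suspended = new Set(); // users suspended by auditors

// The answer is resolved from the position clicked in *this* presentation,
// so a memorised click position no longer selects a fixed answer. The delay
// is enforced here, not only by greying out a button.
function confirmOpen(dialog, user, position, context, now) {
  if (suspended.has(user)) return { ok: false, reason: "suspended" };
  if (now < dialog.enabledAt) return { ok: false, reason: "too-early" };
  const answer = OPTIONS.find((o) => o.id === dialog.order[position]);
  if (!answer) return { ok: false, reason: "bad-position" };
  // Only confirmed operations are forwarded, with answer and context.
  if (answer.allows) auditLog.push({ user, answer: answer.id, context, at: now });
  return { ok: answer.allows, reason: answer.allows ? "opened" : "blocked" };
}

// Auditor decision on a logged record: an unjustifiable answer suspends the user.
function reviewRecord(record, justified) {
  if (!justified) suspended.add(record.user);
  return suspended.has(record.user);
}
```

Clicking the same position in two presentations selects different answers, which is what makes a habitual click unreliable.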

14
Deployment considerations
  • Intended for enterprise (not home) users
  • Probably easiest and least intrusive for auditors
    to send users training messages containing
    attachments that auditors a priori consider
    unjustified risks
  • Penalties for accepting unjustified risks
  • analogy: penalties for traffic violations
  • may involve suspension, fines, required training,
    ...
  • could increase with each subsequent violation

15
Evaluation
  • Compare 3 versions of Thunderbird
  • NW (no warning; current default)
  • CSG-PD (context sensitive guidance with
    polymorphic dialogs)
  • CSG-PAD (context sensitive guidance with
    polymorphic and audited dialogs)
  • User experiments in laboratory: two user groups

16
Sidebar for context-sensitive guidance

17
Scenarios
  • Each user role-played employees in two scenarios
    (random order)
  • First scenario used NW, second scenario used
    CSG-PD or CSG-PAD
  • Each scenario comprises 10 messages with
    attachments
  • 2 with justifiable risk
  • 8 with unjustifiable risk

18
Comparison between NW and CSG-PD
  • Significant reduction in unjustified risks
    accepted, large effect
  • effect is due to CSG and polymorphism
  • in pilots, CSG alone seemed to have insignificant
    effect
  • Insignificant effect in justified risks accepted
  • Significant reduction in task completion time,
    medium effect
  • effect due to reduction in unjustified risks
    accepted (typically not task-relevant)

19
Comparison between NW and CSG-PAD
  • Significant reduction in unjustified risks
    accepted, large effect
  • effect is due to CSG, polymorphism, and auditing
  • Insignificant effect in justified risks accepted
  • Insignificant effect in task completion time

20
Comparison between CSG-PD and CSG-PAD
  • Significant reduction in unjustified risks
    accepted, large effect
  • effect is due to auditing only
  • Insignificant effect in justified risks accepted
  • Insignificant effect in task completion time

21
Effects of habituation
  • [Chart not reproduced; surviving values: -36, -58]

22
User perceptions
(1 = worst, 5 = best)
  • Several users did not understand auditors'
    messages, thus found penalties arbitrary
  • e.g., couldn't understand how email from coworker
    might contain virus
  • auditor messages should better explain concepts
    and rules behind penalty decisions

23
Related work
  • Xia and Brustoloni
  • Guidance without override (GWO): application
    makes and enforces decision, based on inputs
    users find easier to provide legitimately (e.g.
    certificate verification)
  • Guidance with override (GO): application merely
    suggests decision, based on inputs users can
    easily forge (e.g. whether to send password in
    plaintext)
  • We found it much harder to obtain significant
    benefits from the latter
  • possibly due to greater complexity of attachment
    security policy

24
Other related work
  • Wu et al.: Web Wallet; GO, effective against
    phishing, specialized
  • Whitten and Tygar: safe staging vs. just-in-time
    instruction (JITI, e.g., GWO, GO)
  • Kumaraguru et al.: embedded training against
    phishing
  • graphics and especially comics more effective
    than text
  • similar approach could be used to improve
    auditors' messages

25
Conclusions
  • Designing effective security dialogs that elicit
    context information from users can be a
    formidable challenge
  • Many users do not hesitate to give false answers
    in order to get the actions they want
  • We contributed two techniques for significantly
    improving truthfulness of user answers
  • Polymorphic dialogs avoid triggering automatic
    answers by continuously changing the form of the
    dialog
  • Audited dialogs hold users accountable for their
    answers by forwarding them to auditors
  • User studies show both techniques give
    statistically significant, large benefits