Journal ArticleDOI

Warning users about cyber threats through sounds

01 Jul 2021-Vol. 3, Iss: 7, pp 1-21
TL;DR: “CyberWarner” is introduced, a sonification sandbox that can be installed on the Google Chrome browser to enable auditory representations of certain security threats and cues that are designed based on several URL heuristics; it is feasible to develop sonified cyber security threat indicators that users intuitively understand with minimal experience and training.
Abstract: This paper reports a formative evaluation of auditory representations of cyber security threat indicators and cues, referred to as sonifications, to warn users about cyber threats. Most Internet browsers provide visual cues and textual warnings to help users identify when they are at risk. Although these alarming mechanisms are very effective in informing users, there are certain situations and circumstances where these alarming techniques are unsuccessful in drawing the user’s attention: (1) security warnings and features (e.g., blocking out malicious Websites) might overwhelm a typical Internet user and thus the users may overlook or ignore visual and textual warnings and, as a result, they might be targeted, (2) these visual cues are inaccessible to certain users such as those with visual impairments. This work is motivated by our previous work of the use of sonification of security warnings to users who are visually impaired. To investigate the usefulness of sonification in general security settings, this work uses real Websites instead of simulated Web applications with sighted participants. The study targets sonification for three different types of security threats: (1) phishing, (2) malware downloading, and (3) form filling. The results show that on average 58% of the participants were able to correctly remember what the sonification conveyed. Additionally, about 73% of the participants were able to correctly identify the threat that the sonification represented while performing tasks using real Websites. Furthermore, the paper introduces “CyberWarner”, a sonification sandbox that can be installed on the Google Chrome browser to enable auditory representations of certain security threats and cues that are designed based on several URL heuristics.


Citations
Journal ArticleDOI
TL;DR: The development of several machine and deep learning models that predict the perceived and induced emotions associated with certain sounds is described, the accuracy of those predictions is analyzed, and the results revealed that models built for predicting perceived emotions are more accurate than ones built for predicting induced emotions.
Abstract: Sonification is the utilization of sounds to convey information about data or events. There are two types of emotions associated with sounds: (1) “perceived” emotions, in which listeners recognize the emotions expressed by the sound, and (2) “induced” emotions, in which listeners feel emotions induced by the sound. Although listeners may widely agree on the perceived emotion for a given sound, they often do not agree about the induced emotion of a given sound, so it is difficult to model induced emotions. This paper describes the development of several machine and deep learning models that predict the perceived and induced emotions associated with certain sounds, and it analyzes and compares the accuracy of those predictions. The results revealed that models built for predicting perceived emotions are more accurate than ones built for predicting induced emotions. However, the gap in predictive power between such models can be narrowed substantially through the optimization of the machine and deep learning models. This research has several applications in automated configurations of hardware devices and their integration with software components in the context of the Internet of Things, for which security is of utmost importance.

4 citations

Proceedings Article
08 Jun 2019
TL;DR: This paper builds on the theory of self-regulation, which is essential for successful risk avoidance behavior, as well as the concept of ego-depletion resulting from a high amount of self-regulatory activities, and concludes that subjective information overload is the most critical cause of security fatigue and a lack of adequate security behavior.
Abstract: Research on IS security behavior regularly identifies individuals’ personal characteristics as the reason why users refrain from adequate safeguarding techniques and ignore recommended security responses. This study aims to extend this body of literature, and sheds light on the concept of security fatigue: hereby, users receive numerous message cues reporting recent security risks and recommending certain response behaviors. However, instead of fostering awareness among individuals, users are too exhausted to follow these security recommendations. This setback may result in a lack of adequate response behavior and personal information systems being vulnerable to future threats. This paper builds on the theory of self-regulation, which is essential for successful risk avoidance behavior, as well as the concept of ego-depletion resulting from a high amount of self-regulatory activities. A measurement instrument for security fatigue is adopted, based on self-regulatory theory. Perceived information overload and locus of control are further tested to determine the level of security fatigue. In two consecutive online surveys, we pre-test the validity of the context adapted scales. Conducting a follow-up study to validate our conceptual research model, we conclude that subjective information overload is the most critical cause of security fatigue and a lack of adequate security behavior.

3 citations

Book ChapterDOI
TL;DR: In this paper, the authors investigate the mental models of cybersecurity novices and experts when faced with the need to protect their smart environment from security and privacy threats through the definition of security-oriented rules.
Abstract: As the Internet of Things (IoT) technology continues to grow, more and more people with no technical expertise are demanding the ability to get the most out of smart devices according to their level of knowledge. To meet user needs, task automation systems (TAS) are used to customize the behavior of IoT devices by defining trigger-action rules. However, while TASs allow different types of behavior to be defined, they do not address the aspects that can make smart devices vulnerable to security and privacy threats. To truly democratize cybersecurity in smart environments, TAS should enable end users (both experts and novices) to protect their devices from external threats. To design TASs that are effective for both types of users, it is necessary to investigate how they differ in the definition of rules in natural language. This research aims to contribute to this issue by investigating the mental models of cybersecurity novices and experts when faced with the need to protect their smart environment from security and privacy threats through the definition of security-oriented rules.

1 citation

Peer Review
TL;DR: In this paper, a comprehensive literature review of empirically published studies on IT security warning messages is performed, and a comprehensive theoretical model that entails both communication-human information processing (C-HIP) and protection motivation theory is proposed.
Abstract: Research on the effects of IT security warning messages has increased in the last several years. Most studies empirically examining such warning messages chiefly focus on warning content and/or aesthetics and their effects on attention and/or behavior. Many of these studies cite the Communication-Human Information Processing (C-HIP) model as a foundation, yet this model includes other important and under-researched constructs, including perceptions of the source of a message, comprehension of a message, attitudes and beliefs, and fear. In this study, we performed a comprehensive literature review of empirically published studies on IT security warning messages. We propose a comprehensive theoretical model that entails both C-HIP and Protection Motivation Theory. We then categorize our catalog of IT security warning message research papers according to which propositions in our model have been previously studied. We focus specifically in this paper on those under-researched areas that provide opportunities for future research.

Journal ArticleDOI
TL;DR: In this paper, the authors used non-expert participants to group cyber-attack consequences based on perceived similarity, and then they used those ratings to determine the perceived severity of each cluster.
Abstract: Cyber-attacks are a continuing problem. These attacks are problematic for users who are visually impaired and cannot rely on visual cues to indicate a potential cyber-attack. Sonification is an alternative way to help users who are visually impaired detect potential cyber-attacks. Sonification provides information to users using non-speech sounds. Sonification could provide users who are visually impaired with information on potential cyber-attack consequences that could stem from their actions. However, there are two challenges with sonifying cyber-attack consequences. First, there are many potential cyber-attack consequences to sonify, and humans have a limited ability to remember associations between sonifications and their meanings. Second, cyber-attack warning messages are better trusted when they align the severity of the consequences with the user’s perceived severity. However, we do not know the perceived severity of individual consequences. Therefore, we need to reduce the number of consequences to sonify and to determine the perceived severity of these consequences. We had non-expert participants group cyber-attack consequences based on perceived similarity. Analyses revealed that participants’ groupings formed seven clusters. We then had non-expert participants rate the perceived severity of each cyber-attack consequence. Those ratings were used to determine the perceived severity of each cluster. These efforts resulted in a set of cyber-attack consequence clusters that (a) is small enough that users should be able to remember associations between sonifications and their meanings, and (b) can be sonified in a way that reflects users’ perceptions regarding the severity of the clustered cyber-attack consequences. As such, the results of these studies are critical steps towards creating effective sonifications that serve as cyber-security warning messages.

References
Book
01 Dec 1997
TL;DR: 1. Introduction to Human Factors, 2. Design and Evaluation Methods, and 3. Human-Computer Interaction.
Abstract: 1. Introduction to Human Factors. 2. Research Methods. 3. Design and Evaluation Methods. 4. Visual Sensory System. 5. Auditory, Tactile, and Vestibular System. 6. Cognition. 7. Decision Making. 8. Displays. 9. Controls. 10. Engineering Anthropometry and Workspace Design. 11. Biomechanics at Work. 12. Work Physiology. 13. Stress and Workload. 14. Safety, Accidents, and Human Error. 15. Human-Computer Interaction. 16. Automation. 17. Transportation Human Factors. 18. Selection and Training. 19. Social Factors.

1,549 citations

Journal ArticleDOI
TL;DR: It is argued that technical theories must be considered in the context of the uses to which they are put and help the theorist to determine what is a good approximation, the degree of formalization that is justified, the appropriate commingling of qualitative and quantitative techniques, and encourages cumulative progress through the heuristic of divide and conquer.
Abstract: There is growing interest in the use of sound to convey information in computer interfaces. The strategies employed thus far have been based on an understanding of sound that leads to either an arbitrary or metaphorical relation between the sounds used and the data to be represented. In this article, an alternative approach to the use of sound in computer interfaces is outlined, one that emphasizes the role of sound in conveying information about the world to the listener. According to this approach, auditory icons, caricatures of naturally occurring sounds, could be used to provide information about sources of data. Auditory icons provide a natural way to represent dimensional data as well as conceptual objects in a computer system. They allow categorization of data into distinct families, using a single sound. Perhaps the most important advantage of this strategy is that it is based on the way people listen to the world in their everyday lives.

709 citations

Proceedings ArticleDOI
06 Apr 2008
TL;DR: Using a model from the warning sciences, how users perceive warning messages is analyzed and suggestions for creating more effective warning messages within the phishing context are offered.
Abstract: Many popular web browsers are now including active phishing warnings after previous research has shown that passive warnings are often ignored. In this laboratory study we examine the effectiveness of these warnings and examine if, how, and why they fail users. We simulated a spear phishing attack to expose users to browser warnings. We found that 97% of our sixty participants fell for at least one of the phishing messages that we sent them. However, we also found that when presented with the active warnings, 79% of participants heeded them, which was not the case for the passive warning that we tested---where only one participant heeded the warnings. Using a model from the warning sciences we analyzed how users perceive warning messages and offer suggestions for creating more effective warning messages within the phishing context.

613 citations

Proceedings ArticleDOI
06 Jun 2003
TL;DR: Comments in the top 18 areas that people noticed when evaluating Web site credibility are shared, and reasons for the prominence of design look are discussed.
Abstract: In this study 2,684 people evaluated the credibility of two live Web sites on a similar topic (such as health sites). We gathered the comments people wrote about each site's credibility and analyzed the comments to find out what features of a Web site get noticed when people evaluate credibility. We found that the “design look” of the site was mentioned most frequently, being present in 46.1% of the comments. Next most common were comments about information structure and information focus. In this paper we share sample participant comments in the top 18 areas that people noticed when evaluating Web site credibility. We discuss reasons for the prominence of design look, point out how future studies can build on what we have learned in this new line of research, and outline six design implications for human-computer interaction professionals.

612 citations

Book
26 Jan 2011

447 citations

Trending Questions (2)
How can we ensure the safety of users in the face of security threats?

The paper proposes the use of sonifications, or auditory representations, to warn users about cyber security threats and cues, aiming to reduce cognitive workload and draw users' attention to ensure their safety.

How can users be made more aware of the threats while using online platforms?

Users can be made more aware of online threats through the use of auditory representations, or sonifications, that warn them about cyber security threats.