Assessing the role of conceptual knowledge in an anti-phishing game
Copyright @ 2014 IEEE. This is the author accepted version of this article.
Games can be used to support learning and confidence development in several domains, including the secure use of computers. However, emphasizing different types of knowledge in a game design can lead to different outcomes. This study explores two game designs that aim to enhance students' ability to identify phishing hyperlinks. One design focuses on procedural knowledge: developing students' tacit ability to recognize phishing hyperlinks through systematic practice. The other design focuses on conceptual knowledge: helping students to explicitly reflect upon and identify the features of phishing hyperlinks. The results of a double-blind randomized trial with 66 participants suggest that using a game designed for conceptual knowledge leads to a greater increase in learners' ability to identify phishing hyperlinks. Hence, incorporating conceptual knowledge development into educational games enhances their efficacy within the computer security context.
Countering Social Engineering through Social Media: An Enterprise Security Perspective
The increasing threat of social engineers targeting social media channels to advance their attack effectiveness on company data has seen many organizations introducing initiatives to better understand these vulnerabilities. This paper examines concerns of social engineering through social media within the enterprise and explores countermeasures undertaken to stem ensuing risk. Also included is an analysis of existing social media security policies and guidelines within the public and private sectors.
Comment: Proceedings of The 7th International Conference on Computational Collective Intelligence Technologies and Applications (ICCCI 2015), LNAI, Springer, Vol. 9330, pp. 54-6
Editorial: Cognition, Behavior and Cybersecurity
Cybersecurity appears to be the ultimate paradox: while cybersecurity budgets are increased every year, and a vast array of new security products and services appear in the market, cyber attacks have been increasing in scale and scope every year. 2020 will perhaps be remembered as the “Year of Ransomware” as malware authors rendered useless every technical attempt to block them from attacking critical systems and data.
A Trust Domains Taxonomy for Securely Sharing Information: A Preliminary Investigation.
ACIS
In this paper, we develop a theoretical model for the adoption process of Information System Security innovations in organisations. The model stemmed from the Diffusion of Innovation theory (DOI), the Technology Acceptance Model (TAM), the Theory of Planned Behaviour (TPB) and the Technology-Organisation-Environment (TOE) framework. The model portrays the Information System Security adoption process progressing in a sequence of stages. The study considers the adoption process from the initiation stage until the acquisition of the innovation as an organisational-level judgement, while the process of innovation assimilation and integration is assessed in terms of user behaviour within the organisation. The model also introduces several factors that influence Information System Security innovation adoption. By merging the organisational adoption and user acceptance of innovation in a single depiction, this research contributes to the IS security literature a more comprehensive model for IS security adoption in organisations, compared to any of the past representations.
ACM International Conference Proceeding Series
Lack of usability of security Application Programming Interfaces (APIs) is one of the main reasons for mistakes that programmers make that result in security vulnerabilities in the software applications they develop. In particular, APIs that provide cryptographic functionalities such as password hashing are sometimes too complex for programmers to learn and use. To improve the usability of these APIs and make them easy to learn and use, it is important to identify the usability issues that exist in those APIs and make them harder to learn and use. In this work, we evaluated the usability of the SCrypt password hashing functionality of the Bouncycastle API to identify usability issues in it that persuade programmers to make mistakes while developing applications that would result in security vulnerabilities. We conducted a study with 10 programmers where each of them spent around 2 hours on the study and attempted to develop a secure password storage solution using the Bouncycastle API. From the data we collected, we identified 63 usability issues that exist in the SCrypt implementation of the Bouncycastle API. The results of our study provided useful insights about how security/cryptographic APIs should be designed, developed and improved to provide a better experience for the programmers who use them. Furthermore, we expect that this work will provide guidance on how to conduct usability evaluations for security APIs to identify the usability issues that exist in them.
Am I Responsible for End-User’s Security?
Previous research has pointed out that software applications should not depend on programmers to provide security for end-users, as the majority of programmers are not experts in computer security. On the other hand, some studies have revealed that security experts believe programmers have a major role to play in ensuring end-users’ security. However, there has been no investigation of what programmers perceive about their responsibility for the end-users’ security of the applications they develop. In this work, by conducting a qualitative experimental study with 40 software developers, we attempted to understand programmers’ perception of who is responsible for ensuring the end-users’ security of the applications they develop. Results revealed that the majority of programmers perceive that they are responsible for the end-users’ security of the applications they develop. Furthermore, results showed that even though programmers are aware of the things they need to do to ensure end-users’ security, they do not often follow them. We believe these results would change the current view on the role that different stakeholders of the software development process (i.e. researchers, security experts, programmers and Application Programming Interface (API) developers) have to play in order to ensure the security of software applications.
Why Johnny Can’t Develop a Secure Application? A Usability Analysis of Java Secure Socket Extension API
Lack of usability of security Application Programming Interfaces (APIs) is one of the main reasons for mistakes that programmers make that result in security vulnerabilities in the software applications they develop. In particular, APIs that provide Transport Layer Security (TLS) related functionalities are sometimes too complex for programmers to learn and use. Therefore, applications are often diagnosed with vulnerable TLS implementations due to mistakes made by programmers. In this work, we evaluated the usability of the Java Secure Socket Extension (JSSE) API to identify usability issues in it that persuade programmers to make mistakes while developing applications that would result in security vulnerabilities. We conducted a study with 11 programmers where each of them spent around 2 hours and attempted to develop a secure programming solution using the JSSE API. From the data we collected, we identified 59 usability issues that exist in the JSSE API. We then divided those usability issues into 15 cognitive dimensions and analyzed how those issues affected the experience of the participating programmers. The results of our study provided useful insights about how TLS APIs and similar security APIs should be designed, developed and improved to provide a better experience for the programmers who use them.
Proceedings 19th International Conference on Human-Computer Interaction (HCII)
Programmers use security APIs to embed security into the applications they develop. Security vulnerabilities get introduced into those applications due to the usability issues that exist in the security APIs. Improving the usability of security APIs would contribute to improving the security of the applications that programmers develop. However, currently there is no methodology to evaluate the usability of security APIs. In this study, we attempt to improve the Cognitive Dimensions framework based API usability evaluation methodology to evaluate the usability of security APIs.
PPIG
Usability issues that exist in security APIs cause programmers to embed those security APIs incorrectly into the applications they develop. This results in the introduction of security vulnerabilities into those applications. One of the main reasons for security APIs not being usable is that currently there is no proper method by which the usability issues of security APIs can be identified. We conducted a study to assess the effectiveness of the cognitive dimensions questionnaire based usability evaluation methodology in evaluating the usability of security APIs. We used a cognitive dimensions based generic questionnaire to collect feedback from programmers who participated in the study. Results revealed interesting facts about the prevailing usability issues in four commonly used security APIs and the capability of the methodology to identify those issues.
