Search results

Article
Publication date: 10 October 2016

Melanie Volkamer, Karen Renaud and Paul Gerber

Abstract

Purpose

Phishing is still a very popular and effective security threat, and it takes, on average, more than a day to detect new phish websites. Protection by purely technical means is hampered by this vulnerability window. During this window, users need to act to protect themselves. To support users in doing so, the paper proposes first to make users aware of the need to consult the address bar. Moreover, the authors propose to prune the URL displayed in the address bar down to the part that identifies the site. The authors report on an evaluation of this proposal.

Design/methodology/approach

The paper opted for an online study with 411 participants, judging 16 websites, all with authentic design: half with legitimate and half with phish URLs. The authors applied four popular, widely used types of URL manipulation techniques. The authors conducted a within-subject and between-subject study with participants randomly assigned to one of two groups (domain highlighting or pruning). The authors then tested both proposals using a repeated-measures multivariate analysis of variance.

Findings

The analysis shows a significant improvement in terms of phish detection after providing the hint to check the address bar. Furthermore, the analysis shows a significant improvement in terms of phish detection after the hint to check the address bar for uninitiated participants in the pruning group, as compared to those in the highlighting group.

Research limitations/implications

Because of the chosen research approach, the research results may lack generalisability. Therefore, researchers are encouraged to test the proposed propositions further.

Practical implications

This paper confirms the efficacy of URL pruning and of prompting users to consult the address bar for phish detection.

Originality/value

This paper introduces a classification for URL manipulation techniques used by phishers. The authors also provide evidence that drawing people's attention to the address bar makes them more likely to spot phish websites, but does not impair their ability to identify authentic websites.
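The two address-bar displays the study compares, pruning and domain highlighting, both hinge on isolating the registrable domain from everything an attacker can control around it. The following is an added example, not code from the paper; it assumes a tiny hand-written stand-in for the Public Suffix List, and the sample URLs and the "trick" labels on them are constructed for illustration and are not the paper's 16 websites or its four-category classification.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (assumption: a browser would use the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "uk", "co.uk", "ac.uk"}


def registrable_domain(host):
    """Registrable domain (public suffix plus one label) of host, or None
    when host is an IP address or ends in no known suffix."""
    labels = host.lower().rstrip(".").split(".")
    # labels[i:] shrinks as i grows, so the longest suffix is tried first
    # and "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None          # the host *is* a public suffix
            return ".".join(labels[i - 1:])
    return None


def prune_url(url):
    """Pruning display: only the part of the URL that identifies the site,
    i.e. the registrable domain, falling back to the raw host (IP, etc.)."""
    host = urlsplit(url).hostname    # drops scheme, userinfo, port, path
    if host is None:
        return None
    return registrable_domain(host) or host


def highlight_url(url):
    """Domain-highlighting display: the full URL with the registrable domain
    bracketed, e.g. https://www.paypal.com.[login-secure.net]/signin
    (assumes an absolute http(s) URL without an IPv6 literal)."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return url
    domain = registrable_domain(host) or host
    # The host starts after "//" and after any userinfo "user@" in the netloc.
    start = url.lower().find("//") + 2 + parts.netloc.rfind("@") + 1
    end = start + len(host)
    written = url[start:end]          # host as typed, case preserved
    cut = len(host) - len(domain)
    return url[:start] + written[:cut] + "[" + written[cut:] + "]" + url[end:]


def is_expected_site(url, expected_domain):
    """The decision the user actually has to make: does the pruned URL match
    the site they believe they are on?"""
    return prune_url(url) == expected_domain.lower()


# Constructed sample URLs; the label is an illustrative description of the
# trick, not the paper's classification.
SAMPLES = [
    ("https://www.paypal.com/signin", "legitimate"),
    ("https://www.paypal.com.login-secure.net/signin", "brand as subdomain"),
    ("https://www.paypal.com@evil.org/signin", "brand in userinfo"),
    ("https://www.paypa1.com/signin", "look-alike registrable domain"),
    ("http://192.0.2.1/paypal/signin", "bare IP address"),
]

if __name__ == "__main__":
    for url, trick in SAMPLES:
        print(f"{trick:30} pruned={prune_url(url):18} "
              f"paypal.com? {is_expected_site(url, 'paypal.com')}")
        print(f"{'':30} {highlight_url(url)}")
```

Note the difference the study is measuring: `highlight_url` still shows the attacker-controlled prefix (which is exactly where the brand name is planted), whereas `prune_url` removes it, so the only string left to compare is the one the attacker cannot choose.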

Details

Information & Computer Security, vol. 24 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 10 October 2016

Karen Renaud, Stephen Flowerday, Rosanne English and Melanie Volkamer

Abstract

Purpose

The purpose of this study was to identify reasons for the lack of protest against dragnet surveillance in the UK. As part of this investigation, a study was carried out to gauge the understanding of "privacy" and "confidentiality" by the well-informed.

Design/methodology/approach

To perform a best-case study, the authors identified a group of participants who were well informed in terms of security. To gain insights into their privacy-related mental models, the participants were first asked to define the three core terms (privacy, confidentiality and security). They were then provided with privacy-related scenarios and asked to demonstrate their understanding by classifying the scenarios and identifying violations.

Findings

Although the participants were mostly able to identify privacy and confidentiality scenarios, they experienced difficulties in articulating the actual meaning of the terms privacy, confidentiality and security.

Research limitations/implications

There were a limited number of participants, yet the findings are interesting and justify further investigation. The implications, even of this initial study, are significant: citizens' privacy rights may be being violated, yet citizens do not seem to know how to protest this, if indeed they have the desire to do so.

Practical implications

Had the citizens understood the meaning of privacy, and their ancient right thereto, which is enshrined in law, their response to the Snowden revelations about ongoing wide-scale surveillance might well have been more strident and insistent.

Originality/value

People in the UK, where this study was carried out, do not seem to protest the privacy invasion effected by dragnet surveillance with any verve. The authors identify a number of possible reasons for this from the literature. One possible explanation is that people do not understand privacy. Thus, this study posits that privacy is unusual in that understanding does not seem to align with the ability to articulate the rights to privacy and their disapproval of such widespread surveillance. This seems to make protests unlikely.

Details

Information & Computer Security, vol. 24 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 June 2017

Peter Mayer, Nina Gerber, Ronja McDermott, Melanie Volkamer and Joachim Vogt

Abstract

Purpose

This paper aims to contribute to the understanding of goal setting in organizations, especially regarding the mitigation of conflicting productivity and security goals.

Design/methodology/approach

This paper describes the results of a survey of 200 German employees regarding the effects of goal setting on employees' security compliance. Based on the survey results, a concept for setting information security goals in organizations, building on actionable behavioral recommendations from information security awareness materials, is developed. This concept was evaluated in three small- to medium-sized enterprises (SMEs) with 90 employees in total.

Findings

The survey results revealed that the presence of rewards for productivity goal achievement is strongly associated with a decrease in security compliance. The evaluation of the goal setting concept indicates that setting their own information security goals is welcomed by employees.

Research limitations/implications

Both studies rely on self-reported data and are, therefore, likely to contain some kind of bias.

Practical implications

Goal setting in organizations has to accommodate situations where productivity goals constrain security policy compliance. Introducing the proposed goal setting concept, based on relevant actionable behavioral recommendations, can help mitigate issues in such situations.

Originality/value

This work furthers the understanding of the factors affecting employee security compliance. Furthermore, the proposed concept can help maximize the positive effects of goal setting in organizations by mitigating the negative effects through the introduction of meaningful and actionable information security goals.

Details

Information & Computer Security, vol. 25 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 15 March 2013

Cristian Thiago Moecke and Melanie Volkamer

Abstract

Purpose

Email communication has been used for many years, and has begun to replace traditional, physical correspondence more and more. Compared to a traditional postal service, email services are easier, faster, and free of charge. Standard email, however, is, from a security point of view, more comparable to post cards than letters. Some security techniques and services exist, but few people use them due to lack of awareness, low usability, and a lack of understanding of Public Key Infrastructures (PKIs). A comprehensive comparison is missing, which makes it difficult for users to decide which email service to use. The purpose of this paper is to identify evaluation criteria covering security, usability, and interoperability aspects of email, and to apply them to existing email services.

Design/methodology/approach

The authors first define criteria based on literature review, threat analysis and expert consultation. These criteria are then applied, when applicable, to existing approaches including DKIM, SPF, PGP, S/MIME and Opportunistic Encryption, and to common secure email providers including Gmail, Hushmail, and De‐Mail.

Findings

None of the existing analysed services meets all the derived criteria. Based on the result of the application of these criteria and the corresponding comparison, the authors propose future directions for usable secure email communication.

Originality/value

The criteria proposed are original and allow an evaluation and a comparison of different email systems that not only considers security aspects, but also the relation and trade‐offs between security, usability and interoperability. Moreover, the trust assumptions involved are also considered.

Details

Information Management & Computer Security, vol. 21 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 7 October 2014

M. Maina Olembo, Timo Kilian, Simon Stockhardt, Andreas Hülsing and Melanie Volkamer

Abstract

Purpose

The purpose of this study was to develop and test SCoP. Users find comparing long meaningless strings of alphanumeric characters difficult. While visual hashes – where users compare images rather than strings – have been proposed as an alternative, people are unable to sufficiently distinguish more than 30 bits, which does not provide adequate security against collision attacks. Our goal is to improve the situation.

Design/methodology/approach

A visual hash scheme was developed using shapes, colours, patterns and position parameters. It was evaluated in a series of pilot user studies and improved iteratively, leading to SCoP, which encodes 60 distinguishable bits. We tested SCoP further in two follow-up studies, simulating verification in remote electronic voting and https certificate validation.

Findings

Participants attained an average accuracy rate of 97 per cent with SCoP when comparing two visual hash images, one placed above the other. From the follow-up studies, SCoP was seen to be more promising for the https certificate validation use case, with direct image comparison, while a low average accuracy rate in simulating verifiability in remote electronic voting limits its applicability in an image-recall use case.

Research limitations/implications

Participants achieved high accuracy rates in unrealistic situations, where the images appeared on the screen at the same time and in the same size. Studies in more realistic situations are therefore necessary.

Originality/value

We identify a visual hash scheme encoding a higher number of distinguishable bits than previously reported in literature, and extend the testing to realistic scenarios.
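Why 30 distinguishable bits is "not adequate against collision attacks" while 60 is a different proposition follows from the birthday bound: a collision among 2^n values is expected after roughly 2^(n/2) samples, so an attacker who can make two certificates or ballots look the same needs about 2^15 tries at 30 bits but about 2^30 at 60. The following added example (not the paper's code; SCoP's real shapes, colours, patterns, positions and bit widths are not given in the abstract, so the alphabets and the 5-element, 12-bits-per-element layout below are assumptions) encodes a 60-bit fingerprint into drawable elements, computes the birthday bound, and actually finds a 30-bit collision by brute force.

```python
import hashlib
import math

# Illustrative parameter alphabets (assumption, not SCoP's actual design).
SHAPES = ["circle", "square", "triangle", "star",
          "hexagon", "diamond", "cross", "ring"]           # 3 bits
COLOURS = ["red", "green", "blue", "yellow",
           "orange", "purple", "black", "white"]           # 3 bits
PATTERNS = ["solid", "striped", "dotted", "checked"]       # 2 bits
GRID = 4                                                   # 4x4 grid: 4 bits
BITS_PER_ELEMENT = 3 + 3 + 2 + 4                           # 12
ELEMENTS = 5                                               # 5 * 12 = 60 bits


def fingerprint_bits(data, nbits):
    """Top nbits of SHA-256(data) as an integer: the value the image encodes."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def encode_visual(data, elements=ELEMENTS):
    """Map a fingerprint to a list of drawable elements. Two inputs render
    identically exactly when their top elements*12 hash bits are equal."""
    bits = fingerprint_bits(data, elements * BITS_PER_ELEMENT)
    picture = []
    for i in range(elements):
        chunk = (bits >> (BITS_PER_ELEMENT * (elements - 1 - i))) & 0xFFF
        cell = chunk & 0xF
        picture.append({
            "shape": SHAPES[(chunk >> 9) & 0x7],
            "colour": COLOURS[(chunk >> 6) & 0x7],
            "pattern": PATTERNS[(chunk >> 4) & 0x3],
            "position": (cell // GRID, cell % GRID),
        })
    return picture


def birthday_trials(nbits, p=0.5):
    """Random samples needed for collision probability p among 2^nbits
    values: sqrt(2 * 2^nbits * ln(1/(1-p)))."""
    return math.sqrt(2 * 2 ** nbits * math.log(1 / (1 - p)))


def find_collision(nbits, limit):
    """Brute-force two distinct inputs whose nbits fingerprints match, i.e.
    two objects a user would see as the same picture. Returns None if no
    collision turns up within `limit` candidates."""
    seen = {}
    for i in range(limit):
        msg = b"candidate-%d" % i          # constructed candidate inputs
        fp = fingerprint_bits(msg, nbits)
        if fp in seen:
            return seen[fp], msg
        seen[fp] = msg
    return None


if __name__ == "__main__":
    for n in (30, 60):
        print(f"{n} bits: ~{birthday_trials(n):,.0f} random tries "
              f"for a 50% chance of a collision")
    a, b = find_collision(30, 1 << 18)     # finishes in well under a second
    print(f"30-bit collision: {a!r} and {b!r} both map to "
          f"{fingerprint_bits(a, 30):#010x}")
    for element in encode_visual(b"example certificate fingerprint"):
        print(element)
```

The brute-force search is the point: at 30 bits a laptop produces two colliding inputs in a fraction of a second, so a visual hash at that size protects only against accidental mismatch, not against an adversary who can choose what the user is shown. At 60 bits the same search needs on the order of a billion hash computations, which is costly but still within reach of a determined attacker, which is why the scheme is positioned as an improvement rather than a replacement for a full-length fingerprint.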

Details

Information Management & Computer Security, vol. 22 no. 4
Type: Research Article
ISSN: 0968-5227
