Melanie Volkamer, Karen Renaud and Paul Gerber
Abstract
Purpose
Phishing is still a very popular and effective security threat, and it takes, on average, more than a day to detect new phish websites. Protection by purely technical means is hampered by this vulnerability window. During this window, users need to act to protect themselves. To support users in doing so, the paper aims to propose to first make users aware of the need to consult the address bar. Moreover, the authors propose to prune URL displayed in the address bar. The authors report on an evaluation of this proposal.
Design/methodology/approach
The paper opted for an online study with 411 participants, judging 16 websites – all with authentic design: half with legitimate and half with phish URLs. The authors applied four widely used types of URL manipulation techniques. The authors conducted a within-subject and between-subject study with participants randomly assigned to one of two groups (domain highlighting or pruning). The authors then tested both proposals using a repeated-measures multivariate analysis of variance.
Findings
The analysis shows a significant improvement in terms of phish detection after providing the hint to check the address bar. Furthermore, the analysis shows a significant improvement in terms of phish detection after the hint to check the address bar for uninitiated participants in the pruning group, as compared to those in the highlighting group.
Research limitations/implications
Because of the chosen research approach, the research results may lack generalisability. Therefore, researchers are encouraged to test the proposed propositions further.
Practical implications
This paper confirms the efficacy of URL pruning and of prompting users to consult the address bar for phish detection.
Originality/value
This paper introduces a classification for URL manipulation techniques used by phishers. We also provide evidence that drawing people’s attention to the address bar makes them more likely to spot phish websites, but does not impair their ability to identify authentic websites.
Karen Renaud, Stephen Flowerday, Rosanne English and Melanie Volkamer
Abstract
Purpose
The purpose of this study was to identify reasons for the lack of protest against dragnet surveillance in the UK. As part of this investigation, a study was carried out to gauge the understanding of “privacy” and “confidentiality” by the well-informed.
Design/methodology/approach
To perform a best-case study, the authors identified a group of well-informed participants in terms of security. To gain insights into their privacy-related mental models, they were asked first to define the three core terms and then to identify the scenarios. Then, the participants were provided with privacy-related scenarios and were asked to demonstrate their understanding by classifying the scenarios and identifying violations.
Findings
Although the participants were mostly able to identify privacy and confidentiality scenarios, they experienced difficulties in articulating the actual meaning of the terms privacy, confidentiality and security.
Research limitations/implications
There were a limited number of participants, yet the findings are interesting and justify further investigation. The implications, even of this initial study, are significant: if citizens’ privacy rights are being violated, they did not seem to know how to protest this, even if they had the desire to do so.
Practical implications
Had the citizens understood the meaning of privacy, and their ancient right thereto, which is enshrined in law, their response to the Snowden revelations about ongoing wide-scale surveillance might well have been more strident and insistent.
Originality/value
People in the UK, where this study was carried out, do not seem to protest the privacy invasion effected by dragnet surveillance with any verve. The authors identify a number of possible reasons for this from the literature. One possible explanation is that people do not understand privacy. Thus, this study posits that privacy is unusual in that understanding does not seem to align with the ability to articulate the rights to privacy and their disapproval of such widespread surveillance. This seems to make protests unlikely.
Peter Mayer, Nina Gerber, Ronja McDermott, Melanie Volkamer and Joachim Vogt
Abstract
Purpose
This paper aims to contribute to the understanding of goal setting in organizations, especially regarding the mitigation of conflicting productivity and security goals.
Design/methodology/approach
This paper describes the results of a survey with 200 German employees regarding the effects of goal setting on employees’ security compliance. Based on the survey results, a concept for setting information security goals in organizations, building on actionable behavioral recommendations from information security awareness materials, is developed. This concept was evaluated in three small- to medium-sized organizations (SMEs) with 90 employees in total.
Findings
The survey results revealed that the presence of rewards for productivity goal achievement is strongly associated with a decrease in security compliance. The evaluation of the goal setting concept indicates that setting their own information security goals is welcomed by employees.
Research limitations/implications
Both studies rely on self-reported data and are, therefore, likely to contain some kind of bias.
Practical implications
Goal setting in organizations has to accommodate situations where productivity goals constrain security policy compliance. Introducing the proposed goal setting concept, based on relevant actionable behavioral recommendations, can help mitigate issues in such situations.
Originality/value
This work furthers the understanding of the factors affecting employee security compliance. Furthermore, the proposed concept can help maximize the positive effects of goal setting in organizations by mitigating the negative effects through the introduction of meaningful and actionable information security goals.
Cristian Thiago Moecke and Melanie Volkamer
Abstract
Purpose
Email communication has been used for many years, and has begun to replace traditional, physical correspondence more and more. Compared to a traditional postal service, email services are easier, faster, and free of charge. Standard email, however, is, from a security point of view, more comparable to postcards than to letters. Some security techniques and services exist, but few people use them due to lack of awareness, low usability, and a lack of understanding of Public Key Infrastructures (PKIs). A comprehensive comparison is missing, which makes it difficult for users to decide which email service to use. The purpose of this paper is to identify evaluation criteria covering security, usability, and interoperability aspects of email, and to apply them to existing email services.
Design/methodology/approach
The authors first define criteria based on literature review, threat analysis and expert consultation. These criteria are then applied, when applicable, to existing approaches including DKIM, SPF, PGP, S/MIME and Opportunistic Encryption, and to common secure email providers including Gmail, Hushmail, and De-Mail.
Findings
None of the existing analysed services meets all the derived criteria. Based on the result of the application of these criteria and the corresponding comparison, the authors propose future directions for usable secure email communication.
Originality/value
The criteria proposed are original and allow an evaluation and a comparison of different email systems that not only considers security aspects, but also the relation and trade-offs between security, usability and interoperability. Moreover, the trust assumptions involved are also considered.
M. Maina Olembo, Timo Kilian, Simon Stockhardt, Andreas Hülsing and Melanie Volkamer
Abstract
Purpose
The purpose of this study was to develop and test SCoP. Users find comparing long meaningless strings of alphanumeric characters difficult. While visual hashes – where users compare images rather than strings – have been proposed as an alternative, people are unable to sufficiently distinguish more than 30 bits, which does not provide adequate security against collision attacks. Our goal is to improve the situation.
Design/methodology/approach
A visual hash scheme was developed using shapes, colours, patterns and position parameters. It was evaluated in a series of pilot user studies and improved iteratively, leading to SCoP, which encodes 60 distinguishable bits. We tested SCoP further in two follow-up studies, simulating verifiability in remote electronic voting and https certificate validation.
Findings
Participants attained an average accuracy rate of 97 per cent with SCoP when comparing two visual hash images, one placed above the other. From the follow-up studies, SCoP was seen to be more promising for the https certificate validation use case, with direct image comparison, while a low average accuracy rate in simulating verifiability in remote electronic voting limits its applicability in an image-recall use case.
Research limitations/implications
Participants achieved high accuracy rates in unrealistic situations, where the images appeared on the screen at the same time and in the same size. Studies in more realistic situations are therefore necessary.
Originality/value
We identify a visual hash scheme encoding a higher number of distinguishable bits than previously reported in literature, and extend the testing to realistic scenarios.