Presentation is loading. Please wait.

Presentation is loading. Please wait.

Amber McConahy.  Multifaceted and multidimensional  Marsh & Dibben (2003) definition and layers of trust  “Trust concerns a positive expectation regarding.

Similar presentations


Presentation on theme: "Amber McConahy.  Multifaceted and multidimensional  Marsh & Dibben (2003) definition and layers of trust  “Trust concerns a positive expectation regarding."— Presentation transcript:

1 Amber McConahy

2  Multifaceted and multidimensional  Marsh & Dibben (2003) definition and layers of trust  “Trust concerns a positive expectation regarding the behavior of somebody or something is a situation that entails risk to the trusting party” ▪ Dispositional Trust – personality trait relating to trust ▪ Learned Trust – tendency to trust based on experience ▪ Situational Trust – trust adjusted based on situational cues  Key Questions  Reliable representation of trust in interactions and interfaces?  Transforming trust to security and vice versa?  Identification and mitigation of trust failings? 2

3  Vital to security but poorly understood  Perfect information removes need for trust  Trust without risk is meaningless  Online users must develop knowledge to make trust decisions  Developers must provide trustable designs  Must trust both people and technology  Halo Effect  Judgment based on attractiveness  Trust is built slowly and destroyed quickly 3

4  Meyer et al.  Ability to fulfill promises  Integrity relates meeting expectations  Benevolence is acting in best interest of client  Egger’s MoTEC  Superficial trust based on interface  Reasoned trust based on content analysis  Relationship trust based on transactional history 4

5 Trust Willingness to Transact Familiarity 5

6  Lee, Kim, and Moon  Trust and transaction cost are opposing factors  Corritore et al.  Credibility, ease of use, and risk affect trust  McKnight et al.  Trusting beliefs, intentions, and behaviors  Riegelsberger et al.  Focuses on incentives rather than opinions and beliefs 6

7  Trust and risk are related  Trust relates to beliefs  Ease of use can affect trust  Trust likely develops in stages  External factors and context can be relevant 7

8 DO  Ensure ease of use  Make design attractive  Convey real world  Include seals of approval  TRUSTe  Explain and justify content  Provide security and privacy statements  Provide background  Define roles  Personalize service DON’T  Make spelling mistakes  Mix ads and content  Be inconsistent or unpredictable  Forget peer evaluations  References  User feedback  Ignore alternatives  Links to other sites  Poor response or communication 8

9  Norm of Reciprocity (Goulder 1960)  Information likely to be provided in exchange for information of services  Leads to increased trust  Could increase vulnerability  Zhu et al.  Study of user behavior under reciprocity attacks  Use of InfoSource software with “Alice” guide 9

10  Experimental group disclosed more  Over 85% of users found “Alice” helpful  Perception of importance related to disclosure  Relevance of requested information matters  Income not provided due to perceived irrelevance  Beliefs and attitudes correlated with willingness to share information  Trust is related to willingness to share information 10

11  Users often don’t comprehend what computer is asking  Presents dilemma rather than decision  Users seek alternative information resources  Trust is aggregation of clues and tradeoffs  Large scopes and less context lead to impede consent  User’s are reluctant to provide personal data 11

12  Claims often do not correspond to actions  Consequences are often not fully evaluated  Users don’t like making global decisions  Developers and users have different views  Users confuse terminology  Hacking vs. virus  Software bug vs. virus 12

13 13

14 14

15  Secure default choses “Don’t Install”  Labels changed from “Yes” and “No” to “Install” and “Don’t Install”  Options provided  Simplified primary text  Evidence via certificates  Auxiliary text separated  “What’s the Risk?” link provided for more information 15

16 16

17 17

18  Purposeful similarity to ActiveX to promote consistency  Secure default option “Cancel”  Label changed from “Open” to “Run”  Primary text simplified to single question  Options provided  Evidence of filename and source provided  Assistance text separated with “What’s the risk?” link 18

19  Trust decisions should be made in context  Narrow scope and avoid global setups  Make the most trusted option the default  Replace dilemmas with choices  Always provide trusted response option  Convey consequences to actions  Respect the user’s decision  Submit even when decision is not comprehended by computer 19

20 Sauvik Das

21 Physical Attacks Syntactic Attacks 21

22 Semantic Attacks: “... Attacks that target the way we, as humans, assign meaning to content....Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet “ 22

23 Semantic Attacks: “... Attacks that target the way we, as humans, assign meaning to content....Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet “ 23

24  Semantic Attacks…  violate trust  deceive  are a new form of “hacking”—Cognitive Hacking 24

25  “Pump-and-Dump” schemes  Buy penny stocks cheap  Artificially inflate price (spread misinformation)  Sell for profit, leaving others “holding-the-bag” Pump Inflate Dump 25

26  WTF Stuxnet?  Had elements of semantic attack:  Tricked technicians into believing centrifuges were operating fine Looks okay to me 26

27  And, of course: Phishing 27

28  Phishing is…:  deceiving users to obtain sensitive information  spoofing “trustworthy” communications  phreaking + fishing  a growing threat 28

29  It is very lucrative.  $2.4 million to $9.4 million dollars per yer per million online banking customers  ~$2000 on each compromised bank account. 29

30  It’s easy.  There are Do-it-Yourself Phishing Kits  AND, several easy accessible tutorials 30

31  It’s hard to defend against.  “You and I can think about things. Symbols in our brains have meanings. The question is, can a [computer] think about things, or merely process digits that have no Aboutness—no meaning—no semantic content” – Neal Stephenson, Anathem Meaning 31

32  Easy to distribute, and low success rate is okay.  4700 per 1,000,000 banking credentials lost on average (0.47%)  BUT, bad guys still make plenty of money from that 32

33  With Social Web, phishing is more effective.  Paper by Jagatic et al: ▪ Mined relationships of students using publicly available information ▪ Using this information, conducted a spear phishing attack ▪ Found that using social info, people were 4.5x more likely to fall for phish (16% versus 72%). 33

34 It all goes back to trust. 1. People judge legitimacy by design 2. People do not trust web browser security 3. Awareness is not a strategy 4. Severity of the consequences does not seem to inform behavior 34

35  Study by Sheng et al.  Women more likely than men  Age at highest risk  Lower technical knowledge at higher risk  Generally risk averse people are at lower risk  Not orthogonal. 35

36  Study by Sheng et al.  Women more likely than men  Age at highest risk  Lower technical knowledge at higher risk  Generally risk averse people are at lower risk  Not orthogonal. 36

37  Study by Sheng et al.  Women more likely than men  Age at highest risk  Lower technical knowledge at higher risk  Generally risk averse people are at lower risk  Not orthogonal. 37

38  How can we mitigate phishing and other semantic attacks?  Raise Awareness?  Education?  Automatic Detection?  Better Visualizations of Danger?  ??? 38

39  It’s a tough problem  Only a small percentage (0.47%) of users need to be compromised for phishing to continue to be lucrative  Don’t want to make users afraid to go to legitimate websites (majority) in the process.  How do current mitigation strategies help? 39

40  Improve visual cues 40

41  Improving visual cues  Not as effective as it could be.  People don’t trust their web browsers (ahem…IE)  Dhamija et al. study (Firefox): ▪ Many people do not look at browser-based cues ▪ 23% didn’t look at all ▪ Make incorrect choices about phishing 40% of the time 41

42  Education 42

43  Education  Effective…but awareness alone not sufficient  Need to offer course of action  Sheng et al. study: ▪ 40% improvement among participants ▪ Some forms of education inhibit clicking of legitimate links as well (learn avoidance not phishing awareness) 43

44  Phishing scams are still increasing! 44

45  We have some effective strategies, but the problem is still open.  The Phishing explosion can be attributed to:  Users are still falling for it  DIY Phishing Kits making it increasingly easier to make phishing scams  We can mitigate the first problem, but what about the second? 45

46  Semantic attacks hack a user’s mind  Phishing is one common semantic attack  Deceive users to obtain their sensitive information  Phishing is tough to mitigate because:  It is lucrative  Easy to do  Education seems to be one great way to reduce the incidence of phishing.  We also need to find ways to make creating phish less appealing or more difficult. 46

47 47


Download ppt "Amber McConahy.  Multifaceted and multidimensional  Marsh & Dibben (2003) definition and layers of trust  “Trust concerns a positive expectation regarding."

Similar presentations


Ads by Google