Evaluating the Information Security Awareness of Smartphone Users

Information security awareness (ISA) is a practice focused on the set of skills that help a user successfully mitigate social engineering (SE) attacks. Evaluating the ISA of users is crucial, since early identification of users who are more vulnerable to SE attacks improves system security. Previous studies evaluating the ISA of smartphone users rely on subjective data sources (questionnaires) and do not address the differences between classes of SE attacks. This paper presents a framework for evaluating the ISA of smartphone users for specific attack classes. In addition to questionnaires, we utilize objective data sources: a mobile agent, a network traffic monitor, and cybersecurity challenges. We evaluated the framework by conducting a long-term user study involving 162 users. The results show that the self-reported behavior of users differs significantly from their actual behavior, and that the ISA level derived from the actual behavior of users is highly correlated with their ability to mitigate SE attacks.
