Context-sensitive guidance (CSG) can help users make better security decisions. Applications with CSG ask the user to provide relevant context information and, based on that information, decide or suggest an appropriate course of action. However, users often deem security dialogs irrelevant to the tasks they are performing and try to evade them. This paper contributes two new techniques for hardening CSG against automatic and false user answers. Polymorphic dialogs continuously change the form of the required user inputs and intentionally delay them, forcing users to pay attention to security decisions. Audited dialogs thwart false user answers by (1) warning users that their answers will be forwarded to auditors, and (2) allowing auditors to quarantine users who provide unjustified answers. We implemented CSG against email-borne viruses on the Thunderbird email agent. One version, CSG-PD, includes CSG and polymorphic dialogs. Another version, CSG-PAD, includes CSG and both polymorphic and audited dialogs. In user studies, we found that untrained users accept significantly fewer unjustified risks with CSG-PD than with conventional dialogs. Moreover, they accept significantly fewer unjustified risks with CSG-PAD than with CSG-PD. CSG-PD and CSG-PAD have no significant effect on acceptance of justified risks.
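The two mechanisms the abstract describes, sketched as an added Python example that is not the paper's Thunderbird implementation: a dialog whose required input form and minimum delay are randomised on every instance, so a scripted or habitual answer fails, and an auditor that receives each answer and quarantines a user whose stated justification contradicts evidence the mail agent holds. The form names, the 2 to 5 second delay range, the decoy attachment names and the address-book rule are assumptions of this example.

```python
import random
from dataclasses import dataclass, field

# Forms the dialog can take; each demands a different kind of answer (hypothetical set).
FORMS = ("type_filename", "pick_position", "state_reason")

class PolymorphicDialog:
    """Permission dialog whose input form and delay change on every instance."""
    def __init__(self, attachment, rng=None, form=None):
        self.rng = rng or random.SystemRandom()
        self.attachment = attachment
        self.form = form or self.rng.choice(FORMS)
        self.min_delay = self.rng.uniform(2.0, 5.0)  # deliberate, randomised delay (s)
        self.options = [attachment, "notes.txt", "photo.jpg"]  # decoys for pick_position
        self.rng.shuffle(self.options)  # the correct position moves every time

    def prompt(self):
        if self.form == "type_filename":
            return f"Type the exact attachment name to open it ({self.attachment}):"
        if self.form == "pick_position":
            listing = ", ".join(f"{i}={n}" for i, n in enumerate(self.options))
            return f"Enter the number of the attachment to open: {listing}"
        return "In at least 15 characters, state why you expect this attachment:"

    def answer(self, response, elapsed):
        """Return (accepted, reason); elapsed is seconds since the dialog was shown.
        Answers arriving before the delay or not matching the form are rejected."""
        if elapsed < self.min_delay:
            return False, "answered before the dialog's delay elapsed"
        if self.form == "type_filename":
            ok = response.strip() == self.attachment
        elif self.form == "pick_position":
            ok = response.strip() == str(self.options.index(self.attachment))
        else:
            ok = len(response.strip()) >= 15
        return ok, "accepted" if ok else "answer does not match the requested form"

@dataclass
class Auditor:
    """Audited dialogs forward each answer here; unjustified ones get the user quarantined."""
    address_book: set
    quarantined: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def review(self, user, sender, justification):
        self.log.append((user, sender, justification))
        # Example check (assumed rule): a claim of a known sender must match the address book.
        if justification == "known sender" and sender not in self.address_book:
            self.quarantined.add(user)
            return False
        return True
```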