Trust Amber McConahy

Amber McConahy. Multifaceted and multidimensional Marsh & Dibben (2003) definition and layers of trust “Trust concerns a positive expectation regarding

Embed Size (px)

Citation preview

Page 1:

Trust
Amber McConahy

Page 2:

Trust

• Multifaceted and multidimensional
• Marsh & Dibben (2003) definition and layers of trust
  “Trust concerns a positive expectation regarding the behavior of somebody or something in a situation that entails risk to the trusting party”
  ▪ Dispositional Trust – personality trait relating to trust
  ▪ Learned Trust – tendency to trust based on experience
  ▪ Situational Trust – trust adjusted based on situational cues
• Key Questions
  ▪ Reliable representation of trust in interactions and interfaces?
  ▪ Transforming trust to security and vice versa?
  ▪ Identification and mitigation of trust failings?

Page 3:

Trust in Digital Realm

• Vital to security but poorly understood
• Perfect information removes the need for trust
• Trust without risk is meaningless
• Online users must develop knowledge to make trust decisions
• Developers must provide trustable designs
• Must trust both people and technology
• Halo Effect
  ▪ Judgment based on attractiveness
• Trust is built slowly and destroyed quickly

Page 4:

Models of Trust

• Mayer et al.
  ▪ Ability – capacity to fulfill promises
  ▪ Integrity – meeting expectations
  ▪ Benevolence – acting in the best interest of the client
• Egger’s MoTEC (Model of Trust for Electronic Commerce)
  ▪ Superficial trust based on interface
  ▪ Reasoned trust based on content analysis
  ▪ Relationship trust based on transactional history

Page 5:

Bhattacherjee’s Model

[Diagram: Familiarity, Trust, and Willingness to Transact linked by three positive (+) paths: Familiarity → Trust, Trust → Willingness to Transact, and Familiarity → Willingness to Transact]

Page 6:

Additional Trust Models

• Lee, Kim, and Moon
  ▪ Trust and transaction cost are opposing factors
• Corritore et al.
  ▪ Credibility, ease of use, and risk affect trust
• McKnight et al.
  ▪ Trusting beliefs, intentions, and behaviors
• Riegelsberger et al.
  ▪ Focuses on incentives rather than opinions and beliefs

Page 7:

Model Summary

• Trust and risk are related
• Trust relates to beliefs
• Ease of use can affect trust
• Trust likely develops in stages
• External factors and context can be relevant

Page 8:

Trust Guidelines

DO
• Ensure ease of use
• Make design attractive
• Convey real world
• Include seals of approval
  ▪ TRUSTe
• Explain and justify content
• Provide security and privacy statements
• Provide background
• Define roles
• Personalize service

DON’T
• Make spelling mistakes
• Mix ads and content
• Be inconsistent or unpredictable
• Forget peer evaluations
  ▪ References
  ▪ User feedback
• Ignore alternatives
  ▪ Links to other sites
• Poor response or communication

Page 9:

Reciprocity

• Norm of Reciprocity (Gouldner 1960)
  ▪ Information is likely to be provided in exchange for information or services
  ▪ Leads to increased trust
  ▪ Could increase vulnerability
• Zhu et al.
  ▪ Study of user behavior under reciprocity attacks
  ▪ Use of InfoSource software with “Alice” guide

Page 10:

Results of Reciprocity Study

• Experimental group disclosed more
• Over 85% of users found “Alice” helpful
• Perception of importance related to disclosure
• Relevance of requested information matters
  ▪ Income not provided due to perceived irrelevance
• Beliefs and attitudes correlated with willingness to share information
• Trust is related to willingness to share information

Page 11:

Users & Trust

• Users often don’t comprehend what the computer is asking
  ▪ Presents a dilemma rather than a decision
• Users seek alternative information resources
• Trust is an aggregation of clues and tradeoffs
• Large scopes and less context impede consent
• Users are reluctant to provide personal data

Page 12:

Behaviors & Trust

• Claims often do not correspond to actions
• Consequences are often not fully evaluated
• Users don’t like making global decisions
• Developers and users have different views
• Users confuse terminology
  ▪ Hacking vs. virus
  ▪ Software bug vs. virus

Page 13:

ActiveX (SP1)

Page 14:

Redesigned ActiveX (SP2)

Page 15:

Key Design Changes

• Secure default chooses “Don’t Install”
• Labels changed from “Yes” and “No” to “Install” and “Don’t Install”
• Options provided
• Simplified primary text
• Evidence via certificates
• Auxiliary text separated
• “What’s the Risk?” link provided for more information

Page 16:

File Download Dialog (SP1)

Page 17:

File Download Dialog (SP2)

Page 18:

Redesign Features

• Purposeful similarity to ActiveX to promote consistency
• Secure default option “Cancel”
• Label changed from “Open” to “Run”
• Primary text simplified to a single question
• Options provided
• Evidence of filename and source provided
• Assistance text separated with “What’s the risk?” link

Page 19:

Conclusions

• Trust decisions should be made in context
  ▪ Narrow the scope and avoid global setups
• Make the most trusted option the default
• Replace dilemmas with choices
  ▪ Always provide a trusted response option
  ▪ Convey the consequences of actions
• Respect the user’s decision
  ▪ Submit even when the decision is not comprehended by the computer

Similarities to models of trust?

Page 20:

Semantic Attacks
Sauvik Das

Page 21:

Schneier’s Security Attacks

Physical Attacks

Syntactic Attacks

Page 22:

Schneier’s Security Attacks

Semantic Attacks: “. . . Attacks that target the way we, as humans, assign meaning to content. . . . Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet”

Page 23:

Schneier’s Security Attacks

(Same quote as the previous slide, with an example hostile link added:)

http://lol-gonna-log-ur-keys.com

Page 24:

Semantic Attacks

Semantic Attacks…
• violate trust
• deceive
• are a new form of “hacking”: Cognitive Hacking

Page 25:

Types of Semantic Attacks

• “Pump-and-Dump” schemes
  ▪ Buy penny stocks cheap
  ▪ Artificially inflate the price (spread misinformation)
  ▪ Sell for profit, leaving others “holding the bag”

[Diagram: Pump → Inflate → Dump]

Page 26:

Types of Semantic Attacks

• WTF Stuxnet? Had elements of a semantic attack:
  ▪ Tricked technicians into believing centrifuges were operating fine

[Image caption: “Looks okay to me”]

Page 27:

Types of Semantic Attacks

And, of course: Phishing

Page 28:

What is Phishing?

Phishing is…:
• deceiving users to obtain sensitive information
• spoofing “trustworthy” communications
• phreaking + fishing
• a growing threat

Page 29:

Why Phish?

• It is very lucrative.
  ▪ $2.4 million to $9.4 million per year per million online banking customers
  ▪ ~$2,000 for each compromised bank account

Page 30:

Why Phish?

• It’s easy.
  ▪ There are do-it-yourself phishing kits
  ▪ AND several easily accessible tutorials

Page 31:

Why Phish?

• It’s hard to defend against.
  “You and I can think about things. Symbols in our brains have meanings. The question is, can a [computer] think about things, or merely process digits that have no Aboutness—no meaning—no semantic content” – Neal Stephenson, Anathem

Meaning

Page 32:

Why Phish?

• Easy to distribute, and a low success rate is okay.
  ▪ 4,700 per 1,000,000 banking credentials lost on average (0.47%)
  ▪ BUT the bad guys still make plenty of money from that

Page 33:

Why Phish?

• With the Social Web, phishing is more effective.
  ▪ Paper by Jagatic et al.:
    ▪ Mined relationships of students using publicly available information
    ▪ Using this information, conducted a spear phishing attack
    ▪ Found that using social info, people were 4.5x more likely to fall for the phish (16% versus 72%)

Page 34:

Why do people fall for Phish?

It all goes back to trust.

1. People judge legitimacy by design
2. People do not trust web browser security
3. Awareness is not a strategy
4. Severity of the consequences does not seem to inform behavior

Page 35:

Who Falls for Phish?

• Study by Sheng et al.
  ▪ Women more likely than men
  ▪ Age 18-25 at highest risk
  ▪ Lower technical knowledge at higher risk
  ▪ Generally risk-averse people are at lower risk

Not orthogonal.


Page 38:

Mitigation

How can we mitigate phishing and other semantic attacks?

• Raise awareness?
• Education?
• Automatic detection?
• Better visualizations of danger?
• ???

Page 39:

Mitigation

• It’s a tough problem
  ▪ Only a small percentage (0.47%) of users need to be compromised for phishing to continue to be lucrative
  ▪ Don’t want to make users afraid to go to legitimate websites (the majority) in the process
• How do current mitigation strategies help?

Page 40:

Mitigation Strategies

Improve visual cues

Page 41:

Mitigation Strategies

• Improving visual cues
  ▪ Not as effective as it could be
  ▪ People don’t trust their web browsers (ahem…IE)
  ▪ Dhamija et al. study (Firefox):
    ▪ Many people do not look at browser-based cues
    ▪ 23% didn’t look at all
    ▪ Make incorrect choices about phishing 40% of the time
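An added example, not part of either presentation: Schneier's definition says semantic attacks target the way humans assign meaning to content, the joke link on the earlier slide shows a hostile destination hiding behind friendly text, and the Dhamija result says readers skip the browser cues that would reveal it. The script below does the check a reader skips, on the "automatic detection" side of the mitigation list: it parses the anchors in an HTML message and flags visible text that names one host while the href goes to another, links whose target is a bare IP address, and punycode hosts, which it renders as the lookalike name a browser would display. The message, example-bank.com, and the Cyrillic lookalike of a payment site are constructed for this example; the hostile hostname reuses the joke link from the slide.

```python
"""Detect link-level deception in an HTML message: anchors whose visible
text says one thing while the href takes the browser somewhere else."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Visible anchor text that a human reader will interpret as a URL or domain.
_LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.IGNORECASE
)


def _host_of(text):
    """Lowercase hostname of a URL-ish string, or None if unparseable."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    try:
        host = urlsplit(text).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def _decode_idna(host):
    """Render punycode labels (xn--...) as the Unicode a browser would show."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return one finding dict per suspicious anchor in the message."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = _host_of(href)
        if target is None:
            continue
        reasons = []
        # 1. The text names a host, but the link goes to a different site
        #    (subdomains of the shown host are accepted as the same site).
        if _LOOKS_LIKE_URL.match(text):
            shown = _host_of(text)
            if shown:
                shown_bare = _strip_www(shown)
                same_site = (_strip_www(target) == shown_bare
                             or target.endswith("." + shown_bare))
                if not same_site:
                    reasons.append(
                        "text says %r but link goes to %r" % (shown, target))
        # 2. A raw IP literal where a name would be expected.
        try:
            ipaddress.ip_address(target)
            reasons.append("link target is a bare IP address")
        except ValueError:
            pass
        # 3. Punycode host: surface what it actually renders as.
        if any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("punycode host renders as %r" % _decode_idna(target))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message (not from the slides): one honest link and three
# deceptive ones. The hostile hostname reuses the joke link from the slide;
# xn--pypal-4ve.com is "paypal.com" spelled with a Cyrillic a.
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>
<a href="http://lol-gonna-log-ur-keys.com/verify">https://www.example-bank.com/verify</a>
<a href="http://203.0.113.7/update">Update your details</a>
<a href="https://xn--pypal-4ve.com/secure">Secure login</a>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The first check is the one that matters most for the text-versus-target deception the slides describe; the IP-literal and punycode checks catch the two common ways a hostile host is made to look unremarkable when the reader does glance at the address. A mail gateway would run this over the HTML part of each message and either annotate the link for the reader or quarantine on a match.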

Page 42:

Mitigation Strategies

Education

Page 43:

Mitigation Strategies

• Education
  ▪ Effective…but awareness alone is not sufficient
  ▪ Need to offer a course of action
  ▪ Sheng et al. study:
    ▪ 40% improvement among participants
    ▪ Some forms of education inhibit clicking of legitimate links as well (users learn avoidance, not phishing awareness)

Page 44:

BUT…

Phishing scams are still increasing!

Page 45:

Phishing Growth

We have some effective strategies, but the problem is still open.

The phishing explosion can be attributed to:
• Users are still falling for it
• DIY phishing kits making it increasingly easier to make phishing scams

We can mitigate the first problem, but what about the second?

Page 46:

Summary

• Semantic attacks hack a user’s mind
• Phishing is one common semantic attack
  ▪ Deceives users to obtain their sensitive information
• Phishing is tough to mitigate because:
  ▪ It is lucrative
  ▪ Easy to do
• Education seems to be one great way to reduce the incidence of phishing.
• We also need to find ways to make creating phish less appealing or more difficult.

Page 47:

Questions?