SLIDE 1 What Does the Brain Tell Us about Usable Security?
Anthony Vance, Brigham Young University
SLIDE 2 Given a choice between dancing pigs and security, users will pick dancing pigs every time.
—Felten and McGraw (1999)
SLIDE 3
“clicky lusers”
SLIDE 4
Neurosecurity
BYU LAB
SLIDE 5
SLIDE 6
- 1. Dual-task Interference
- 2. Habituation
- 3. Generalization
SLIDE 7
SLIDE 8
- 1. Dual-task Interference
SLIDE 9
SLIDE 10
SLIDE 11
SLIDE 12
How bad is this problem?
SLIDE 13
SLIDE 14 Baseline (resting)
SLIDE 15 Memory task Baseline (resting)
SLIDE 16
4382359
SLIDE 17
- 1. 4381358
- 2. 4382369
- 3. 4382359
- 4. 4383359
SLIDE 18 Security task Memory task Baseline (resting)
SLIDE 19
SLIDE 20
SLIDE 21 Security task Memory task High DTI Baseline (resting)
SLIDE 22
Memorize code Recall code 1. 2. 3.
SLIDE 24
High DTI vs. Warning Only
SLIDE 25 Security Task Performance
| Treatment | Warning Disregard |
|---|---|
| High-DTI | 22.9% |
| Warning-Only | 7.4% |
SLIDE 26
Memorize code Recall code 1. 2. 3.
SLIDE 27
Memorize code Recall code 1. 2. 3.
SLIDE 28 Security Task Performance
| Treatment | Warning Disregard |
|---|---|
| High-DTI | 22.9% |
| Low-DTI | 8.8% |
| Warning-Only | 7.4% |
SLIDE 29
chrome
SLIDE 30
SLIDE 31
SLIDE 32
SLIDE 33
SLIDE 34
Low-DTI times
SLIDE 35
After a video
SLIDE 36
On loading of a page
SLIDE 37
Waiting for web-based task to complete
SLIDE 38 Percentage of Disregard
| Ranking Code | Condition | Disregarded |
|---|---|---|
| Low-DTI Conditions | | |
| LowDTI-5 | Low-DTI: Waiting for page load | 22% |
| LowDTI-4 | Low-DTI: While processing | 24% |
| LowDTI-2 | Low-DTI: After video | 44% |
| LowDTI-1 | Low-DTI: On first page load | 45% |
| LowDTI-3 | Low-DTI: Switching domains | 46% |
| | Average | 36% |
| High-DTI Conditions | | |
| HighDTI-4 | High-DTI: On the way to close window | 74% |
| HighDTI-2 | High-DTI: While typing | 78% |
| HighDTI-1 | High-DTI: During video | 79% |
| HighDTI-3 | High-DTI: While transferring information | 87% |
| | Average | 80% |
SLIDE 39 Security Message Disregard
[Chart: disregard rate, 0% to 100%, for Low-DTI vs. High-DTI]
SLIDE 40
Take-aways
SLIDE 41
- 1. The brain isn’t good at handling interruptions.
SLIDE 42
- 2. Timing a security message to display at a low-DTI time results in marked improvement.
SLIDE 44
SLIDE 45
SLIDE 46
SLIDE 47
How bad is this problem?
SLIDE 48
SLIDE 49
SLIDE 50
SLIDE 51
SLIDE 52
Animations
SLIDE 53
SLIDE 54
SLIDE 55
SLIDE 56
SLIDE 57
SLIDE 58
SLIDE 59
SLIDE 60
SLIDE 61
SLIDE 62
Mobile field experiment
SLIDE 63
Adherence behavior
SLIDE 64
SLIDE 65
SLIDE 66
- Charge purchases to your credit card
- Delete your photos
- Record microphone audio any time
- Sell your web-browsing data
SLIDE 67
SLIDE 68
SLIDE 69 [Chart: warning adherence, 40% to 100%, over days 1 to 15]
SLIDE 70
Take-aways
SLIDE 71
- 1. The human brain is wired to tune out things it has seen before.
SLIDE 72
- 2. Updating the security UI can reduce habituation.
SLIDE 74
Generalization of habituation
SLIDE 75
SLIDE 76
SLIDE 77
How bad is this problem?
SLIDE 78
Take-aways
SLIDE 79
- 1. Frequent notifications likely contribute to habituation to rare security messages.
SLIDE 80
messages to be visually distinct
SLIDE 81
- 1. Dual-task Interference
- 2. Habituation
- 3. Generalization
SLIDE 82
SLIDE 83
SLIDE 84 Neurosecurity
BYU LAB
neurosecurity.byu.edu @neurosecurity