Trust - PowerPoint PPT Presentation
Amber McConahy

Presentation Transcript
Trust
  • Multifaceted and multidimensional
  • Marsh & Dibben (2003) definition and layers of trust
    • “Trust concerns a positive expectation regarding the behavior of somebody or something in a situation that entails risk to the trusting party”
      • Dispositional Trust – personality trait relating to trust
      • Learned Trust – tendency to trust based on experience
      • Situational Trust – trust adjusted based on situational cues
  • Key Questions
    • Reliable representation of trust in interactions and interfaces?
    • Transforming trust to security and vice versa?
    • Identification and mitigation of trust failings?
Trust in Digital Realm
  • Vital to security but poorly understood
  • Perfect information removes need for trust
  • Trust without risk is meaningless
  • Online users must develop knowledge to make trust decisions
    • Developers must provide trustable designs
  • Must trust both people and technology
  • Halo Effect
    • Judgment based on attractiveness
  • Trust is built slowly and destroyed quickly
Models of Trust
  • Mayer et al.
    • Ability to fulfill promises
    • Integrity relates to meeting expectations
    • Benevolence is acting in best interest of client
  • Egger’s MoTEC
    • Superficial trust based on interface
    • Reasoned trust based on content analysis
    • Relationship trust based on transactional history
Additional Trust Models
  • Lee, Kim, and Moon
    • Trust and transaction cost are opposing factors
  • Corritore et al.
    • Credibility, ease of use, and risk affect trust
  • McKnight et al.
    • Trusting beliefs, intentions, and behaviors
  • Riegelsberger et al.
    • Focuses on incentives rather than opinions and beliefs
Model Summary
  • Trust and risk are related
  • Trust relates to beliefs
  • Ease of use can affect trust
  • Trust likely develops in stages
  • External factors and context can be relevant
Trust Guidelines
  • Do
    • Ensure ease of use
    • Make design attractive
    • Convey real world
    • Include seals of approval
      • TRUSTe
    • Explain and justify content
    • Provide security and privacy statements
    • Provide background
    • Define roles
    • Personalize service
  • Don’t
    • Make spelling mistakes
    • Mix ads and content
    • Be inconsistent or unpredictable
    • Forget peer evaluations
      • References
      • User feedback
      • Links to other sites
    • Ignore alternatives
    • Poor response or communication
Reciprocity
  • Norm of Reciprocity (Gouldner 1960)
    • Information is likely to be provided in exchange for information or services
    • Leads to increased trust
    • Could increase vulnerability
  • Zhu et al.
    • Study of user behavior under reciprocity attacks
    • Use of InfoSource software with “Alice” guide
Results of Reciprocity Study
  • Experimental group disclosed more
  • Over 85% of users found “Alice” helpful
  • Perception of importance related to disclosure
  • Relevance of requested information matters
    • Income not provided due to perceived irrelevance
  • Beliefs and attitudes correlated with willingness to share information
  • Trust is related to willingness to share information
Users & Trust
  • Users often don’t comprehend what computer is asking
    • Presents dilemma rather than decision
  • Users seek alternative information resources
  • Trust is aggregation of clues and tradeoffs
  • Large scopes and less context impede consent
  • Users are reluctant to provide personal data
Behaviors & Trust
  • Claims often do not correspond to actions
  • Consequences are often not fully evaluated
  • Users don’t like making global decisions
  • Developers and users have different views
  • Users confuse terminology
    • Hacking vs. virus
    • Software bug vs. virus
Key Design Changes
  • Secure default chooses “Don’t Install”
  • Labels changed from “Yes” and “No” to “Install” and “Don’t Install”
  • Options provided
  • Simplified primary text
  • Evidence via certificates
  • Auxiliary text separated
  • “What’s the Risk?” link provided for more information
Redesign Features
  • Purposeful similarity to ActiveX to promote consistency
  • Secure default option “Cancel”
  • Label changed from “Open” to “Run”
  • Primary text simplified to single question
  • Options provided
  • Evidence of filename and source provided
  • Assistance text separated with “What’s the risk?” link
Conclusions
  • Trust decisions should be made in context
    • Narrow scope and avoid global setups
  • Make the most trusted option the default
  • Replace dilemmas with choices
    • Always provide trusted response option
    • Convey consequences to actions
  • Respect the user’s decision
    • Submit even when decision is not comprehended by computer

Similarities to models of trust?

Schneier’s Security Attacks
  • Physical Attacks
  • Syntactic Attacks
  • Semantic Attacks: “…attacks that target the way we, as humans, assign meaning to content. …Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet”

Example URL shown on the slide: http://lol-gonna-log-ur-keys.com


Semantic Attacks
  • Semantic Attacks…
    • violate trust
    • deceive
    • are a new form of “hacking”—Cognitive Hacking
Types of Semantic Attacks
  • “Pump-and-Dump” schemes
    • Buy penny stocks cheap
    • Artificially inflate price (spread misinformation)
    • Sell for profit, leaving others “holding-the-bag”

[Diagram: Pump, Inflate, Dump]

Types of Semantic Attacks
  • WTF Stuxnet?
  • Had elements of semantic attack:
    • Tricked technicians into believing centrifuges were operating fine

[Image caption: “Looks okay to me”]

Types of Semantic Attacks
  • And, of course: Phishing
What is Phishing?
  • Phishing is…:
    • deceiving users to obtain sensitive information
    • spoofing “trustworthy” communications
    • phreaking + fishing
    • a growing threat
Why Phish?
  • It is very lucrative.
    • $2.4 million to $9.4 million per year per million online banking customers
    • ~$2000 on each compromised bank account.
Why Phish?
  • It’s easy.
    • There are Do-it-Yourself Phishing Kits
    • AND, several easily accessible tutorials
Why Phish?
  • It’s hard to defend against.
    • “You and I can think about things. Symbols in our brains have meanings. The question is, can a [computer] think about things, or merely process digits that have no Aboutness—no meaning—no semantic content” – Neal Stephenson, Anathem
Why Phish?
  • Easy to distribute, and low success rate is okay.
    • 4700 per 1,000,000 banking credentials lost on average (0.47%)
    • BUT, bad guys still make plenty of money from that
Why Phish?
  • With Social Web, phishing is more effective.
    • Paper by Jagatic et al:
      • Mined relationships of students using publicly available information
      • Using this information, conducted a spear phishing attack
      • Found that using social info, people were 4.5x more likely to fall for phish (16% versus 72%).
Why do people fall for Phish?

It all goes back to trust.

  • People judge legitimacy by design
  • People do not trust web browser security
  • Awareness is not a strategy
  • Severity of the consequences does not seem to inform behavior
Who Falls for Phish?
  • Study by Sheng et al.
    • Women more likely than men
    • Age 18-25 at highest risk
    • Lower technical knowledge at higher risk
    • Generally risk averse people are at lower risk
  • Not orthogonal.
Mitigation
  • How can we mitigate phishing and other semantic attacks?
    • Raise Awareness?
    • Education?
    • Automatic Detection?
    • Better Visualizations of Danger?
    • ???
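The “Automatic Detection?” bullet is one of the open options on this slide. As an added example (not part of the deck, and not a tool the presenter describes), the Python below scores a URL against a handful of the surface-level signals a mail or proxy filter commonly checks: an IP literal in place of a domain, a `user@` prefix that hides the real host, a protected brand name appearing somewhere other than the registrable domain, punycode labels, digits glued into letters in the domain, deep subdomain nesting, and lure words in the host. The brand list, the toy suffix list, the weights, the threshold and the sample URLs are all constructed assumptions for illustration.

```python
"""Heuristic URL scorer for phishing triage (constructed example, not from the deck)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Brands worth protecting from impersonation. Hypothetical list: a real filter
# would load the organisation's own brand and partner names.
PROTECTED_BRANDS = ("examplebank", "paypal")

# Toy stand-in for the Public Suffix List, just enough to split a registrable
# domain off a host name. Assumption: real deployments use the full PSL.
KNOWN_SUFFIXES = ("co.uk", "com", "net", "org")

# Each heuristic's weight; tuned by hand here, not derived from any study.
WEIGHTS = {
    "ip_host": 3,               # raw IP instead of a domain name
    "has_userinfo": 3,          # "user@" before the real host (http://bank.com@evil.net)
    "brand_outside_domain": 3,  # brand name appears, but not as the registrable domain
    "punycode": 2,              # xn-- label, possible homograph lookalike
    "digit_leet": 2,            # digit glued to letters in the domain (paypa1)
    "many_subdomains": 1,       # deep label nesting hides the true domain
    "lure_words": 1,            # "login", "secure", "verify" ... in the host
}
SUSPICIOUS_AT = 3  # score at or above this is flagged for review


def registrable_domain(host: str) -> str:
    """Return 'examplebank.com' for 'www.examplebank.com' using KNOWN_SUFFIXES."""
    labels = host.lower().rstrip(".").split(".")
    # Try longer suffixes (co.uk) before shorter ones (com).
    for suffix in sorted(KNOWN_SUFFIXES, key=lambda s: -s.count(".")):
        n = suffix.count(".") + 1
        if labels[-n:] == suffix.split(".") and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def url_features(url: str) -> dict:
    """Compute boolean features for one URL; each key matches a WEIGHTS entry."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    lowered = url.lower()
    try:
        ipaddress.ip_address(host)
        ip_host = True
    except ValueError:
        ip_host = False
    return {
        "ip_host": ip_host,
        "has_userinfo": parts.username is not None,
        "brand_outside_domain": any(b in lowered and b not in reg for b in PROTECTED_BRANDS),
        "punycode": any(label.startswith("xn--") for label in host.split(".")),
        # digit immediately next to a letter in the first label of the registrable domain
        "digit_leet": re.search(r"(?<=[a-z])[0-9]|[0-9](?=[a-z])", reg.split(".")[0]) is not None,
        "many_subdomains": host.count(".") >= 4,
        "lure_words": re.search(r"login|secure|verify|update|account", host) is not None,
    }


def assess(url: str) -> tuple[int, list[str]]:
    """Return (score, names of triggered heuristics) for a URL."""
    feats = url_features(url)
    hits = [name for name, on in feats.items() if on]
    return sum(WEIGHTS[name] for name in hits), hits


def is_suspicious(url: str) -> bool:
    """True when the weighted score reaches SUSPICIOUS_AT."""
    return assess(url)[0] >= SUSPICIOUS_AT


if __name__ == "__main__":
    # Constructed sample URLs; the hosts are documentation/reserved names, not real sites.
    samples = [
        "https://www.examplebank.com/login",                 # legitimate-looking
        "http://192.0.2.10/examplebank/login.php",           # IP host + brand in path
        "https://examplebank.com.secure-login.net/verify",   # brand as subdomain
        "http://www.examplebank.com@evil.example.net/",      # userinfo trick
        "http://secure-paypa1-login.com/",                   # digit swap + lure words
    ]
    for u in samples:
        score, hits = assess(u)
        verdict = "SUSPICIOUS" if score >= SUSPICIOUS_AT else "ok"
        print(f"{score:2d} {verdict:10s} {u}  {hits}")
```

The scoring is deliberately a triage signal rather than a block decision: the deck's own caveat that mitigation must not scare users away from legitimate sites applies here, since a genuine host such as `secure.examplebank.com` will pick up a point for a lure word. In practice a score like this feeds a warning in the interface or a review queue, and the weights get tuned against the organisation's real traffic.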
Mitigation
  • It’s a tough problem
    • Only a small percentage (0.47%) of users need to be compromised for phishing to continue to be lucrative
    • Don’t want to make users afraid to go to legitimate websites (majority) in the process.
  • How do current mitigation strategies help?
Mitigation Strategies
  • Improving visual cues
    • Not as effective as it could be.
    • People don’t trust their web browsers (ahem…IE)
    • Dhamija et al. study (Firefox):
      • Many people do not look at browser-based cues
        • 23% didn’t look at all
      • Make incorrect choices about phishing 40% of the time
Mitigation Strategies
  • Education
    • Effective…but awareness alone not sufficient
    • Need to offer course of action
    • Sheng et al. study:
      • 40% improvement among participants
      • Some forms of education inhibit clicking of legitimate links as well (learn avoidance not phishing awareness)
BUT…
  • Phishing scams are still increasing!
Phishing Growth
  • We have some effective strategies, but the problem is still open.
  • The Phishing explosion can be attributed to:
    • Users are still falling for it
    • DIY Phishing Kits making it increasingly easier to make phishing scams
  • We can mitigate the first problem, but what about the second?
Summary
  • Semantic attacks hack a user’s mind
  • Phishing is one common semantic attack
    • Deceive users to obtain their sensitive information
  • Phishing is tough to mitigate because:
    • It is lucrative
    • Easy to do
  • Education seems to be one great way to reduce the incidence of phishing.
  • We also need to find ways to make creating phish less appealing or more difficult.