dc.contributor.supervisor: Furnell, Steven
dc.contributor.author: Mahmoud Ahmmed Ahmmed, Najem
dc.contributor.other: School of Engineering, Computing and Mathematics [en_US]
dc.date.accessioned: 2019-05-21T13:01:48Z
dc.date.issued: 2019
dc.identifier: 10107992 [en_US]
dc.identifier.uri: http://hdl.handle.net/10026.1/14174
dc.description: The content of Chapter 4, including the experimental work and the results, has been published. Moreover, most parts of Chapter 5 and some content of Chapter 6 have also been published. It should be mentioned that there are some contents of the thesis which are not published yet and are intended to be published either within conferences or academic journals. [en_US]
dc.description.abstract:

Users are frequently cited as being the weakest link in the information security chain. However, in many cases they are ill-positioned to follow good practice and make the necessary decisions. Part of the reason is that even if security awareness, training and/or education have been provided, some of the key points may have been forgotten by the time that users find themselves facing security-related decisions. There are several scenarios in which users find themselves facing such decisions. However, in these situations, many do not have an adequate understanding of security and do not receive the appropriate advice to make the decisions required of them. One possible solution is to ensure that security guidance and feedback are available when necessary, and to provide effective information that can help the user make informed decisions at the right time to avoid security risks. Such targeted security awareness-raising has the potential to provide support to users at the point of need, in order to take the necessary security precautions and make informed decisions. To examine the approach of targeted security awareness-raising, an experimental study was conducted to test its effectiveness, and the results of that study are presented. This experiment was based around the scenario of connecting to Wi-Fi networks, and determining whether participants could make informed and correct decisions about which networks were safe to connect to. Four alternative interfaces were tested (ranging from a version that mimicked the standard Windows Wi-Fi network selection interface, through to versions with security ratings and additional guidance). The aim of the experiment was to determine the extent to which providing such information could affect user decisions when presented with a range of networks to connect to, and help to move them more effectively in the direction of security.
The findings revealed that users always tended to connect to known names first in the absence of security information and were very prone to connecting to names that look like a known name. In addition, claimed signal strength was also found to be a persuasive factor. Results also revealed that users can be influenced positively if suitably visible feedback and guidance are given for the task in hand. While users did not exhibit perfect behaviour in terms of selecting more secure networks in preference to less protected ones, there was a tangible improvement amongst the users that had been exposed to the selection interfaces offering and promoting more security-related information. In common with findings from other security contexts, these results suggest that users’ security behaviours can be positively influenced purely through the provision of additional information, enabling them to make better choices even if the system does not provide any further means of enforcement. This research has also led to a series of related design principles and guidelines identified from the experimental study. To study the effectiveness of the proposed design principles and guidelines, existing applications were examined in order to evaluate their consistency with these recommendations, identifying scope for improvement, which would in turn assist user awareness via a more targeted approach. This is illustrated through an example where the design principles and guidelines are applied to the appearance of email notifications that aim to assist users in spotting phishing threats. In addition to the aforementioned results of the experimental work, the findings demonstrate that the abstraction of design principles and guidelines allows the lessons to be transferred to other contexts. Furthermore, following and applying the guidelines enables subtle but relevant refinements to the user interface.
Considering the application of this security lesson more broadly, guidance and feedback/nudges should be provided by default in other security contexts.

[en_US]
dc.description.sponsorship: Ministry of Higher Education and Scientific Research - Libya. [en_US]
dc.language.iso: en
dc.publisher: University of Plymouth
dc.rights: Attribution-NonCommercial-NoDerivs 3.0 United States [*]
dc.rights.uri: http://creativecommons.org/licenses/by-nc-nd/3.0/us/ [*]
dc.subject: Targeted Security Awareness
dc.subject: Context Sensitive Security Awareness
dc.subject: Security Nudges
dc.subject: Design Principles and Guidelines
dc.subject: Information Security Awareness [en_US]
dc.subject.classification: PhD [en_US]
dc.title: An Evaluation of Targeted Security Awareness for End Users [en_US]
dc.type: Thesis
plymouth.version: publishable [en_US]
dc.identifier.doi: http://dx.doi.org/10.24382/865
dc.rights.embargodate: 2019-11-21T13:01:48Z
dc.rights.embargoperiod: 6 months [en_US]
dc.type.qualification: Doctorate [en_US]
rioxxterms.version: NA
plymouth.orcid.id: https://orcid.org/0000-0002-5723-0179 [en_US]


Except where otherwise noted, this item's license is described as Attribution-NonCommercial-NoDerivs 3.0 United States

All items in PEARL are protected by copyright law.
Author manuscripts deposited to comply with open access mandates are made available in accordance with publisher policies. Please cite only the published version using the details provided on the item record or document. In the absence of an open licence (e.g. Creative Commons), permissions for further reuse of content should be sought from the publisher or author.