Usable Privacy and Security: A Grand Challenge for HCI Jason Hong Carnegie Mellon University.


Everyday Security Problems Install this software?

Everyday Security Problems: Setting File Permissions
In 2003, one Senate Judiciary staffer found that files for that subcommittee were readable to all users, rather than just to Democrats or Republicans (see Reeder et al., CHI 2008).

Everyday Security Problems: Many Laptops with Sensitive Data Being Lost or Stolen

Costs of Unusable Privacy & Security Are High
– People not updating software with patches -> spyware, viruses, worms
– Too many passwords! -> easy to guess, and wasted time resetting them
– Hard to configure systems -> WiFi boxes returned, misconfigured firewalls
– Ubicomp sensing systems scare a lot of people -> less potential adoption

Usable Privacy and Security
“Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.”
– Grand Challenges in Information Security & Assurance, Computing Research Association (2003)
More research needed on how “cultural and social influences can affect how people use computers and electronic information in ways that increase the risk of cybersecurity breaches.”
– Grand Challenges for Engineering, National Academy of Engineering (2008)

Talk Outline
– Why Usable Privacy and Security
– Highlights: My Experiences with Anti-Phishing
– Open Challenges in Usable Privacy and Security
– A Lens for Critiquing HCI

Everyday Privacy and Security Problem

This entire process is known as phishing.

Phishing is a Plague on the Internet
Estimated ~$3b direct losses a year
– Does not include damage to reputation, lost sales, etc.
– Does not include response costs (call centers, recovery)
– Rapidly growing
Spear-phishing and whaling attacks escalating

Phishing Becoming Pervasive
Stealing corporate secrets
Damaging national security
Targeting:
– universities
– online social networking sites (Facebook, MySpace)
– social media (Twitter, World of Warcraft)

Project: Supporting Trust Decisions
Goal: help people make better online trust decisions
– Specifically in the context of anti-phishing
Large multi-disciplinary team project at CMU
– Economics, public policy, computer security, social and decision sciences, human-computer interaction, machine learning, e-commerce

Our Multi-Pronged Approach
Human side
– Interviews and surveys to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
Computer side
– PILFER anti-phishing filter
– CANTINA web anti-phishing algorithm
– Machine learning of blacklists
– Social web + machine learning to combat scams
Automate where possible, support where necessary

Impact of Our Work
– Game teaching people about phish played 100k times, featured in over 20 media articles
– Study on browser warnings -> Internet Explorer 8
– Our filter is labeling several million emails per day
– Our evaluation of anti-phishing toolbars cited by several companies, presented to the Anti-Phishing Working Group (APWG)
– PhishGuru embedded training has undergone field trials at three companies; a variant is in use by a large email provider, and it is used in APWG’s takedown page

Outline
Human side
– Interviews and surveys to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
How to train people not to fall for phish?

PhishGuru Embedded Training
A lot of training materials are boring and ignored
Can we “train” people during their normal use of email to avoid phishing attacks?
– Periodically, people get sent a training email by admins
– The training email looks the same as a phishing attack
– If the person falls for it, the intervention warns them and highlights what cues to look for, in a succinct and engaging format

Everyday Privacy and Security Problem

Learning Science Principles
– Learning by doing
– Immediate feedback
– Conceptual-procedural knowledge

Evaluation of PhishGuru
Is embedded training effective? Yes!
– Study 1: Lab study, 30 participants
– Study 2: Lab study, 42 participants
– Study 3: Field evaluation at a company, ~300 participants
– Study 4: Ongoing at CMU, ~500 participants
In the first study, examined what kind of intervention works best
– Comic strip telling a story most effective
Will highlight study #2 in the next slides
P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training System. CHI.
P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.

Study #2
Questions:
– Do people have to fall for phishing for the training to be effective?
– How well do people retain the knowledge?
Experimental protocol
– Role play as Bobby Smith at Cognix Inc., go through 16 emails to study how people read email
– Embedded condition means they have to fall for our email
– Non-embedded means we just send the comic strip
– Suspicion means they got a warning about phish from a friend
– Control means they got no warnings or training
– Also had people come back after 1 week

Results of Evaluation #2
Do people have to fall for phishing for the training to be effective? How well do people retain the knowledge after a week?

Discussion of PhishGuru
The act of falling for phish is a teachable moment
– Just sending the intervention is not effective
PhishGuru can teach people to identify phish better
– People retain the knowledge
– People aren’t resentful; many are happy to have learned
68 out of 85 surveyed said they recommend CMU continue doing this sort of training in the future
“I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how....”

APWG Landing Page
CMU helped the Anti-Phishing Working Group develop a landing page for phishing sites that have been taken down
– Already in use by several takedown companies
– Seen by 31,000 people in the past 4 months

Anti-Phishing Phil
A game to teach people not to fall for phish
– Embedded training was about email; this game is about the web browser
– Also based on learning science principles
Goals
– How to parse URLs
– Where to look for URLs
– Use search engines for help
Try the game!
– Search for “phishing game”
S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium on Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
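As an added illustration of what the first two goals above mean in practice (this is not code from the talk or from the Phil game), the Python checker below locates the host in a URL, reduces it to its registrable domain and lists the cues the game trains people to notice. The brand name, its domain and the sample URLs are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed mapping from a brand a user expects to see to the registrable
# domain that actually belongs to it (hypothetical brand, for this example).
KNOWN_BRANDS = {"examplebank": "examplebank.com"}


def registrable_domain(host: str) -> str:
    """Return the part of the host name that decides who owns the site.

    Simplification: the last two labels. A production checker would use a
    public-suffix list so that e.g. "bank.co.uk" is not reduced to "co.uk".
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_host(host: str) -> bool:
    """True when the host is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze_url(url: str) -> dict:
    """Find the host, reduce it to its registrable domain, and collect the
    cues the game teaches. Only the host decides who you are talking to;
    the path, the query string and any text before '@' do not."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    cues = []
    if parts.username is not None:
        # "examplebank.com@evil.example": the browser ignores everything
        # before '@', so that text is a decoy, not the destination.
        cues.append("text before '@' is not the host")
    if is_ip_host(host):
        domain = host
        cues.append("host is an IP address, not a domain name")
    else:
        domain = registrable_domain(host)
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in url.lower() and domain != real_domain:
            cues.append(f"'{brand}' appears in the URL but the domain is {domain}")
    return {"host": host, "domain": domain, "cues": cues,
            "suspicious": bool(cues)}


if __name__ == "__main__":
    # Constructed sample URLs using reserved documentation addresses.
    for sample in ["https://www.examplebank.com/login",
                   "http://examplebank.com.secure-login.example/",
                   "http://192.0.2.10/examplebank/login",
                   "http://examplebank.com@203.0.113.5/"]:
        result = analyze_url(sample)
        print(sample, "->", result["domain"], result["cues"])
```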

Anti-Phishing Phil

Evaluation of Anti-Phishing Phil
Is Phil effective?
– Study 1: 56 people in lab study
– Study 2: 4517 people in field trial
Brief results of Study 1
– Phil about as effective in helping people detect phishing web sites as paying people to read training material
– But Phil has significantly fewer false positives overall
– Suggests that existing training material makes people paranoid about phish rather than teaching them to differentiate

Evaluation of Anti-Phishing Phil
Study 2: 4517 participants in field trial
– Randomly selected from people
Conditions
– Control: Label 12 sites, then play game
– Game: Label 6 sites, play game, then label 6 more, then after 7 days label 6 more (18 total)
Participants
– 2021 people in game condition, 674 did the retention portion

Anti-Phishing Phil: Study 2
Novices showed the most improvement in false negatives (calling phish legitimate)

Anti-Phishing Phil: Study 2
Improvement all around for false positives

Outline
Human side
– Interviews to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
Do people see, understand, and believe web browser warnings?

Screenshots Internet Explorer – Passive Warning

Screenshots Internet Explorer – Active Block

Screenshots Mozilla Firefox – Active Block

How Effective are these Warnings?
Tested four conditions
– Firefox Active Block
– IE Active Block
– IE Passive Warning
– Control (no warnings or blocks)
“Shopping Study”
– Set up some fake phishing pages and added them to blacklists
– We phished users after purchases (2 phish/user)
– Real accounts and personal information
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.

How Effective are these Warnings?
Almost everyone clicked, even those with technical backgrounds

How Effective are these Warnings?

Discussion of Phish Warnings
Nearly everyone will fall for highly contextual phish
Passive IE warning failed for many reasons
– Didn’t interrupt the main task
– Slow to appear (up to 5 seconds)
– Not clear what the right action was
– Looked too much like other ignorable warnings (habituation)
– Bug in implementation: any keystroke dismisses it

Screenshots Internet Explorer – Passive Warning

Discussion of Phish Warnings
Active IE warnings
– Most saw it but did not believe it: “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad”
– Some element of habituation (looks like other warnings)
– Saw two pathological cases

Screenshots Internet Explorer – Active Block

Internet Explorer 8 Re-design

A Science of Warnings
– See the warning?
– Understand it?
– Believe it?
– Motivated?
– Can and will act?
Refining this model for computer warnings

Talk Outline
– Why Usable Privacy and Security
– Highlights: My Experiences with Anti-Phishing
– Open Challenges in Usable Privacy and Security
– A Lens for Critiquing HCI

Helping End-Users Cope
Personal info fragmented across devices and services
– Each with different UIs, notifications, policies
More and more information being collected
– Surveillance in workplace and public places, search engines, ubicomp sensors, etc.
Better division of labor for privacy and security?
– Think spam: ISP, local sysadmin, client, user
Lots of ideas in the literature, but when to use what?
– Rules, ambiguity, translucency, deniability, invisible, optimistic vs. pessimistic privacy and security
– Is there really such a thing as informed consent?

Understanding Attitudes and Behaviors
Science of warnings
Decision making / behavioral economics
– I just got a dancing bear in email? I really want to see it now!
– vs. an unknown probability in the future of an unknown level of harm
How (and why) attitudes and behaviors change over time regarding privacy
– Cameras and phones, RFIDs and sensors in future
– Food for thought: Facebook Newsfeed
  Same info as before but easier -> huge protest
  Facebook put in “privacy placebos”, waited a while
  Barely a peep about Newsfeed privacy today; probably increased utility and popularity of Facebook

Helping Organizations Cope
How to train organizations regarding security?
– Social engineering and insider threat, because there are no defenses today
Better tools for helping organizations maintain privacy of consumer data?
– Tools to help comply with privacy policies and laws
How to get people to share more personal info, but also feel safer about who it is shared with?
– Too much privacy can harm adoption of a system
– Caller ID example, People Finder example
– Privacy corollary to Grudin’s law: when those who share personal information do not benefit in proportion to the perceived risks, the technology is likely to fail

Toolbox Perspective: Design, Prototype, Evaluate
Design
– Better models of individuals and organizations
  Science of warnings (perception, attention, motivation)
– Better design patterns for usable privacy and security
Evaluate
– Better methods for realistic evaluations
  Conventional HCI does not assume an intelligent and active adversary
  Big Brother vs. Little Sister adversaries
– Discount usability as well
  Heuristic evaluation, cognitive walkthrough, etc.

Talk Outline
– Why Usable Privacy and Security
– Highlights: My Experiences with Anti-Phishing
– Open Challenges in Usable Privacy and Security
– A Lens for Critiquing HCI

Usable Privacy & Security is Good for HCI
Usable privacy and security can increase the perceived relevance of HCI
– Our usable privacy and security course has introduced many people to HCI who would not normally take such a course
– Also easy to argue that privacy and security are critical to companies and national security
– Possible strategy: more bridges to other national priorities
  Security, electrical grid, emergency response, health care, developing countries
  Things that we can pinpoint as costing $billions that have HCI failures

Thoughts from Working on a Startup
One of my motivations for the startup was that I felt too many CHI papers ended up only as CHI papers
– Not as much impact on products and practice as desired
– Even within the conventional wisdom of 15 years
– Compare #startups in HCI vs. DB / Systems / Networking
– Compare $$ going to HCI; HCI is underperforming

Thoughts from Working on a Startup

Business professor: feature, product, or business?
– Is it a big enough problem that people would pay money?
– Easier to get a small inoffensive paper in than a big paper
  Incentive is for researchers to aim for smaller papers
  A larger body of knowledge makes narrow papers easier
– Note: this doesn’t measure the quality of the science
Big ideas need love too!
– Put a cap on “interaction technique” papers
– Put a cap on “last 10%” papers
– Special sessions at conferences for big ideas
We need to encourage more things like SketchPad, Memex, Engelbart’s NLS, without sacrificing quality
– More alcohol + rump sessions on outrageous ideas at UIST and CSCW

Summary
Usable privacy and security is critical to continue getting the benefits of information and communication technology
Whirlwind tour of our work on anti-phishing
– Effective training mechanisms, warnings
Fertile research areas for HCI
– Helping end-users, attitudes and behaviors, helping organizations, toolbox
Improving the HCI community
– Bridges, tech adoption

Acknowledgments
Alessandro Acquisti, Lorrie Cranor, Sven Dietrich, Julie Downs, Mandy Holbrook, Norman Sadeh, Anthony Tomasic, Umut Topkara, Serge Egelman, Ian Fette, Ponnurangam Kumaraguru, Bryant Magnien, Elizabeth Nunge, Yong Rhee, Steve Sheng, Yue Zhang
Supported by NSF, ARO, CyLab, Portugal Telecom

HCI Folk and Security and Privacy Folk Have Much in Common
Both require a holistic view of the entire system
– Bad usability in one small part can ruin the interaction
– Bad security in one small part can compromise the entire system
Both lament being done at the end of the design process
– “Can’t just sprinkle security dust on a system”
Both lack widely accepted metrics
– Outside of encryption, security does not have good ways of demonstrating that something is secure

Everyday Security Problems

Anti-Phishing Phil: Study 1
No statistical difference in false negatives (calling phish legitimate) between the first three conditions

Anti-Phishing Phil: Study 1
Our game has significantly fewer false positives (labeling a legitimate site as phish)

Phishguru.org
Our site to teach the general public more about phishing