Program

Thursday, May 26, 2016

08:45

Opening Remarks

08:50–09:35

Panel Discussion

Challenges and Pitfalls in the Design and Execution of Human-Technology Based Experiments

09:35–10:20

Paper Presentation 1

Kharon Dataset: Android Malware under a Microscope

Nicolas Kiss, Université de Rennes 1; Jean-Francois Lalande, University of Orléans; Mourad Leslous and Valérie Viet Triem Tong, Université de Rennes 1

Background—This study is related to the understanding of Android malware that now populate smartphone markets.

Aim—Our main objective is to help other malware researchers to better understand how malware works. Additionally, we aim at supporting the reproducibility of experiments analyzing malware samples: such a collection should improve the comparison of new detection or analysis methods.

Methodology—In order to achieve these goals, we describe here an Android malware collection called Kharon. This collection gives as much as possible a representation of the diversity of malware types. With such a dataset, we manually dissected each malware by reversing its code. We ran them on a controlled and monitored real smartphone in order to extract their precise behavior. We also summarized their behavior using graph representations of the information flows induced by an execution. With such a process, we obtained a precise knowledge of their malicious code and actions.

Results and conclusions—Researchers can figure out the engineering efforts of malware developers and understand their programming patterns. Another important result of this study is that most malware now include triggering techniques that delay and hide their malicious activities. We also think that this collection can initiate a reference test set for future research work.

10:20–10:50

Break

10:50–11:35

Paper Presentation 2

The Effect of Repeated Login Prompts on Phishing Susceptibility

Peter Snyder, University of Illinois at Chicago; Michael K. Reiter, University of North Carolina at Chapel Hill; Chris Kanich, University of Illinois at Chicago

Background. Understanding the human aspects of phishing susceptibility is an important component in building effective defenses. People type passwords so often that it is possible that this act makes each individual password less safe from phishing attacks.

Aim. This study investigated whether the act of re-authenticating to password-based login forms causes users to become less vigilant toward impostor sites, thus making them more susceptible to phishing attacks. Our goal was to determine whether users who type their passwords more often are more susceptible to phishing than users who type their passwords less often. If so, this result could lead to theoretically well-grounded best practices regarding login-session length limits and re-authentication practices.

Method. We built a custom browser extension which logs password entry events and has the capability of shortening session times for a treatment group of users. We recruited subjects from our local campus population, and had them run the extension for two months. After this time, we conducted a synthetic phishing attack on all research subjects, followed by a debriefing. Our research protocol was approved by the University’s IRB.

Results. We failed to reject the null hypothesis. We found that login frequency has no noticeable effect on phishing susceptibility. Our high phishing success rate of 39.3% was likely a leading factor in this result.

Conclusions. This study confirmed prior research showing exceedingly high phishing success rates. We also observed that recruiting only in-person and campus-affiliated users greatly reduced our subject pool, and that the extension-based investigation method, while promising, faces significant challenges itself due to deployed extension-based malware defenses.

11:35–12:20

Paper Presentation 3

Towards Robust Experimental Design for User Studies in Security and Privacy

Kat Krol, Jonathan M. Spring, Simon Parkin and M. Angela Sasse, University College London

Background: Human beings are an integral part of computer security, whether we actively participate or simply build the systems. Despite this importance, understanding users and their interaction with security is a blind spot for most security practitioners and designers.

Aim: Define principles for conducting experiments into usable security and privacy, to improve study robustness and usefulness.

Data: The authors’ experiences conducting several research projects complemented with a literature survey.

Method: We extract principles based on relevance to the advancement of the state of the art. We then justify our choices by providing published experiments as cases of where the principles are and are not followed in practice to demonstrate the impact. Each principle is a discipline-specific instantiation of desirable experiment-design elements as previously established in the domain of philosophy of science.

Results: Five high-priority principles – (i) give participants a primary task; (ii) incorporate realistic risk; (iii) avoid priming the participants; (iv) perform double-blind experiments whenever possible and (v) think carefully about how meaning is assigned to the terms threat model, security, privacy, and usability.

Conclusion: The principles do not replace researcher acumen or experience; however, they can provide a valuable service for facilitating evaluation, guiding younger researchers and students, and marking a baseline common language for discussing further improvements.

12:20–13:30

Lunch

13:30–14:30

Keynote Address

Understanding the Cognitive Science of Cyber Security

Speaker: Nancy Cooke, Arizona State University

14:30–15:15

Paper Presentation 4

Results and Lessons Learned from a User Study of Display Effectiveness with Experienced Cyber Security Network Analysts

Christopher J. Garneau, Robert F. Erbacher, Renée E. Etoty, and Steve E. Hutchinson, U.S. Army Research Laboratory

Background. Visualization tools have been developed for various network analysis tasks for Computer Network Defense (CND) analysts, yet there are few empirical studies in the domain of cyber security that validate the efficacy of various graphical constructions with respect to enhancing analysts’ situation awareness.

Aim. The aim of this study is to empirically evaluate the utility of graphical tools for enhancing analysts’ situation awareness of network alert data compared with traditional tabular/textual tools. This paper focuses on results of the study and lessons learned for future similar studies.

Method. A tabular display was presented along with two alternative graphical displays in a web-based environment to 24 experienced network analysts. Participants were asked to use the displays sequentially to identify intrusion attempts as quickly and accurately as possible. Data were fabricated by an experienced analyst and do not rely on alert data from a real network.

Results. Analysts performed well on the tabular (baseline) display and also preferred this display to others. However, they were slightly faster and similarly accurate using one of the graphical alternatives (node-link). Subjective feedback shows that many analysts are receptive to new tools while some are skeptical.

Conclusions. Graphical analysis tools have the capability of enhancing situation awareness by preprocessing and graphically arranging data for analysis. Real-world analysts bring a wealth of experience and insight to this sort of research, and the large number of expert responses included in this study is unique. Tempering analyst expectations for the study by clearly explaining the study environment and tasks to be completed would likely lead to more accurate results.

15:15–15:45

Break

15:45–16:30

Paper Presentation 5

Combining Qualitative Coding and Sentiment Analysis: Deconstructing Perceptions of Usable Security in Organisations

Ingolf Becker, Simon Parkin, and M. Angela Sasse, University College London

Background: A person’s security behavior is driven by underlying mental constructs, perceptions and beliefs. Examination of security behavior is often based on dialogue with users of security, which is analysed in textual form by qualitative research methods such as Qualitative Coding (QC). Yet QC has drawbacks: security issues are often time-sensitive, but QC is extremely time-consuming. QC is often carried out by a single researcher, raising questions about the validity and repeatability of the results. Previous research has identified frequent tensions between security and other tasks, which can evoke emotional responses. Sentiment Analysis (SA) is simpler to execute and has been shown to deliver accurate and repeatable results.

Aim: By combining QC with SA we aim to focus the analysis on areas of strongly represented sentiment. Additionally, we can analyse the variations in sentiment across populations for each of the QC codes, allowing us to identify beneficial and harmful security practices.

Method: We code QC-annotated transcripts independently for sentiment. The distribution of sentiment for each QC code is statistically tested against the distribution of sentiment of all other QC codes. Similarly we also test the sentiment of each QC code across population subsets. We compare our findings with the results from the original QC analysis. Here we analyse 21 QC-treated interviews with 9 security specialists, 9 developers and 3 usability experts, at 3 large organisations claiming to develop ‘usable security products’. This combines 4983 manually annotated instances of sentiment with 3737 quotations over 76 QC codes.

Results: The methodology identified 83 statistically significant variations (with p < 0.05). The original qualitative analysis implied that organisations considered usability only when not doing so impacted revenue; our approach finds that developers appreciate usability tools to aid the development process, but that conflicts arise due to the disconnect of customers and developers. We find organisational cultures which put security first, creating an artificial trade-off for developers between security and usability.

Conclusions: Our methodology confirmed many of the QC findings, but gave more nuanced insights. The analysis across different organisations and employees confirmed the repeatability of our approach, and provided evidence of variations that were lost in the QC findings alone. The methodology adds objectivity to QC in the form of reliable SA, but does not remove the need for interpretation. Instead it shifts it from large QC data to condensed statistical tables which make it more accessible to a wider audience not necessarily versed in QC and SA.

16:30–17:15

Paper Presentation 6

Effect of Cognitive Depletion on Password Choice

Thomas Groß, Kovila Coopamootoo, and Amina Al-Jabri, Newcastle University

Background. The Limited Strength model [3] of cognitive psychology predicts that human capacity to exert cognitive effort is limited and that decision making is impeded once high depletion is reached.

Aim. We investigate how password choice differs between depleted and undepleted users.

Method. Two groups of 50 subjects each were asked to generate a password. One group was cognitively depleted, the other was not. Password strength was measured and compared across groups.

Results. Using a stepwise linear regression we found that password strength is predicted by depletion level, personality traits and mood, with an overall adjusted R² = .206. The depletion level was the strongest predictor of password strength (predictor importance 0.371 and p = .001). Participants with slight effortful exertion created significantly better passwords than the undepleted control group. Participants with high depletion created worse passwords than the control group.

Conclusions. That strong depletion diminishes the capacity to choose strong passwords indicates that cognitive effort is necessary for the creation of strong passwords. It is surprising that slight exertion of cognitive effort prior to the password creation leads to stronger passwords. Our findings open up new avenues for usable security research through deliberately eliciting cognitive effort and replenishing after depletion and indicate the potential of investigating personality traits and current mood.

17:15–17:30

Closing Discussion

17:30

Adjourn