DOI: 10.1145/1753326.1753382

Using reinforcement to strengthen users' secure behaviors

Published: 10 April 2010

Abstract

Users have a strong tendency toward dismissing security dialogs unthinkingly. Prior research has shown that users' responses to security dialogs become significantly more thoughtful when dialogs are polymorphic, and that further improvements can be obtained when dialogs are also audited and auditors penalize users who give unreasonable responses. We contribute an Operant Conditioning model that fits these observations, and, inspired by the model, propose Security Reinforcing Applications (SRAs). SRAs seek to reward users' secure behavior, instead of penalizing insecure behavior. User studies show that SRAs improve users' secure behaviors and that behaviors strengthened in this way do not extinguish after a period of several weeks in which users do not interact with SRAs. Moreover, inspired by Social Learning theory, we propose Vicarious Security Reinforcement (VSR). A user study shows that VSR accelerates SRA benefits.



Published In

CHI '10: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
April 2010
2690 pages
ISBN:9781605589299
DOI:10.1145/1753326

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. audited dialogs
  2. context-sensitive guidance
  3. observational learning
  4. operant conditioning
  5. polymorphic dialogs
  6. security-reinforcing application
  7. social learning theory
  8. vicarious learning
  9. vicarious security reinforcement

Qualifiers

  • Research-article

Conference

CHI '10

Acceptance Rates

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%


Cited By

  • (2024) Open Issues in Persuasive Technologies: Six HCI Challenges for the Design of Behavior Change Systems. Human-Computer Interaction. DOI: 10.1007/978-3-031-60428-7_8 (99-116). Online publication date: 1-Jun-2024
  • (2023) Exploring the Lived Experience of Behavior Change Technologies: Towards an Existential Model of Behavior Change for HCI. ACM Transactions on Computer-Human Interaction 30:6. DOI: 10.1145/3603497 (1-50). Online publication date: 25-Sep-2023
  • (2021) Towards the use of Participatory Methods in Cybersecurity research in rural Africa: A grassroots Approach. 2021 3rd International Multidisciplinary Information Technology and Engineering Conference (IMITEC). DOI: 10.1109/IMITEC52926.2021.9714649 (1-7). Online publication date: 23-Nov-2021
  • (2018) Digital Behaviour Change Interventions to Break and Form Habits. ACM Transactions on Computer-Human Interaction 25:3. DOI: 10.1145/3196830 (1-66). Online publication date: 12-Jun-2018
  • (2016) Now Check Your Input. Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems. DOI: 10.1145/2858036.2858067 (3311-3323). Online publication date: 7-May-2016
  • (2014) Towards a contingency approach with whitelist-and blacklist-based anti-phishing applications. Behaviour & Information Technology 33:11. DOI: 10.1080/0144929X.2013.875221 (1136-1147). Online publication date: 1-Nov-2014
  • (2012) CodeShield. Proceedings of the 28th Annual Computer Security Applications Conference. DOI: 10.1145/2420950.2420992 (279-288). Online publication date: 3-Dec-2012
  • (2012) A usability test of whitelist and blacklist-based anti-phishing application. Proceeding of the 16th International Academic MindTrek Conference. DOI: 10.1145/2393132.2393170 (195-202). Online publication date: 3-Oct-2012
  • (2012) Health service employees and information security policies: an uneasy partnership? Information Management & Computer Security 20:4. DOI: 10.1108/09685221211267666 (296-311). Online publication date: 5-Oct-2012
  • (2011) The security cost of cheap user interaction. Proceedings of the 2011 New Security Paradigms Workshop. DOI: 10.1145/2073276.2073284 (67-82). Online publication date: 12-Sep-2011
