NSFSaTC-BSF: TWC: Small: Using Individual Differences to Personalize Security Mitigations

NSFSaTC-BSF：TWC：小：利用个体差异来个性化安全缓解措施

• 批准号: 1528070
• 负责人: Serge Egelman
• 金额: $ 49.97万
• 依托单位: International Computer Science Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-09-01 至 2019-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1528070&HistoricalAwards=false
• 关键词: NSFSaTC; BSF; TWC; Small; Using

Over the past decade, people have realized that failure to account for human factors has resulted in many software security problems. Yet, when software does feature user-centric design, it takes into account average user behavior rather than catering to the individual. Thus, systems designers have gone from designing for security experts to now appealing to the least common denominator. The goal of this project is to examine the ways in which security mitigations can be tailored to individuals, and how this is likely to result in even greater security compliance than what has been previously achieved through user-centric design. Specifically, this research focuses on demonstrating how security mitigations can be tailored to individuals through indirect measurements and inferences of individual differences. This research could help security and privacy engineers develop more personalized and salient means to alert users to security and privacy risks, which could increase users' compliance with security messaging and therefore reduce threats to users and their organizations.The challenge to personalizing security mitigations is to infer the individual differences between users that are predictive of whether they are likely to respond more favorably to one mitigation design over another. This approach relies on using well-studied individual differences in the psychology and decision-making literature that are predictive of compliance to computer security mitigations. Building on extensive work on choice architecture and "nudges," this research aims to personalize security mitigations to specific user traits in order to be able to dynamically present each user with the security "nudge" that would be most effective for her. For example, if the target user measures high on decision-making "dependence" (i.e., looking to others for advice), the system might state the number of experts who selected the recommended option. Specifically, the researchers focus on framing the following types of security mitigations based on users' psychometric traits: smartphone/tablet lock screen enrollment, password creation instructions, web browser warnings, and software update notices. Their goal is to implement systems that infer the ways in which users are likely to respond to particular security mitigation designs and then tailor security environments accordingly.

在过去的十年中，人们意识到未能考虑人为因素，导致了许多软件安全问题。但是，当软件确实具有以用户为中心的设计时，它会考虑到平均用户行为而不是迎合个人的行为。因此，系统设计师已经从为安全专家设计到现在吸引最不常见的分母。该项目的目的是检查对个人量身定制安全性缓解的方式，以及与以用户为中心的设计相比，这可能会导致更大的安全合规性。具体而言，这项研究重点是证明如何通过间接测量和推断个体差异来为个人量身定制安全性缓解。这项研究可以帮助安全和隐私工程师开发更个性化和显着的手段，以提醒用户了解安全性和隐私风险，从而增加用户对安全消息的依从性，从而减少对用户及其组织的威胁。对安全性缓解的挑战是，个性化安全性的挑战是推断用户之间的个体差异，这些用户可以预测他们是否对某人对某人的响应更为良好地响应了一种对某人的响应。这种方法依赖于在心理学和决策文献中使用良好的个体差异，这些文献可预测遵守计算机安全性缓解。这项研究旨在在选择体系结构和“轻推”上进行广泛的工作，旨在个性化对特定用户特征的安全性缓解，以便能够动态地向每个用户展示对她最有效的安全性“ Nudge”。例如，如果目标用户在决策“依赖性”（即寻求其他建议）方面的测量很高，则系统可能会说明选择了推荐选项的专家数量。具体来说，研究人员专注于基于用户心理测量特征来构建以下类型的安全性缓解类型：智能手机/平板电脑锁定屏幕注册，密码创建指令，Web浏览器警告和软件更新通知。他们的目标是实施系统，以推断用户可能对特定安全缓解设计的响应方式，然后相应地量身定制安全环境。