权益分类	功能权益	普通用户	{{item.name}}会员
{{category.name}}	{{benefitItem.name}}

SaTC: CORE: Small: Using Stories to Improve Computer Security Decision Making

SaTC：核心：小：使用故事改进计算机安全决策

基本信息

批准号：
1714126
负责人：
Richard Wash
金额：
$ 51.6万
依托单位：
Michigan State University
依托单位国家：
美国
项目类别：
Standard Grant
财政年份：
2017
资助国家：
美国
起止时间：
2017-08-15 至 2021-07-31
项目状态：
已结题

来源：
https://www.nsf.gov/awardsearch/showAward?AWD_ID=1714126&HistoricalAwards=false
关键词：
SaTC CORE Small Using Stories

项目摘要

People regularly need to make security and privacy decisions; however, they often don't realize they are making these decisions, and when they do, they often lack the experience and ability to make good choices. Based on studies of how people make decisions "in the wild", this project looks to improve people's security education, training, and awareness (SETA) by (1) using short stories about regular users' security behaviors, rather than expert advice, facts, and warnings, to raise awareness of and suggest responses to security risks, and (2) deliver those stories at exactly the times people might need them, rather than as a separate training program divorced from people's regular use and needs around security. Through a series of interviews the project team will learn more about how experts versus non-experts make security-related decisions in the moment. Using these insights and theories of decision-making, the team will develop and test a set of story-based training materials for common security decisions including selecting passwords, ignoring phishing emails that lure people to download malware or give personal information to fake websites, and avoiding sites that present invalid security credentials. These experiments will increase knowledge of how people make security decisions and how to design materials to support SETA, as well as directly improving security at the lead researcher's institution through live testing with students and staff. The PI will also involve both undergraduate students and people from underrepresented groups in the research and publicly release the materials the team develops. The project seeks to test the hypothesis that telling end users stories about security incidents can better train them to resist semantic attacks than traditional facts-and-advice training. The researchers will first develop a detailed understanding of how people make everyday in-the-moment security decisions, using Critical Decision Method and Experience Sampling Method-based approaches that focus on specific past attacks. The team will interview both experts and non-experts to learn what features they use to recognize attacks and how they identify actions to take; comparing expert to non-expert behavior will help identify vulnerabilities and inform both effective training goals and materials. These insights will be used in developing a set of story-based training materials that emphasize important constructs suggested by the theory of Naturalistic Decision Making including incident typicality, social norms around responses, causality (linking responses to outcomes), and empowerment and efficacy in security decision-making. Through a series of field experiments in collaboration with security mangers at the lead researcher's institution, the team will iteratively improve the training materials while developing theoretical knowledge of how stories about security incidents can support security decision-making in naturalistic settings.

人们经常需要做出安全和隐私的决定；然而，他们往往没有意识到自己正在做出这些决定，而且当他们这样做的时候，他们往往缺乏做出良好选择的经验和能力。基于对人们如何在野外做出决策的研究，该项目希望通过以下方式提高人们的安全教育、培训和意识(SETA)：(1)使用关于常规用户安全行为的短篇故事，而不是专家建议、事实和警告，以提高人们对安全风险的认识和建议；(2)在人们可能需要的时间提供这些故事，而不是作为一个独立的培训计划，脱离人们的日常使用和安全方面的需求。通过一系列访谈，项目团队将更多地了解专家和非专家目前如何做出与安全相关的决策。利用这些洞察力和决策理论，该团队将开发和测试一套基于故事的培训材料，用于常见的安全决策，包括选择密码，忽略引诱人们下载恶意软件或向虚假网站提供个人信息的钓鱼电子邮件，以及避免提供无效安全凭据的网站。这些实验将增加人们如何做出安全决策以及如何设计材料来支持SETA的知识，并通过与学生和工作人员的现场测试直接改善首席研究员所在机构的安全性。PI还将让本科生和来自代表性不足群体的人参与研究，并公开发布团队开发的材料。该项目旨在测试这样一种假设，即向最终用户讲述安全事件的故事可以比传统的事实和建议培训更好地训练他们抵御语义攻击。研究人员将首先详细了解人们是如何使用关键决策法和基于经验抽样方法的方法做出日常即时安全决策的，这些方法侧重于过去的特定攻击。该团队将采访专家和非专家，以了解他们使用哪些功能来识别攻击以及如何确定要采取的操作；将专家行为与非专家行为进行比较将有助于识别漏洞，并为有效的培训目标和材料提供信息。这些见解将被用于开发一套以故事为基础的培训材料，强调自然主义决策理论提出的重要结构，包括事件典型性、围绕反应的社会规范、因果关系(将反应与结果联系起来)以及安全决策中的赋权和有效性。通过与首席研究员所在机构的安全经理合作进行的一系列现场实验，该团队将反复改进培训材料，同时开发有关安全事件的故事如何支持自然环境中的安全决策的理论知识。