Benjamin Reinheimer

User experiences of TORPEDO: TOoltip-poweRed Phishing Email DetectiOn

We propose a concept called TORPEDO to improve phish detection by providing just-in-time and just-in-place trustworthy tooltips. These help people to identify phish links embedded in emails. TORPEDOs tooltips contain the actual URL with the domain highlighted. Link activation is delayed for a short period, giving the person time to inspect the URL before they click on a link. Furthermore, TORPEDO provides an information diagram to explain phish detection. We evaluated TORPEDOs effectiveness, as compared to the worst case “status bar” as provided by other Web email interfaces. People using TORPEDO performed significantly better in detecting phishes and identifying legitimate emails (85.17% versus 43.31% correct answers for phish). We then carried out a field study with a number of TORPEDO users to explore actual user experiences of TORPEDO. We conclude the paper by reporting on the outcome of this field study and suggest improvements based on the feedback from the field study participants.

Teaching Phishing-Security: Which Way is Best?

Ever more processes of our daily lives are shifting into the digital realm. Consequently, users face a variety of IT-security threats with possibly severe ramifications. It has been shown that technical measures alone are insufficient to counter all threats. For instance, it takes technical measures on average 32 h before identifying and blocking phishing websites. Therefore, teaching users how to identify malicious websites is of utmost importance, if they are to be protected at all times. A number of ways to deliver the necessary knowledge to users exist. Among the most broadly used are instructor-based, computer-based and text-based training. We compare all three formats in the security context, or to be more precise in the context of anti-phishing training.

TORPEDO: TOoltip-poweRed Phishing Email DetectiOn

We propose a concept called TORPEDO to improve phish detection by providing just-in-time and just-in-place trustworthy tooltips to help people judge links embedded in emails. TORPEDO’s tooltips contain the actual URL with the domain highlighted and delay link activation for a short period, giving the person time to inspect the URL before they click. Furthermore, TORPEDO consists of an information diagram to explain phish detection. We evaluated TORPEDO in particular with respect to its effectiveness: Compared to the worst case ‘status bar’. as used in Thunderbird and Web email clients. TORPEDO performed significantly better in detecting phishes and identifying legitimate emails (85.17 % versus 43.31 % correct answers for phish). A proof of concept implementation is available as a Thunderbird Add-On.

Design and Field Evaluation of PassSec: Raising and Sustaining Web Surfer Risk Awareness

This paper presents PassSec, a Firefox Add-on that raises user awareness about safe and unsafe password entry while they surf the web. PassSec comprises a two-stage approach: highlighting as the web page loads, then bringing up a just-in-time helpful dialogue when the user demonstrates an intention to enter a password on an unsafe web page. PassSec was developed using a human-centred design approach. We performed a field study with 31 participants that showed that PassSec significantly reduces the number of logins on websites where password entry is unsafe.

Don’t Be Deceived: The Message Might Be Fake

In an increasingly digital world, fraudsters, too, exploit this new environment and distribute fraudulent messages that trick victims into taking particular actions. There is no substitute for making users aware of scammers’ favoured techniques and giving them the ability to detect fraudulent messages. We developed an awareness-raising programme, specifically focusing on the needs of small and medium-sized enterprises (SMEs). The programme was evaluated in the field. The participating employees demonstrated significantly improved skills in terms of ability to classify messages as fraudulent or genuine. Particularly with regard to one of the most widespread attack types, namely fraudulent messages with links that contain well-known domains as sub-domains of generic domains, recipients of the programme improved their recognition rates from \(56.6\%\) to \(88\%\). Thus, the developed security awareness-raising programme contributes to improving the security in SMEs.

Human Factors in Security

Das Kapitel gibt eine Einfuhrung in das Thema „Human Factors in Security“ mit Fokus auf den Endanwender. Dabei wird zunachst das Problem allgemein eingefuhrt und an den konkreten Beispielen „E-Mail-Verschlusselung“, „HTTPS-Verbindungen im Internet“ sowie „Passworter“ beschrieben und diskutiert. Anschliesend werden allgemeine Losungsansatze basierend auf „Human Centered Security by Design“ vorgestellt, sowie einige methodische Beispiele genannt. Besondere Herausforderungen im Vergleich zu „Human Centered Design“ werden vorgestellt und einige Beispiele aus der Praxis im Bereich „Human Centered Security by Design“ vorgestellt und diskutiert.

Effektiver Schutz vor betrügerischen Nachrichten

ZusammenfassungIn einer zunehmend digitalisierten Welt wird auch Betrug digital. Trotz einer Vielzahl technischer Hilfsmittel bleiben Fähigkeiten zur Erkennung betrügerischer E-Mail-Nachrichten von grundlegender Bedeutung für einen effektiven Schutz. Der vorliegende Beitrag stellt ein Schulungsprogramm zur Erkennung von betrügerischen E-Mails vor, dasin der Praxis wissenschaftlich evaluiert wurde. Speziell die Erkennungsraten von betrügerischen Nachrichten mit Links, die bekannte Domains im Bereich der Sub-Domains von generischen Domains beinhalten, konnten von 56,6% auf 88% gesteigert werden.

Sharing Information with Web Services – A Mental Model Approach in the Context of Optional Information

Web forms are a common way for web service providers to collect data from their users. Usually, the users are asked for a lot of information while some items are labeled as optional and others as mandatory. When filling in the web form, users have to decide, which data, often of personal and sensitive nature, they want to share. The factors that influence the decision whether or not to share some information has been studied in the literature in various contexts. However, it is unclear to which extent their results can be transferred to other contexts. In this work we conduct a qualitative user study to verify, whether the reasons for sharing optional information from previous studies [12] are relevant for the context of interacting with a commercial website. We found, that only a few of them were named by the participants of our study.