Information Security on the Web and App Platforms: An Economic and Socio-Behavioral Perspective
Various security measures are ineffective because they were designed without adequate usability and economic considerations. The primary objective of this thesis is to add an economic and socio-behavioral perspective to traditional computer science research in information security. The resulting research is interdisciplinary, and the papers combine different approaches, ranging from analytic modeling to empirical measurements and user studies. Contributing to the fields of usable security and security economics, this thesis fulfills three motivations. First, it provides a realistic game-theoretic model for analyzing the dynamics of attack and defense on the Web. Adapted from the classical Colonel Blotto games, our Colonel Blotto Phishing model captures the asymmetric conflict (resource, information, action) between a resource-constrained attacker and a defender. It also factors in the practical scenario where the attacker creates large numbers of phishing websites (endogenous dimensionality), while the defender reactively detects them and strives to take them down promptly. Second, the thesis challenges the conventional view that users are always the weakest link or a liability in security. It explores the feasibility of leveraging inputs from expert and ordinary users to improve information security. While several potential challenges are identified, we find that community inputs are more comprehensive and relevant than automated assessments. This does not imply that users should be made liable for protecting themselves; it demonstrates the potential of community efforts to complement conventional security measures. We further analyze the contribution characteristics of serious and casual security volunteers, and suggest ways for improvement. Third, following the rise of third-party applications (apps), the thesis explores the security and privacy risks and challenges of both centralized and decentralized app control models.
Centralized app control can lead to the risk of central judgment and the risk of habituation, while the increasingly widespread decentralized user-consent permission model also suffers from a lack of effective risk signaling. We find that popular apps tend to request more permissions than average. Combined with the absence of alternative risk signals, this leads users to habitually click through the permission request dialogs. In addition, we find that free apps, apps with mature content, and apps with names mimicking popular ones request more permissions than is typical. These findings indicate possible attempts to trick users into compromising their privacy.
Has parts
Chia, Pern Hui; Chuang, John. Colonel Blotto in the Phishing War. Decision and Game Theory for Security, 2011. 10.1007/978-3-642-25280-8_16.
Chia, Pern Hui; Knapskog, Svein. Re-evaluating the Wisdom of Crowds in Assessing Web Security. Financial Cryptography and Data Security, 2012. 10.1007/978-3-642-27576-0_25.
Chia, Pern Hui; Chuang, John. Community-based web security: complementary roles of the serious and casual contributors. Proceedings of the ACM 2012 conference on Computer Supported Cooperative Work, 2012. 10.1145/2145204.2145356.
Chia, Pern Hui. Analyzing the incentives in Community-based Security Systems. 2011. 10.1109/PERCOMW.2011.5766882.
Chia, Pern Hui; Heiner, Andreas; Asokan, N. Use of Ratings from Personalized Communities for Trustworthy Application Installation. Information Security Technology for Applications, 2012. 10.1007/978-3-642-27937-9_6.
Chia, Pern Hui; Yamamoto, Yusuke; Asokan, N. Is this app safe? A large scale study on application permissions and risk signals. Proceedings of the 21st international conference on World Wide Web, 2012. 10.1145/2187836.2187879.