When Internet users are asked to make "trust" decisions, they often
decide wrongly. Implicit trust decisions include whether to open an
email attachment or to supply information in response to an email that
claims to come from a trusted entity. Explicit trust decisions are made
in response to specific trust- or security-related prompts, such as
dialog boxes that ask the user whether to trust an expired certificate,
run downloaded software, or allow macros to execute. Attackers exploit
most users' poor trust decision-making through a class of attacks known
as "semantic attacks," which target the human user's interpretation
rather than a flaw in the software. Systems cannot always make accurate
trust decisions on a user's behalf, especially when those decisions
depend on contextual information that only the user has. The goal of
this research is therefore not to make trust decisions for users, but
to develop approaches that support users when they make trust
decisions. Our research will begin with a mental models study aimed at
understanding and modeling how people make trust decisions in the
online context, and will ultimately result in the development and
evaluation of new software. (See also the CyLab announcement about this
project and the Supporting trust decisions project page.)
[L. Cranor, A. Acquisti, S. Dietrich, J. Downs,
J. Hong, N. Sadeh, M. Holbrook,
S. Egelman, I. Fette, S. Sheng, P. Kumaraguru]
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In CHI 2008: Conference on Human Factors in Computing Systems.
J. Downs, M. Holbrook, and L. Cranor. Behavioral Response to Phishing Risk. In Proceedings of the 2nd Annual eCrime Researchers Summit, Pittsburgh, PA, October 4-5, 2007, pp. 37-44.
P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. Cranor, and J. Hong. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. In Proceedings of the 2nd Annual eCrime Researchers Summit, Pittsburgh, PA, October 4-5, 2007, pp. 70-81.
S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMU-CyLab-07-003, 2007.
P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. In CHI 2007: Conference on Human Factors in Computing Systems, San Jose, CA, April 28 - May 3, 2007, pp. 905-914. [Originally published as CyLab Technical Report CMU-CyLab-06-017, 2006.]
J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 12-14, 2006.
I. Fette, N. Sadeh, and A. Tomasic. Learning to Detect Phishing Emails. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007. [Earlier version available as ISRI Technical Report CMU-ISRI-06-112, 2006.]
Y. Zhang, J. Hong, and L. Cranor. CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.
Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish: Evaluating Anti-Phishing Tools. In Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS 2007), San Diego, CA, February 28 - March 2, 2007.