GGrantIndex
← Search

NSFSaTC-BSF: TWC: Small: Using Individual Differences to Personalize Security Mitigations

$515,732FY2015CSENSF

International Computer Science Institute, Berkeley CA

Investigators

Abstract

Over the past decade, people have realized that failure to account for human factors has resulted in many software security problems. Yet, when software does feature user-centric design, it takes into account average user behavior rather than catering to the individual. Thus, systems designers have gone from designing for security experts to now appealing to the least common denominator. The goal of this project is to examine the ways in which security mitigations can be tailored to individuals, and how this is likely to result in even greater security compliance than what has been previously achieved through user-centric design. Specifically, this research focuses on demonstrating how security mitigations can be tailored to individuals through indirect measurements and inferences of individual differences. This research could help security and privacy engineers develop more personalized and salient means to alert users to security and privacy risks, which could increase users' compliance with security messaging and therefore reduce threats to users and their organizations. The challenge to personalizing security mitigations is to infer the individual differences between users that are predictive of whether they are likely to respond more favorably to one mitigation design over another. This approach relies on using well-studied individual differences in the psychology and decision-making literature that are predictive of compliance to computer security mitigations. Building on extensive work on choice architecture and "nudges," this research aims to personalize security mitigations to specific user traits in order to be able to dynamically present each user with the security "nudge" that would be most effective for her. For example, if the target user measures high on decision-making "dependence" (i.e., looking to others for advice), the system might state the number of experts who selected the recommended option. Specifically, the researchers focus on framing the following types of security mitigations based on users' psychometric traits: smartphone/tablet lock screen enrollment, password creation instructions, web browser warnings, and software update notices. Their goal is to implement systems that infer the ways in which users are likely to respond to particular security mitigation designs and then tailor security environments accordingly.

View original record on NSF Award Search →