Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective


Bibliographic Details
Main Author: Chia, Pern Hui
Format: Doctoral Thesis
Language:English
Published: Norges teknisk-naturvitenskapelige universitet, Centre for Quantifiable Quality of Service in Communication Systems 2012
Subjects: Information Security; Security Economics; Usable Security
Online Access:http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-19751
http://nbn-resolving.de/urn:isbn:978-82-471-3969-1
id ndltd-UPSALLA1-oai-DiVA.org-ntnu-19751
record_format oai_dc
spelling ndltd-UPSALLA1-oai-DiVA.org-ntnu-19751 (datestamp 2013-01-08T13:10:07Z)
Place of publication: Trondheim : NTNU
Type: Doctoral thesis, comprehensive summary (info:eu-repo/semantics/doctoralThesis; text)
Series: Doktoravhandlinger ved NTNU, 1503-8181 ; 324
ISBN: 978-82-471-3969-1
File format: application/pdf
Access: info:eu-repo/semantics/openAccess
collection NDLTD
language English
format Doctoral Thesis
sources NDLTD
topic Information Security
Security Economics
Usable Security
spellingShingle Information Security
Security Economics
Usable Security
Chia, Pern Hui
Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective
description Various security measures are ineffective, having been designed without adequate usability and economic considerations. The primary objective of this thesis is to add an economic and socio-behavioral perspective to the traditional computer science research in information security. The resulting research is interdisciplinary, and the papers combine different approaches, ranging from analytic modeling to empirical measurements and user studies. Contributing to the fields of usable security and security economics, this thesis fulfills three motivations. First, it provides a realistic game theoretical model for analyzing the dynamics of attack and defense on the Web. Adapted from the classical Colonel Blotto games, our Colonel Blotto Phishing model captures the asymmetric conflict (resource, information, action) between a resource-constrained attacker and a defender. It also factors in the practical scenario where the attacker creates large numbers of phishing websites (endogenous dimensionality), while the defender reactively detects and strives to take them down promptly. Second, the thesis challenges the conventional view that users are always the weakest link or liability in security. It explores the feasibility of leveraging inputs from expert and ordinary users for improving information security. While several potential challenges are identified, we find that community inputs are more comprehensive and relevant than automated assessments. This does not imply that users should be made liable to protect themselves; it demonstrates the potential of community efforts in complementing conventional security measures. We further analyze the contribution characteristics of serious and casual security volunteers, and suggest ways for improvement. Third, following the rise of third-party applications (apps), the thesis explores the security and privacy risks and challenges with both centralized and decentralized app control models. Centralized app control can lead to the risk of central judgment and the risk of habituation, while the increasingly widespread decentralized user-consent permission model also suffers from the lack of effective risk signaling. We find a tendency for popular apps to request more permissions than average. Compounded with the absence of alternative risk signals, users will habitually click through the permission request dialogs. In addition, we find that free apps, apps with mature content, and apps with names mimicking popular ones request more permissions than typical. These indicate possible attempts to trick users into compromising their privacy.
author Chia, Pern Hui
author_facet Chia, Pern Hui
author_sort Chia, Pern Hui
title Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective
title_short Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective
title_full Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective
title_fullStr Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective
title_full_unstemmed Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective
title_sort information security on the web and app platforms : an economic and socio-behavioral perspective
publisher Norges teknisk-naturvitenskapelige universitet, Centre for Quantifiable Quality of Service in Communication Systems
publishDate 2012
url http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-19751
http://nbn-resolving.de/urn:isbn:978-82-471-3969-1
work_keys_str_mv AT chiapernhui informationsecurityonthewebandappplatformsaneconomicandsociobehavioralperspective
_version_ 1716510728436842496