Research article
DOI: 10.1145/2501604.2501614

Modifying smartphone user locking behavior

Published: 24 July 2013

Abstract

With an increasing number of organizations allowing personal smart phones onto their networks, considerable security risk is introduced. The security risk is exacerbated by the tremendous heterogeneity of the personal mobile devices and their respective installed pool of applications. Furthermore, by virtue of the devices not being owned by the organization, the ability to authoritatively enforce organizational security policies is challenging. As a result, a critical part of organizational security is the ability to drive user security behavior through either on-device mechanisms or security awareness programs. In this paper, we establish a baseline for user security behavior from a population of over one hundred fifty smart phone users. We then systematically evaluate the ability to drive behavioral change via messaging centered on morality, deterrence, and incentives. Our findings suggest that appeals to morality are most effective over time, whereas deterrence produces the most immediate reaction. Additionally, our findings show that while a significant portion of users are securing their devices without prior intervention, it is difficult to influence change in those who do not.


    Published In

    SOUPS '13: Proceedings of the Ninth Symposium on Usable Privacy and Security
    July 2013
    241 pages
    ISBN: 9781450323192
    DOI: 10.1145/2501604
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Sponsors

    • Carnegie Mellon University

    Publisher

    Association for Computing Machinery
    New York, NY, United States

    Author Tags

    1. awareness
    2. mobile devices
    3. passwords

    Qualifiers

    • Research-article

    Conference

    SOUPS '13
    Sponsor:
    • Carnegie Mellon University
    SOUPS '13: Symposium On Usable Privacy and Security
    July 24 - 26, 2013
    Newcastle, United Kingdom

    Acceptance Rates

    Overall Acceptance Rate 15 of 49 submissions, 31%

    Article Metrics

    • Downloads (Last 12 months): 50
    • Downloads (Last 6 weeks): 2
    Reflects downloads up to 30 Dec 2024

    Cited By

    • (2023) A Framework for Behavioral Biometric Authentication Using Deep Metric Learning on Mobile Devices. IEEE Transactions on Mobile Computing 22:1 (19-36). DOI: 10.1109/TMC.2021.3072608. Online publication date: 1-Jan-2023
    • (2022) On recruiting and retaining users for security-sensitive longitudinal measurement panels. Proceedings of the Eighteenth USENIX Conference on Usable Privacy and Security (347-366). DOI: 10.5555/3563609.3563628. Online publication date: 8-Aug-2022
    • (2022) A Quantitative Field Study of a Persuasive Security Technology in the Wild. Social Informatics (211-232). DOI: 10.1007/978-3-031-19097-1_13. Online publication date: 12-Oct-2022
    • (2022) Smartphones in Personal Informatics: A Framework for Self-Tracking Research with Mobile Sensing. Digital Phenotyping and Mobile Sensing (77-104). DOI: 10.1007/978-3-030-98546-2_6. Online publication date: 23-Jul-2022
    • (2021) Comparing the Effectiveness of Text-based and Video-based Delivery in Motivating Users to Adopt a Password Manager. Proceedings of the 2021 European Symposium on Usable Security (89-104). DOI: 10.1145/3481357.3481519. Online publication date: 11-Oct-2021
    • (2020) EchoLock: Towards Low-effort Mobile User Identification Leveraging Structure-borne Echos. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (772-783). DOI: 10.1145/3320269.3384741. Online publication date: 5-Oct-2020
    • (2020) Evaluating the Information Security Awareness of Smartphone Users. Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (1-13). DOI: 10.1145/3313831.3376385. Online publication date: 21-Apr-2020
    • (2019) Hide my Gaze with EOG! Proceedings of the 17th International Conference on Advances in Mobile Computing & Multimedia (107-116). DOI: 10.1145/3365921.3365922. Online publication date: 2-Dec-2019
    • (2019) Emerging NUI-Based Methods for User Authentication: A New Taxonomy and Survey. IEEE Transactions on Biometrics, Behavior, and Identity Science 1:1 (5-31). DOI: 10.1109/TBIOM.2019.2893297. Online publication date: Jan-2019
    • (2019) Smartphones in Personal Informatics: A Framework for Self-Tracking Research with Mobile Sensing. Digital Phenotyping and Mobile Sensing (65-92). DOI: 10.1007/978-3-030-31620-4_5. Online publication date: 1-Nov-2019
