Link to the University of Pittsburgh Homepage
Link to the University Library System Homepage Link to the Contact Us Form


Villamarin Salomon, Ricardo Mark (2010) IMPROVING COMPUTER-SYSTEM SECURITY WITH POLYMORPHIC WARNING DIALOGS AND SECURITY-CONDITIONING APPLICATIONS. Doctoral Dissertation, University of Pittsburgh. (Unpublished)

PDF (Improving Computer-System Security with Polymorphic Warning Dialogs and Security-Conditioning Applications)
Primary Text

Download (6MB) | Preview
[img] Video (MP4) (Email Security - VicariousSecurityReinforcement)
Supplemental Material

Download (56MB)
[img] Video (MP4) (Rules for Handling Email Securely_Explanation)
Supplemental Material

Download (583kB)
[img] Video (MP4) (Email Security_VicariousInsecurityPunishment)
Supplemental Material

Download (44MB)
[img] Video (MP4) (Rules for Handling Email Securely_Explanation)
Supplemental Material

Download (790kB)
[img] Video (WMV) (CSG Explanation)
Supplemental Material

Download (3MB)
[img] Video (WMV) (CSG-PAD Explanation)
Supplemental Material

Download (4MB)
[img] Video (WMV) (Vicarious Insecurity-Punishment Video)
Supplemental Material

Download (175MB)
[img] Video (WMV) (Vicarious Security-Punishment Video)
Supplemental Material

Download (239MB)


Many computer security decisions depend on contextual information that computer systems cannot automatically obtain or verify. Users need to supply such information through, e.g., computer dialogs. Unfortunately, users often do not provide true information to computer systems, but rather (intentionally or automatically) input whatever information will quickly dismiss security dialogs and allow users to proceed with their primary goal (which is rarely computer security). Obviously, such user behavior can compromise computer systems' security. With the generalized use of the Internet today, an individual's insecure behavior can have severe negative consequences to his organization, including financial losses, unintended release of private information, or an inability to operate normally in everyday activities. In spite of such potential consequences, users continue to behave insecurely. Industry surveys and security researchers still find users to be the weakest link in the computer security chain.To address the aforementioned problems, we first propose a model that helps explain why users behave insecurely when operating computer systems. Then, based on that model, we propose and evaluate techniques that improve users' security behaviors by automatically manipulating antecedents and consequences of such behaviors. First, we propose the use of warning polymorphism, which randomizes options in security warning dialogs, and delays activation of some of those options, so as to avoid cuing automatic, possibly untrue user responses. Second, we contribute the notion of security-conditioning applications (SCAs), and implement and evaluate two types of such applications, namely, security-reinforcing applications (SRAs) and insecurity-punishing applications (IPAs). SRAs strengthen users' secure behaviors by reliably delivering reinforcing stimuli contingently upon such behaviors, according to a specific reinforcement policy and schedule. IPAs weaken users' insecure behaviors by reliably delivering aversive stimuli, pre-specified by a policy, contingently upon those behaviors. Finally, we devise vicarious security-conditioning interventions to prepare users for interaction with SCAs and accelerate the latter's security benefits and user acceptance.Results of empirical evaluations of our proposed techniques show that they are, indeed, effective in improving users' security behaviors, increasing computer systems' security. Moreover, we show that, with appropriate schedules and stimuli, such improvements are resistant to extinction over time.


Social Networking:
Share |


Item Type: University of Pittsburgh ETD
Status: Unpublished
CreatorsEmailPitt UsernameORCID
Villamarin Salomon, Ricardo
ETD Committee:
TitleMemberEmail AddressPitt UsernameORCID
Committee CoChairLee, Adam Jadamlee@cs.pitt.eduADAMLEE
Committee CoChairBrustoloni, José Carlos
Committee MemberMarai, G. Elisabetamarai@cs.pitt.eduMARAI
Committee MemberJoshi, James B. Djjoshi@mail.sis.pitt.eduJJOSHI
Date: 12 January 2010
Date Type: Completion
Defense Date: 29 October 2009
Approval Date: 12 January 2010
Submission Date: 22 November 2009
Access Restriction: 5 year -- Restrict access to University of Pittsburgh for a period of 5 years.
Institution: University of Pittsburgh
Schools and Programs: Dietrich School of Arts and Sciences > Computer Science
Degree: PhD - Doctor of Philosophy
Thesis Type: Doctoral Dissertation
Refereed: Yes
Uncontrolled Keywords: context-sensitive guidance; reinforcement; vicarious learning; vicarious security reinforcement; insecurity-punishing application; operant conditioning; security-reinforcing application; vicarious insecurity punishment; computer security; polymorphic dialogs; audited dialog
Other ID:, etd-11222009-212128
Date Deposited: 10 Nov 2011 20:05
Last Modified: 19 Dec 2016 14:37


Monthly Views for the past 3 years

Plum Analytics

Actions (login required)

View Item View Item