Louis F. DeKoven
Stefan Savage
Abstract
Users are encouraged to adopt a wide array of technologies and behaviors to reduce their security risk. However, the adoption of these "best practices," ranging from the use of antivirus products to keeping software updated, is not well understood, nor is their practical impact on security risk well established. To explore these issues, we conducted a large-scale measurement of 15,000 computers over six months. We use passive monitoring to infer and characterize the prevalence of various security practices as well as a range of other potentially security-relevant behaviors. We then explore the extent to which differences in key security behaviors impact the real-world outcomes (i.e., that a device shows clear evidence of having been compromised).
- Apple. Update your iPhone, iPad, or iPod touch, 2018. https://support.apple.com/en-us/HT204204.Google Scholar
- Bellare, M., Rogaway, P. The FFX mode of operation for format-preserving encryption. Manuscript (standards proposal) submitted to NIST (2010).Google Scholar
- Bilge, L., Han, Y., Dell'Amico, M. RiskTeller: Predicting the risk of cyber incidents. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS) (Dallas, Texas, USA, November 2017).Google ScholarDigital Library
- Canali, D., Bilge, L., Balzarotti, D. On the effectiveness of risk prediction based on users browsing behavior. In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (CCS) (Kyoto, Japan, June 2014).Google ScholarDigital Library
- Marshall, C., Ellis, C. The best free password manager 2019, 2018. https://www.techradar.com/news/software/applications/the-best-password-manager-1325845.Google Scholar
- CVE Details. Mozilla Thunderbird Vulnerability Statistics, 2019. https://www.cvedetails.com/product/3678/?q=Thunderbird.Google Scholar
- The Enigmail Project. Enigmail---OpenPGP encryption for Thunderbird, 2019. https://www.enigmail.net/index.php/en/home.Google Scholar
- Forget, A., Pearman, S., Thomas, J., Acquisti, A., Christin, N., Cranor, L.F., Egelman, S., Harbach, M., Telang, R. Do or do not, there is no try: User engagement may not improve security outcomes. In Proceedings of the 12th Symposium on Usable Privacy and Security (SOUPS) (Denver, CO, USA, June 2016).Google Scholar
- Hastie, T., Tibshirani, R., Friedman, J. The Elements of Statistical Learning. Springer New York Inc., 2001.Google ScholarCross Ref
- Herley, C. So long, and no thanks for the externalities: The rational rejection of security advice by users. In Proceedings of the 2009 Workshop on New Security Paradigms Workshop (Oxford, United Kingdom, September 2009).Google ScholarDigital Library
- Hosmer Jr, D.W., Lemeshow, S. Applied Logistic Regression. 2nd edn. John Wiley & Sons, New Jersey, USA, 2000.Google ScholarCross Ref
- IAB. IAB Tech Lab Content Taxonomy, 2019. https://www.iab.com/guidelines/iab-tech-lab-content-taxonomy/.Google Scholar
- Khan, M., Bi, Z., Copeland, J.A. Software updates as a security metric: Passive identification of update trends and effect on machine infection. In Proceedings of IEEE Military Communications Conference (MILCOM) (Orlando, Florida, USA, October 2012).Google ScholarCross Ref
- Microsoft. Microsoft update catalog, 2019. https://www.catalog.update.microsoft.com/Home.aspx.Google Scholar
- Mozilla Foundation. Public suffix list website, 2019. https://publicsuffix.org/.Google Scholar
- Rubenking, N.J. The best antivirus protection for 2019, 2019. https://www.pcmag.com/article2/0,2817,2372364,00.asp.Google Scholar
- ProofPoint. ET Pro Ruleset, 2019. https://www.proofpoint.com/us/threat-insight/et-pro-ruleset.Google Scholar
- Redmiles, E.M., Kross, S., Mazurek, M.L. Where is the digital divide?: A survey of security, privacy, and socioeconomics. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems (Denver, Colorado, USA, May 2017).Google ScholarDigital Library
- Redmiles, E.M., Kross, S., Mazurek, M.L. How well do my results generalize? Comparing security and privacy survey results from MTurk, web, and telephone samples. In Proceedings of the 2019 IEEE Symposium on Security and Privacy (San Fransisco, CA, USA, May 2019).Google ScholarCross Ref
- Reeder, R., Ion, I., Consolvo, S. 152 Simple steps to stay safe online: Security advice for non-tech-savvy users. IEEE Security and Privacy 15, 5 (June 2017):55--64.Google ScholarDigital Library
- Sawaya, Y., Sharif, M., Christin, N., Kubota, A., Nakarai, A. Yamada, A. Self-confidence trumps knowledge: A cross-cultural study of security behavior. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems (Denver, Colorado, USA, May 2017).Google ScholarDigital Library
- Sharif, M., Urakawa, J., Christin, N., Kubota, A., Yamada, A. Predicting impending exposure to malicious content from user behavior. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS) (Toronto, Canada, October 2018).Google ScholarDigital Library
- Vitale, F., McGrenere, J., Tabard, A., Beaudouin-Lafon, M., Mackay, W.E. High costs and small benefits: A field study of how users experience operating system upgrades. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems (Denver, Colorado, USA, May 2017).Google ScholarDigital Library
- Webshrinker. IAB categories, 2018. https://docs.webshrinker.com/v3/iab-website-categories.html#iab-categories.Google Scholar
- Webshrinker. Webshrinker website, 2019. https://www.webshrinker.com/.Google Scholar
Index Terms
- Measuring security practices
Recommendations
Measuring Security Practices and How They Impact Security
IMC '19: Proceedings of the Internet Measurement ConferenceSecurity is a discipline that places significant expectations on lay users. Thus, there are a wide array of technologies and behaviors that we exhort end users to adopt and thereby reduce their security risk. However, the adoption of these "best ...
Unleashing IoT Security: Assessing the Effectiveness of Best Practices in Protecting Against Threats
ACSAC '23: Proceedings of the 39th Annual Computer Security Applications ConferenceThe Internet of Things (IoT) market is rapidly growing and is expected to double from 2020 to 2025. The increasing use of IoT devices, particularly in smart homes, raises crucial concerns as inadequate security designs and implementations by IoT vendors ...
Measuring security in IoT communications
AbstractMore smart objects and more applications on the Internet of Things (IoT) mean more security challenges. In IoT security is crucial but difficult to obtain. On the one hand the usual trade-off between highly secure and usable systems is ...
Comments