
Communication Processing in Authentication Ceremonies

3.3 Communication Processing

3.3.3 Influencing Factors

The issues identified in the previous section may be exacerbated by different factors in different ways. Some of the factors that may influence the user's communication processing and can cause these issues are described in this section and summarised in Table 3.2.

| Issue | Influencing factors | Supportive literature |
|---|---|---|
| Spoofed login, secure ceremony never used | Knowledge of the ceremony; interference, delivery channel; format, font size, length | [176], [38], [57], [47], [83] |
| Delay in displaying a HPA | Technology failures, deficiencies; interference, delivery channel; format, font size, length | [47], [184], [83] |
| User skipping security step | Distraction from primary task; doing more interesting things; motivation, habituation | [47], [184], [135], [222], [34] |
| User busy with primary task | Distraction from primary task; interference, delivery channel; format, font size, length; habituation | [226], [38], [202], [221], [47], [83], [57], [60] |
| Not able to recognise the HPA | Cognitive or physical skills; memorability; interference, delivery channel; format, font size, length | [193], [68], [47], [38], [83] |
| User interface design | Cognitive or physical skills; delivery channel; format, font size, length | [47], [38], [186], [83] |

Table 3.2: Communication processing issues and influencing factors

• Spoofed login, so secure ceremony is never used. An essential precondition to security is getting users to use the security protocol. If a phisher tricks a user into entering their password in a spoofed web page, so that the secure protocol is never used, then the cryptographic countermeasures are bypassed [176]. Knowledge of the ceremony through user training, and user interface features such as format, font size, length and type of delivery channel, are the main influencing factors to consider for this issue. Interference with the login prompt by an attacker, or by other related and unrelated communications such as advertisements, may also contribute to the user not switching attention to whether the login prompt is correct or whether the HPA is presented [57, 47, 38, 83].

• Delay in displaying the HPA. If there is a delay in displaying the HPA due to technology failures, deficiencies or interference, in some ceremony implementations the user can still enter their login and password and proceed with login without checking the HPA [184, 47]. Format, font size, length and type of delivery channel could make this problem better or worse [83]. There is no guarantee that the user's attention will be switched to the HPA, or maintained on it, if there is a considerable delay in presenting it.
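The fall-through behaviour described above can be made concrete with a small login-flow state machine. The JavaScript below is an added illustration, not code from the thesis or from any ceremony implementation it cites: a lenient ceremony unlocks the password step as soon as a username is known, so a delayed or missing HPA never blocks login, while a strict ceremony refuses the password step until the HPA has been rendered and explicitly acknowledged. The state names, the `strict` flag, the timeout callback and the scenario driver are all assumptions made for this example.

```javascript
// Added example (not from the thesis): a minimal login-ceremony state machine
// contrasting a lenient implementation, which lets a delayed or missing HPA
// fall through to the password step, with a strict one that unlocks the
// password step only after the HPA has been displayed and acknowledged.
// State names, the `strict` flag and the scenario driver are assumptions.

const States = Object.freeze({
  IDENTIFY: "identify",       // waiting for the username
  HPA_PENDING: "hpa_pending", // HPA requested from the server, not yet rendered
  HPA_SHOWN: "hpa_shown",     // HPA rendered, waiting for the user to confirm it
  PASSWORD: "password",       // password entry unlocked
  BLOCKED: "blocked",         // HPA never arrived; strict mode refuses to continue
});

function newCeremony(strict) {
  return { strict, state: States.IDENTIFY, hpa: null, acknowledged: false, events: [] };
}

function submitUsername(c, username) {
  if (c.state !== States.IDENTIFY) return false;
  c.username = username;
  c.state = States.HPA_PENDING;
  c.events.push("hpa requested");
  return true;
}

// Server response carrying the user's personalised HPA (image, phrase, ...).
function hpaDelivered(c, hpa) {
  if (c.state !== States.HPA_PENDING) return false;
  c.hpa = hpa;
  c.state = States.HPA_SHOWN;
  c.events.push("hpa shown");
  return true;
}

// Timer callback: the HPA did not arrive within the deadline.
function hpaTimedOut(c) {
  if (c.state !== States.HPA_PENDING) return;
  if (c.strict) {
    c.state = States.BLOCKED;
    c.events.push("hpa missing: login blocked");
  } else {
    // Lenient fall-through: the form unlocks the password step anyway, so a
    // user whose attention was never drawn to the HPA can complete the login.
    c.state = States.PASSWORD;
    c.events.push("hpa missing: password step unlocked anyway");
  }
}

// The user explicitly confirms that the displayed HPA is the one they expect.
function acknowledgeHpa(c) {
  if (c.state !== States.HPA_SHOWN) return false;
  c.acknowledged = true;
  c.state = States.PASSWORD;
  c.events.push("hpa acknowledged");
  return true;
}

function passwordStepAllowed(c) {
  if (c.strict) return c.state === States.PASSWORD && c.acknowledged;
  // Lenient: the password field is usable as soon as a username is known,
  // regardless of whether the HPA was ever shown or checked.
  return c.state !== States.IDENTIFY;
}

function submitPassword(c) {
  if (!passwordStepAllowed(c)) {
    c.events.push("password rejected in state " + c.state);
    return false;
  }
  c.events.push("password accepted");
  return true;
}

// Drives one scenario. `hpaArrives: false` models the delay/failure case;
// `impatient: true` models a user who types the password before the HPA is checked.
function runScenario({ strict, hpaArrives, impatient }) {
  const c = newCeremony(strict);
  submitUsername(c, "alice"); // constructed sample username
  if (!impatient) {
    if (hpaArrives) {
      hpaDelivered(c, "constructed-sample-image.png"); // constructed sample HPA
      acknowledgeHpa(c);
    } else {
      hpaTimedOut(c);
    }
  }
  return { accepted: submitPassword(c), hpaChecked: c.acknowledged, events: c.events };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const strict of [false, true]) {
    console.log(strict ? "strict" : "lenient",
      JSON.stringify(runScenario({ strict, hpaArrives: false, impatient: false })));
  }
}
```

In the lenient variant the `hpaMissing` path ends with the password accepted and `hpaChecked` still false, which is exactly the situation the paragraph describes; the strict variant turns the same delay into a blocked login, so the user's attention cannot be bypassed by a slow or failed HPA delivery.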

• User skipping security step. Research shows that if security tasks are not required actions (i.e. acting on security warnings, checking security indicators), then users routinely skip them, as usually there are no immediate visible consequences of not doing so [194, 144]. Users may not be motivated to perform security steps properly, as they require extra time and effort [57].

According to Karlof [135], the human psychological tendency to develop automatic responses to frequently encountered situations is one of the main contributors to the success of phishing attacks. Some researchers define this tendency as habituation [47, 222, 34]. This notion of habituation seems to be the same as what the psychologist Cialdini [42] refers to as human click-whirr responses.

Habituation or click-whirr responses mean that the user automatically enters his/her username and password on any login page that looks familiar and legitimate, especially as they will usually be doing something more interesting on the website after they complete the login.

• User busy with primary task. When logging in to a website, security is almost never the main goal of the user [38, 221, 226, 202]. Hence, users may not switch attention to the HPA, or may not notice that it is missing or that it is different.

Habituation and predictability are important influencing factors, as a busy user may over time ignore a HPA that they observe frequently, and they are usually correct in doing so [57, 60]. Characteristics of the HPA and of the user interface design, such as format, font size, length and delivery channel, will strongly influence this issue [47, 83]. Even if users switch their attention to the HPA, it is not guaranteed that they will examine it in detail and elaborate on the security communication presented to them.

• Not able to recognise the right HPA. A wide range of people with mixed capabilities, including different cognitive and technical abilities, use authentication ceremonies. Depending on the type of communication, i.e. whether the user needs to recall, recognise or compare as part of the authentication, specific capabilities, knowledge, attention or memory may be necessary to complete the login [47, 38, 83]. Overloading human memory by requiring users to remember large amounts of data has become a big problem of online authentication, even more so as many password policies force users to choose random data as a password [68, 193].

• User interface design. The importance of usable security is widely accepted, and it is recognised as one of the factors that can compromise protocol security [48, 233]. It is essential that the human interface be designed for ease of use, so that users apply the security mechanisms correctly without too much effort [191]. Therefore, the design of the input/output communication, i.e. the login prompt, will affect the ceremony's security level and should be taken into account during user interface design. It is also important that the user interface design (format, font size, length, delivery channel) caters for people with mixed cognitive and physical skills, to allow successful completion of security tasks [47, 83, 38, 186].

3.4 Conclusion

In this chapter, we have shown how the assumptions about the behaviour of humans in authentication ceremonies can affect the ceremonies' anti-phishing security. We described related issues that can arise from these assumptions about how humans process communication within authentication protocols. We presented the main factors that may influence these issues in different ways.

We have shown that there is no guarantee that a user will switch to, pay enough attention to, or examine in detail the authentication login prompt presented to them.

The user also may not be motivated enough to perform additional security tasks. In addition, some users may not have cognitive or technical abilities to perform them correctly.

Recognising these assumptions, issues and influencing factors (presented in Sections 3.3.2 and 3.3.3, and summarised in Table 3.2) helped us to identify the components of the framework described in Chapter 4.

Chapter 4

Human Factors in Anti-Phishing