Kholekile L. Gwebu,Jing Wang,Ermira Zifla

DOI: https://doi.org/10.1080/0144929x.2021.2002932

2021-01-01

Behaviour and Information Technology

Abstract:Despite attempts by social media companies to curb the spread of fake news with warnings flagging news credibility, the effectiveness of such measures remains unclear. Through the lens of the cognitive dissonance theory and individuals' trust in the news, this study develops a theoretical model that explains why and how warnings affect an individual's intention to share fake news. The study empirically assesses the predicted relationships using experimental survey data from 382 individuals. The findings provide evidence for two processes that underlie the effectiveness of warnings in curbing fake news sharing: (1) warnings negatively impact intention to share fake news through the psychological mechanism of lowering people's cognitive and emotional trust in the news and (2) warnings mitigate the impact of cognitive trust on intention to share fake news. Confirmation bias is found to serve as a boundary condition for the effectiveness of warnings in lowering individuals' cognitive and emotional trust in the news and in reducing the impacts of trust on an individual's intention to share fake news.

Ben Kaiser,Jerry Wei,Eli Lucherini,Kevin Lee,J. Nathan Matias,Jonathan Mayer

DOI: https://doi.org/10.48550/arXiv.2008.10772

IF: 6.4588

2020-08-25

Human-Computer Interaction

Abstract:Disinformation is proliferating on the internet, and platforms are responding by attaching warnings to content. There is little evidence, however, that these warnings help users identify or avoid disinformation. In this work, we adapt methods and results from the information security warning literature in order to design and evaluate effective disinformation warnings. In an initial laboratory study, we used a simulated search task to examine contextual and interstitial disinformation warning designs. We found that users routinely ignore contextual warnings, but users notice interstitial warnings -- and respond by seeking information from alternative sources. We then conducted a follow-on crowdworker study with eight interstitial warning designs. We confirmed a significant impact on user information-seeking behavior, and we found that a warning's design could effectively inform users or convey a risk of harm. We also found, however, that neither user comprehension nor fear of harm moderated behavioral effects. Our work provides evidence that disinformation warnings can -- when designed well -- help users identify and avoid disinformation. We show a path forward for designing effective warnings, and we contribute repeatable methods for evaluating behavioral effects. We also surface a possible dilemma: disinformation warnings might be able to inform users and guide behavior, but the behavioral effects might result from user experience friction, not informed decision making.

Jie Wang,Jiaming Shi,Xin Wen,Liang Xu,Ke Zhao,Fuyang Tao,Wenbiao Zhao,Xiuying Qian

DOI: https://doi.org/10.1016/j.cose.2022.102839

IF: 5.105

2022-01-01

Computers & Security

Abstract:The rapid increase in the use of mobile technology and online communication has facilitated more opportunities for social interactions as well as for online fraud. Warnings are one of the last lines of defense in transaction security. Many warnings used in anti-fraud processes are often ineffective due to habituation and the trial-and-error method used in their design. Following psychological theories of persuasion and warning design principles, in this paper, we design fourteen warnings and examine their effectiveness in an eye-tracker experiment (Study 1) and in an online A/B test on the Alipay platform (Study 2). Based on the communication-human information processing (C-HIP) model, Study 1 found that pictorial signal icons and persuasion strategies significantly improved the effectiveness of warnings. Specifically, pictorial signal icons attracted users’ attention better than the conventional signal icons, and warnings with authority, social influence, diversion, questioning, and multiple strategies performed better than those without a persuasion strategy. Study 2 showed that our warnings performed better than the original Alipay warnings. The overall case rate was reduced by 33.2%, avoiding at least 30 million yuan in economic losses. Our work contributes to the field of security warning design with both theoretical and practical value and provides an important reference for future research.

Robert Kaufman,Aaron Broukhim,Michael Haupt

2024-07-03

Abstract:Social media platforms enhance the propagation of online misinformation by providing large user bases with a quick means to share content. One way to disrupt the rapid dissemination of misinformation at scale is through warning tags, which label content as potentially false or misleading. Past warning tag mitigation studies yield mixed results for diverse audiences, however. We hypothesize that personalizing warning tags to the individual characteristics of their diverse users may enhance mitigation effectiveness. To reach the goal of personalization, we need to understand how people differ and how those differences predict a person's attitudes and self-described behaviors toward tags and tagged content. In this study, we leverage Amazon Mechanical Turk (n = 132) and undergraduate students (n = 112) to provide this foundational understanding. Specifically, we find attitudes towards warning tags and self-described behaviors are positively influenced by factors such as Personality Openness and Agreeableness, Need for Cognitive Closure (NFCC), Cognitive Reflection Test (CRT) score, and Trust in Medical Scientists. Conversely, Trust in Religious Leaders, Conscientiousness, and political conservatism were negatively correlated with these attitudes and behaviors. We synthesize our results into design insights and a future research agenda for more effective and personalized misinformation warning tags and misinformation mitigation strategies more generally.

Human-Computer Interaction,Social and Information Networks

Xin Wen,Liang Xu,Jie Wang,Yuan Gao,Jiaming Shi,Ke Zhao,Fuyang Tao,Xiuying Qian

DOI: https://doi.org/10.3390/ijerph19148294

IF: 4.614

2022-07-07

International Journal of Environmental Research and Public Health

Abstract:The internet's convenience and anonymity have facilitated different types of covert fraud, resulting in economic, mental, and social harm to victims. Understanding why people are deceived and implementing appropriate interventions is critical for fraud reduction. Based on the Bayesian brain theory, individuals' mental states may be a key point in scam compliance and warning compliance. Fraud victims with different mental states may construct various hypotheses and explanations about the fraud they are exposed to, causing different cognition and behavior patterns. Therefore, we first conducted a semi-structured in-depth interview with online fraud victims to investigate the individual and social factors that affect victims' mental states. Grounded theory analysis showed five core factors influencing scam compliance: psychological traits, empirical factors, motivation, cognitive biases, and emotional imbalance. Based on our findings of psychological processes and deception's influential factors, we then designed warnings to inform victims of fraud, particularly for those involving novel types of scams. Tested on a real-life setting, our designed warnings effectively enhanced warning compliance, allowing more fraud victims to avoid financial losses.

public, environmental & occupational health,environmental sciences

Xin Wen,Liang Xu,Jie Wang,Yuan Gao,Jiaming Shi,Ke Zhao,Fuyang Tao,Xiuying Qian

DOI: https://doi.org/10.3390/ijerph19148294

2022-01-01

Abstract:The internet’s convenience and anonymity have facilitated different types of covert fraud, resulting in economic, mental, and social harm to victims. Understanding why people are deceived and implementing appropriate interventions is critical for fraud reduction. Based on the Bayesian brain theory, individuals’ mental states may be a key point in scam compliance and warning compliance. Fraud victims with different mental states may construct various hypotheses and explanations about the fraud they are exposed to, causing different cognition and behavior patterns. Therefore, we first conducted a semi-structured in-depth interview with online fraud victims to investigate the individual and social factors that affect victims’ mental states. Grounded theory analysis showed five core factors influencing scam compliance: psychological traits, empirical factors, motivation, cognitive biases, and emotional imbalance. Based on our findings of psychological processes and deception’s influential factors, we then designed warnings to inform victims of fraud, particularly for those involving novel types of scams. Tested on a real-life setting, our designed warnings effectively enhanced warning compliance, allowing more fraud victims to avoid financial losses.

Affan Yasin,Rubia Fatima,Lin Liu,Jianmin Wang,Raian Ali,Ziqi Wei

DOI: https://doi.org/10.1002/spy2.161

2021-01-01

Security and Privacy

Abstract:Malicious scammers and social engineers are causing great harms to modern society, as they have led to the loss of data, information, money, and many more for individuals and companies. Knowledge about social engineering (SE) is wide‐spread and it exits in non‐academic papers and communication channels. Knowledge is mostly based on expert opinion and experience reports. Such knowledge, if articulated, can provide a valid source of knowledge and information. We performed the analysis of such sources, guided by academic principles around SE, and solicit existing SE scenarios from public awareness education materials, news stories, research literature, official advisories to public departments. We adopted grounded theory to extract the general knowledge behind SE, such as, attacking cycles, information gathering strategies, psychological principles, attack vectors, and so on. In this article, we aim to review and synthesize a body of knowledge (rationale and motivation of social engineers). The study aims to: (a) understand the rationale of social engineers; (b) capture the knowledge of SE attacks and extract important information from the sources; (c) propose an activity for counteracting SE attacks, and how it can be used in security education.

Shahryar Baki,Rakesh M. Verma,Arjun Mukherjee,Omprakash Gnawali

DOI: https://doi.org/10.48550/arXiv.2006.13499

2020-06-24

Abstract:Cyber attacks such as phishing, IRS scams, etc., still are successful in fooling Internet users. Users are the last line of defense against these attacks since attackers seem to always find a way to bypass security systems. Understanding users' reason about the scams and frauds can help security providers to improve users security hygiene practices. In this work, we study the users' reasoning and the effectiveness of several variables within the context of the company representative fraud. Some of the variables that we study are: 1) the effect of using LinkedIn as a medium for delivering the phishing message instead of using email, 2) the effectiveness of natural language generation techniques in generating phishing emails, and 3) how some simple customizations, e.g., adding sender's contact info to the email, affect participants perception. The results obtained from the within-subject study show that participants are not prepared even for a well-known attack - company representative fraud. Findings include: approximately 65% mean detection rate and insights into how the success rate changes with the facade and correspondent (sender/receiver) information. A significant finding is that a smaller set of well-chosen strategies is better than a large `mess' of strategies. We also find significant differences in how males and females approach the same company representative fraud. Insights from our work could help defenders in developing better strategies to evaluate their defenses and in devising better training strategies.

Cryptography and Security,Human-Computer Interaction,Social and Information Networks

Michele M. Wood,Dennis S. Mileti,Hamilton Bean,Brooke F. Liu,Jeannette Sutton,Stephanie Madden

DOI: https://doi.org/10.1177/0013916517709561

2017-05-30

Environment and Behavior

Abstract:Given the potential of modern warning technology to save lives, discovering whether it is possible to craft mobile alerts for imminent events in a way that reduces people’s tendency to seek and confirm information before initiating protective action is essential. The purpose of this study was to examine the possibility of designing messages for mobile devices, such as Wireless Emergency Alert (WEA) messages, to minimize action delay. The impact of messages with varied amounts of information on respondents’ understanding, believing, personalizing, deciding, and intended milling was used to test Emergent Norm Theory, using quantitative and qualitative methods. Relative to shorter messages, longer public warning messages reduced people’s inclination to search for and confirm information, thereby shortening warning response delay. The Emergent Norm Theory used herein is broader in application than the context-specific models provided by leading warning scholars to date and yields deeper understanding about how people respond to warnings.

psychology, multidisciplinary,environmental studies

Ankit Shrestha,Arezou Behfar,Nasrullah Al-Ameen,Ankit ShresthaArezou BehfarMahdi Nasrullah Al-AmeenDepartment of Computer Science,Utah State University,Logan,UT,USAAnkit Shrestha is a PhD candidate and research assistant at the PIXEL (Privacy,desIgn,and user eXperiencE Lab) in Computer Science department of Utah State University. His research interests lie in the boundary of human computer interaction and privacy including a focus on behavior changing interventions.Arezou Behfar,a Computer Science PhD candidate at Utah State University,specializes in user experience research and usability testing. She engages in collaborative HCI problem-solving at the PIXEL Lab,utilizing methods like design,prototyping,and interviews.Mahdi Nasrullah Al-Ameen leads the PIXEL in the Computer Science department of Utah State University. He completed his PhD from University of Texas,Arlington in 2016. His research work focuses on systemizing the human and societal factors that impact people's secure and privacy-preserving use of a technology.

DOI: https://doi.org/10.1080/10447318.2024.2323248

IF: 4.92

2024-03-09

International Journal of Human-Computer Interaction

Abstract:Clickbait, a social engineering attack performed through social media, tricks users through sensationalized or misleading posts into clicking on links that direct them to malicious websites. With the recent boom in social media, clickbait has become a substantial security concern, necessitating efforts from platforms and academia to control it. Despite these attempts, clickbait is effective due to the lack of users' knowledge. Therefore, we explore user mental models (thought processes about how something works) about clickbait to analyze their deficiencies and their influences on users' behavior towards clickbait warnings. To this end, we conducted an online study with 770 participants over MTurk to generate user mental models about clickbait and to evaluate the clickbait warnings conveying harm. Our findings suggest that a large portion of users have a simple mental model that fails to comprehend the dangers of clickbait, indicating the importance of warnings in supporting and educating users. Overall, our studies provide valuable insights into understanding the impact of clickbait mental models on users' online security behavior in social media and offer guidelines for future research in these directions.

computer science, cybernetics,ergonomics

Affan Yasin,Rubia Fatima,Lin Liu,Awaid Yasin,Jianmin Wang

DOI: https://doi.org/10.1002/spy2.73

2019-01-01

Abstract:The previous year has seen an enormous increase in the studies related to social engineering. This increase is partly due to increasing number of social engineering attacks and partly due to people's inability to identify the attack. Thus, it is of great importance to find solutions which are helpful for human to understand the social engineering attacks and scenarios. To address this, we have performed a literature review of studies (on social engineering) in top-notch journals and conferences. In this paper, we have enlisted the types of attacks, and the persuasion techniques used by social engineers as listed in the literature. We also combined different theories which researchers tried to use to explain various activities of social engineers. Furthermore, we have mentioned that a better understanding of the social engineering attack scenarios can be done using thematic and game-based analysis techniques. Preliminary empirical evaluation of the proposed game based method shows overall neutral results. Future extension and evaluation is needed for the proposed methods.

Theodore Longtchi,Rosana Montañez Rodriguez,Laith Al-Shawaf,Adham Atyabi,Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2203.08302

2022-03-15

Cryptography and Security

Abstract:Social engineering attacks are a major cyber threat because they often serve as a first step for an attacker to break into an otherwise well-defended network, steal victims' credentials, and cause financial losses. The problem has received due amount of attention with many publications proposing defenses against them. Despite this, the situation has not improved. In this paper, we aim to understand and explain this phenomenon by looking into the root cause of the problem. To this end, we examine the literature on attacks and defenses through a unique lens we propose -- {\em psychological factors (PFs) and techniques (PTs)}. We find that there is a big discrepancy between attacks and defenses: Attacks have deliberately exploited PFs by leveraging PTs, but defenses rarely take either of these into consideration, preferring technical solutions. This explains why existing defenses have achieved limited success. This prompts us to propose a roadmap for a more systematic approach towards designing effective defenses against social engineering attacks.

F. Mariam Zahedi,Ahmed Abbasi,Yan Chen

DOI: https://doi.org/10.48550/arXiv.1309.7262

2013-09-27

Abstract:Fake websites have emerged as a major source of online fraud, accounting for billions of dollars of loss by Internet users. We explore the process by which salient design elements could increase the use of protective tools, thus reducing the success rate of fake websites. Using the protection motivation theory, we conceptualize a model to investigate how salient design elements of detection tools could influence user perceptions of the tools, efficacy in dealing with threats, and use of such tools. The research method was a controlled lab experiment with a novel and extensive experimental design and protocol. We found that trust in the detector is the pivotal coping mechanism in dealing with security threats and is a major conduit for transforming salient design elements into increased use. We also found that design elements have profound and unexpected impacts on self-efficacy. The significant theoretical and empirical implications of findings are discussed.

Computers and Society

Asier Moneva,E Rutger Leukfeldt,Wouter Klijnsoon

DOI: https://doi.org/10.1007/s11292-022-09504-2

2022-03-24

Abstract:Objective: Aiming to reduce distributed denial-of-service (DDoS) attacks by alerting the consciences of Internet users, this paper evaluates the effectiveness of four warning banners displayed as online ads (deterrent-control, social, informative, and reorienting) and the contents of their two linked landing pages. Methods: We implement a 4 × 2 quasi-experimental design on a self-selected sample of Internet users to measure the engagement generated by the ads and the pages. Engagement is measured on the ads as the ratio of clicks to impressions and on the pages as percentage of page scrolled, average session duration, video interaction rate, and URLs click rate. Results: Social ads generate significantly more engagement than the rest with low to medium effect sizes. Data reveal no differences in engagement between both landing page designs. Conclusions: Social messages may be a better alternative for engaging with potential cyber offenders than the traditional deterrent messages. Supplementary information: The online version contains supplementary material available at 10.1007/s11292-022-09504-2.

Onur Varol,Ismail Uluturk

DOI: https://doi.org/10.5210/fm.v22i5.7883

2019-06-27

Abstract:Communication plays a major role in social systems. Effective communications, which requires transmission of the messages between individuals without disruptions or noise, can be a powerful tool to deliver intended impact. Language and style of the content can be leveraged to deceive and manipulate recipients. These deception and persuasion strategies can be applied to exert power and amass capital in politics and business. In this work, we provide a modest review of how such deception and persuasion strategies were applied to different communication channels over the years. We provide examples of campaigns that has occurred in different periods over the last 100 years, together with their corresponding dissemination mediums. In the Internet age, we enjoy access to the vast amount of information and the ability to communicate without borders. However, malicious actors work toward abusing online systems to disseminate disinformation, disrupt communication, and manipulate people by the means of automated tools, such as social bots. It is important to study the old practices of persuasion to be able to investigate modern practices and tools. Here we provide a discussion of current threats against society while drawing parallels with the historical practices and the recent research efforts on systems of detection and prevention.

Social and Information Networks

Marcus Butavicius,Kathryn Parsons,Malcolm Pattinson,Agata McCormac

DOI: https://doi.org/10.48550/arXiv.1606.00887

2016-05-28

Abstract:We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.

Computers and Society,Cryptography and Security

Elissa M. Redmiles

DOI: https://doi.org/10.48550/arXiv.1808.08177

2019-01-10

Abstract:Digital security technology is able to identify and prevent many threats to users accounts. However, some threats remain that, to provide reliable security, require human intervention: e.g., through users paying attention to warning messages or completing secondary authentication procedures. While prior work has broadly explored people's mental models of digital security threats, we know little about users' precise, in-the-moment response process to in-the-wild threats. In this work, we conduct a series of qualitative interviews (n=67) with users who had recently experienced suspicious login incidents on their real Facebook accounts in order to explore this process of account security incident response. We find a common process across participants from five countries -- with differing online and offline cultures -- allowing us to identify areas for future technical development to best support user security. We provide additional insights on the unique nature of incident-response information seeking, known attacker threat models, and lessons learned from a large, cross-cultural qualitative study of digital security.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Filipo Sharevski,Amy Devine,Emma Pieroni,Peter Jacnim

DOI: https://doi.org/10.48550/arXiv.2205.01243

2022-05-03

Abstract:Warning users about misinformation on social media is not a simple usability task. Soft moderation has to balance between debunking falsehoods and avoiding moderation bias while preserving the social media consumption flow. Platforms thus employ minimally distinguishable warning tags with generic text under a suspected misinformation content. This approach resulted in an unfavorable outcome where the warnings "backfired" and users believed the misinformation more, not less. In response, we developed enhancements to the misinformation warnings where users are advised on the context of the information hazard and exposed to standard warning iconography. We ran an A/B evaluation with the Twitter's original warning tags in a 337 participant usability study. The majority of the participants preferred the enhancements as a nudge toward recognizing and avoiding misinformation. The enhanced warning tags were most favored by the politically left-leaning and to a lesser degree moderate participants, but they also appealed to roughly a third of the right-leaning participants. The education level was the only demographic factor shaping participants' preferences. We use our findings to propose user-tailored improvements in the soft moderation of misinformation on social media.

Computers and Society,Human-Computer Interaction,Social and Information Networks

Florian Brühlmann,Zgjim Memeti,Lena F. Aeschbach,Sebastian A. C. Perrig,Klaus Opwis

DOI: https://doi.org/10.3758/s13428-023-02321-z

IF: 5.953

2024-01-20

Behavior Research Methods

Abstract:Carelessness or insufficient effort responding is a widespread problem in online research, with estimates ranging from 3% to almost 50% of participants in online surveys being inattentive. While detecting carelessness has been subject to multiple studies, the factors that reduce or prevent carelessness are not as well understood. Initial evidence suggests that warning statements prior to study participation may reduce carelessness, but there is a lack of conclusive high-powered studies. This preregistered randomized controlled experiment aimed to test the effectiveness of a warning statement and an improved implementation of a warning statement in reducing participant inattention. A study with 812 participants recruited on Amazon Mechanical Turk was conducted. Results suggest that presenting a warning statement is not effective in reducing carelessness. However, requiring participants to actively type the warning statement statistically significantly reduced carelessness as measured with self-reported diligence, even-odd consistency, psychometric synonyms and antonyms, and individual response variability. The active warning statements also led to statistically significantly more attrition and potentially deterred those who were likely to be careless from even participating in this study. We show that the current standard practice of implementing warning statements is ineffective and novel methods to prevent and deter carelessness are needed.

psychology, experimental, mathematical

Affan Yasin,Rubia Fatima,Lin Liu,Jianmin Wanga

DOI: https://doi.org/10.1016/s1361-3723(21)00108-1

2021-01-01

Computer Fraud & Security

Abstract:Social engineers are very successful at exploiting human weaknesses, gathering information, communicating with people and creating creative storylines attacking people's psychological needs and weaknesses. And that is why people, who are among the weakest links in the information security chain, remain susceptible to social engineering attacks.