Seminar: Spoofing Operating System Security Interfaces to Study User Security Behaviors

Date: October 22, 2012
Talk Title: Spoofing Operating System Security Interfaces to Study User Security Behaviors
Speaker: Lorrie Cranor
Time & Location: 12:00pm - 1:00pm
CIC Building, Pittsburgh

Abstract

Many of the pop-up dialogs that appear in operating systems and application software are intended to provide security-related functions. For example, some are designed to provide a trusted authentication path when users need to provide their password to their operating system. Others warn users about potential security threats and help them select a safe course of action. However, users have not learned to recognize trusted authentication dialogs, and they are bombarded with confusing warning dialogs, even when they are not actually at risk. We have developed a model for how users interact with secure systems that has helped us reason about user behavior when confronted with these dialogs. In order to improve these dialogs, we need to observe user behavior when the dialogs appear and measure the impact of interface changes on user behavior. We developed a test platform to facilitate observation of a large number of users interacting with OS dialogs. We use Amazon's Mechanical Turk crowd-sourcing system to recruit Internet users to evaluate online games. During the game evaluation, we make spoofed OS dialogs appear in the user's web browser and remotely observe user response. In this talk I will present our study framework and discuss two studies that made use of this framework. In one study we observed over 700 users who were exposed to spoofed password entry dialogs. In another study we observed over 2000 users who were exposed to variations on a software installation dialog in both benign and malicious scenarios. I will present the results of these studies and discuss the implications for usable security interface design.

Speaker Bio

Lorrie Faith Cranor is an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the Privacy Engineering master's program. She is also a co-founder of Wombat Security Technologies, Inc. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University.

For more information, please visit Dr. Cranor's website at http://lorrie.cranor.org/.