Degree Name by School: Doctor of Philosophy (PhD), College of Arts and Sciences
Computing has become increasingly common in many spheres of users' daily lives. At the same time, the need for securing computer systems has become paramount. The security of computer systems often relies upon the decisions and actions of end users, a principle sometimes referred to as "human in the loop". User behavior when faced with security tasks can therefore directly or indirectly impact the overall security of the system. In this light, it is vital to understand users' behavior when subject to such tasks. A large volume of prior research in the field of user-centered security has mostly focused on users' task performance (i.e., how well, or poorly, users perform the tasks) but did not explore the inner workings of users' underlying behavior (i.e., how users process the tasks or why they may fail at them). In this research, we set out to investigate user-centered security by concentrating on the human neuro-physiology governing the processing of security tasks, thereby introducing a novel study methodology to inform the design of user-centered security systems. By incorporating three state-of-the-art neuroimaging techniques with distinctive capabilities, fMRI (functional Magnetic Resonance Imaging), EEG (electroencephalography) and fNIRS (functional Near-Infrared Spectroscopy), to study cognitive patterns, and eye-tracking technology to study gaze patterns and gaze dynamics, our research aims to provide unique, root-level insights into user-centered security not known or understood previously. At a higher level, we identify neural markers and eye movement patterns that might be controlling and defining users' performance in security tasks, and establish relationships between neural activity, gaze patterns and task performance.
While our general methodology applies to many user-centered security tasks, as a case in point, this dissertation work focuses on two classical tasks: (1) distinguishing between real and fake artifacts (e.g., websites as in a phishing attack, or voices as in a voice impersonation attack), and (2) heeding warnings provided by modern browsers when connecting to potentially malicious websites. The contribution of this dissertation lies in the introduction of a new methodology for studying the neuro-physiological patterns governing users' performance and behavior with respect to user-centered security tasks. First, we present our study of phishing detection and malware warnings using fMRI, and show that users exhibit significant brain activity in key regions associated with decision-making, attention, and problem-solving (phishing attacks and malware warnings) as well as language comprehension and reading (malware warnings). Second, we discuss our study of phishing detection and malware warnings using EEG and eye tracking together, in more realistic experimental settings than the fMRI set-up. Our results demonstrate that users do not spend enough time analyzing key phishing indicators and often fail at detecting these attacks, although they may be mentally engaged in the task and subconsciously processing real sites differently from fake sites. In the malware warning tasks, in contrast, we show that users are frequently reading, possibly comprehending, and eventually heeding the message embedded in the warning. Third, we perform an fNIRS study focusing specifically on the automated detection of real and fake websites based on the subconscious neural differences also observed in our fMRI and EEG studies. Fourth, we conduct an fNIRS study to test whether neural activities differ when users are listening to the voices of original and fake speakers.
In our studies, we also demonstrate that certain individual traits, such as impulsivity measured via an established questionnaire, can have a significant negative effect on brain activation in the security tasks, and we also discover that users' behavior in one task may potentially be predicted by their behavior in the other task. Finally, we discuss the broader impacts and implications of our work on the field of user-centered security, including the domains of security education, targeted security training, and security screening. Our work is well aligned with former President Obama's BRAIN initiative, and hopes to enhance people's cyber health, safety and well-being in the long run through an interdisciplinary venture cutting across Computer Science, Psychology and Neuroscience.
Neupane, Ajaya, "Neuro-Physiological Underpinnings of User-Centered Security" (2017). All ETDs from UAB. 2576.