TY - JOUR
T1 - Alerting about possible risks vs. blocking risky choices
T2 - A quantitative model and its empirical evaluation
AU - Meyer, Joachim
AU - Dembinsky, Omer
AU - Raviv, Tal
N1 - Funding Information:
This research is based on the second author's M.Sc. thesis, for which the first author served as advisor. The research was funded by the Israeli Ministry of Science and Technology and the Israel Cyber Authority through the Interdisciplinary Center for Research in Cyber at Tel Aviv University. We thank Zeev Shteiman for his help in developing the experimental system.
Publisher Copyright:
© 2020 Elsevier Ltd
PY - 2020/10/1
Y1 - 2020/10/1
N2 - Alerting users about possible threats or blocking users’ ability to perform potentially dangerous actions are two common ways to protect systems from the adverse effects of threats, such as malicious email attachments, fraudulent requests, or system malfunctions. We present a normative model of the effects of alerting and blocking on the value of the outcomes, on measures of risk-taking, and on the number of successful attacks. We compared warning and blocking systems and binary- and likelihood-alarm systems as a function of properties of the threats and the security system. We also compared model predictions to actual user behavior, as measured in a controlled experiment. The experimental results were generally in line with the normative model. However, the model predicted that the outcomes from blocking would always be worse or equal to those from warnings. The experiment, however, showed that blocking may have an advantage over warnings, because it leads to fewer undetected events (as predicted by the model), without significantly lowering the mean value of outcomes (the model predicts a lower value). We discuss practical implications regarding the use of blocking and alerting and the more general value of combining optimal decision models and empirical experiments for determining system designs.
KW - Alarms
KW - Alerts
KW - Behavioral validation
KW - Blocking
KW - Cyber security
KW - Decision making
KW - Optimal behavior modeling
KW - Signal detection theory
KW - Warnings
UR - http://www.scopus.com/inward/record.url?scp=85087830297&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2020.101944
DO - 10.1016/j.cose.2020.101944
M3 - Article
AN - SCOPUS:85087830297
SN - 0167-4048
VL - 97
JO - Computers and Security
JF - Computers and Security
M1 - 101944
ER -