The security of computer systems often relies on actions of or decisions made by the end users. However, users tend to perform poorly at security tasks or fail to comply with security instructions. Studies have shown that users exhibit little intrinsic motivation for (and understanding, or awareness of) security. Consequently, even theoretically sound security solutions repeatedly fail to provide much security in practice.
This project aims to tackle this problematic state of current user-involved security practices. It embarks upon an exploration of a novel research direction called “Playful Security”, which aims to improve usable security via extrinsic motivation. The playful approaches to user-involved security will motivate and incentivize the users, while they perform security tasks, through the use of rewards, and perception of fun and entertainment. This is dubbed the Tom Sawyer Effect after a popular incident in Mark Twain’s literary classic, The Adventures of Tom Sawyer. In this incident, the boy Tom is punished to paint a fence on his day off. To escape his plight, the clever Tom treats the task as fun rather than resenting it. Upon observing his delight, his friends insist that they be given an opportunity to paint the fence so that they can enjoy it as well. Much in the same way that Tom convinces his friends to complete what would otherwise be considered an uninteresting job by treating it as a game, this project seeks to better (extrinsically) motivate the users during security operations by making these operations enjoyable.
In a nutshell, this project investigates the use of a reward system based on the principles of human psychology. Secondly, in order to make security tasks entertaining, computer games or game like constructs, and game elements will be adopted to facilitate user involvement. For instance, the user would be asked to play a short and intuitive game which accomplishes the underlying security task as a side effect. Based on the sheer popularity of games and reward systems, playful security promises to appeal to a large fraction of user population (especially the youth). Moreover, playful security approaches can seamlessly co-exist with traditional security mechanisms in most cases. Although the topic of playful security is new, there is growing evidence and agreement that not only playful approaches to security are needed and important but also they can actually work in practice.
This project explores the playful security paradigm in the context of three application domains:
- Wireless Device Association (pairing): bootstrapping secure communication between two previously unassociated wireless devices.
- User Authentication: proving that a user is indeed who the user claims to be.
- Service Abuse Resilience: defending against automated mechanisms that attack and abuse the resources of an online entity.
Despite years of research efforts, the user-centric security requirements of these three domains have not been adequately addressed. The current techniques, for example, numeric PINs and textual passwords for pairing and authentication, and CAPTCHAs for abuse resilience, are all plagued with numerous well-documented usability and security drawbacks.
The merit of this project lies in the realization of playful security mechanisms to address the aforementioned shortcomings. One anticipated contribution is the design of a reward system based on the self-determination theory that can be integrated with traditional security mechanisms, thus improving their security and usability. Emphasis will be on the use of timers, reward points, visual scores, and the sense of competition and completeness so as to reward user diligence and good behavior as part of a security task.
Another intended contribution is the design of a suite of playful security approaches. First, playful solutions for device pairing will be developed. These solutions can help accomplish the underlying human tasks of comparison and transfer, both of which are traditionally prone to human errors. Next, for user authentication, playful graphical passwords will be designed that can facilitate memorability and improve recognition or recall accuracy. Another research direction is the exploration of playful biometrics based on video game playing patterns. As opposed to most existing biometric systems, this approach is software-only, non-invasive and potentially difficult to impersonate. Finally, in the context of service abuse resilience, playful CAPTCHAs are envisioned. These are games that are easy for the humans, but very hard for a computer, to play successfully. Unlike existing solutions, game CAPTCHAs are expected to be fun, hard to break and resistant to relay attacks.
A core objective of this research is to improve the usability of security technologies. To this end, usability studies are planned which will facilitate a deeper understanding of the main factors presiding over the speed, error-tolerance and psychological acceptability of playful security approaches when compared to the prior state-of-the-art solutions.