DOI: 10.1145/3355369.3355571
research-article
Open access

Measuring Security Practices and How They Impact Security

Published: 21 October 2019

Abstract

Security is a discipline that places significant expectations on lay users. Thus, there is a wide array of technologies and behaviors that we exhort end users to adopt and thereby reduce their security risk. However, the adoption of these "best practices", ranging from the use of antivirus products to actively keeping software updated, is not well understood, nor is their practical impact on security risk well established. This paper explores both of these issues via a large-scale empirical measurement study covering approximately 15,000 computers over six months. We use passive monitoring to infer and characterize the prevalence of various security practices in situ as well as a range of other potentially security-relevant behaviors. We then explore the extent to which differences in key security behaviors impact real-world outcomes (i.e., that a device shows clear evidence of having been compromised).

    Published In

    IMC '19: Proceedings of the Internet Measurement Conference
    October 2019
    497 pages
    ISBN:9781450369480
    DOI:10.1145/3355369
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    IMC '19
    IMC '19: ACM Internet Measurement Conference
    October 21 - 23, 2019
    Amsterdam, Netherlands

    Acceptance Rates

    IMC '19 Paper Acceptance Rate 39 of 197 submissions, 20%;
    Overall Acceptance Rate 277 of 1,083 submissions, 26%
