Description of original award (Fiscal Year 2016, $49,997)
As submitted by the proposer: The security of computer systems often relies upon decisions and actions of end users, a principle sometimes referred to as "human in the loop". User behavior when faced with security tasks can therefore directly or indirectly impact the overall security of the system. In this light, it is vital to understand users' behavior when subject to such tasks. A large volume of prior research in the field of user-centered security has mostly focused on users' task performance (i.e., how well, or poorly, users perform the tasks) but did not explore the inner workings of users' underlying behavior (i.e., how users process the tasks). In this proposal, we set out to investigate users' susceptibility to cyber criminal attacks by concentrating on the most fundamental component governing user behavior: the human brain. We introduce a novel neuroscience-based study methodology to inform the design of user-centered security systems as it relates to cyber crime. This proposed work is based on our two accomplished studies of phishing detection and malware warnings, one using fMRI (functional Magnetic Resonance Imaging) and the other using EEG (electroencephalography) and eye tracking. We outline our planned fNIRS (functional Near-Infrared Spectroscopy) study, especially focusing on differences in neural activations while users view real and fake artifacts, and an automated detection of real and fake artifacts (e.g., detection of real and fake websites) based on subconscious neural differences. Finally, we discuss the broader impacts and implications of our work to the field of user-centered security, including the domain of security education, targeted security training, and security screening. Our work is well-aligned with President Obama's BRAIN initiative, and hopes to enhance people's cyber health, safety and well-being in the long run with an inter-disciplinary venture cutting across Computer Science, Psychology and Neuroscience.
Note: This project contains a research and/or development component, as defined in applicable law.