Maass, Max ; Stöver, Alina ; Pridöhl, Henning ; Bretthauer, Sebastian ; Herrmann, Dominik ; Hollick, Matthias ; Spiecker, Indra (2022)
Effective Notification Campaigns on the Web: A Matter of Trust, Framing, and Support.
30th USENIX Security Symposium (USENIX Security 21). Virtual event (11.-13.08.2021)
doi: 10.26083/tuprints-00020574
Konferenzveröffentlichung, Zweitveröffentlichung, Verlagsversion
Kurzbeschreibung (Abstract)
Misconfigurations and outdated software are a major cause of compromised websites and data leaks. Past research has proposed and evaluated sending automated security notifications to the operators of misconfigured websites, but encountered issues with reachability, mistrust, and a perceived lack of importance. In this paper, we seek to understand the determinants of effective notifications. We identify a data protection misconfiguration that affects 12.7 % of the 1.3 million websites we scanned and opens them up to legal liability. Using a subset of 4754 websites, we conduct a multivariate randomized controlled notification experiment, evaluating contact medium, sender, and framing of the message. We also include a link to a public web-based self-service tool that is run by us in disguise and conduct an anonymous survey of the notified website owners (N=477) to understand their perspective.
We find that framing a misconfiguration as a problem of legal compliance can increase remediation rates, especially when the notification is sent as a letter from a legal research group, achieving remediation rates of 76.3 % compared to 33.9 % for emails sent by computer science researchers warning about a privacy issue. Across all groups, 56.6 % of notified owners remediated the issue, compared to 9.2 % in the control group. In conclusion, we present factors that lead website owners to trust a notification, show what framing of the notification brings them into action, and how they can be supported in remediating the issue.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2022 |
| Autor(en): | Maass, Max ; Stöver, Alina ; Pridöhl, Henning ; Bretthauer, Sebastian ; Herrmann, Dominik ; Hollick, Matthias ; Spiecker, Indra |
| Art des Eintrags: | Zweitveröffentlichung |
| Titel: | Effective Notification Campaigns on the Web: A Matter of Trust, Framing, and Support |
| Sprache: | Englisch |
| Publikationsjahr: | 2022 |
| Ort: | Darmstadt |
| Verlag: | USENIX Association |
| Buchtitel: | Proceedings of the 30th USENIX Security Symposium |
| Veranstaltungstitel: | 30th USENIX Security Symposium (USENIX Security 21) |
| Veranstaltungsort: | Virtual event |
| Veranstaltungsdatum: | 11.-13.08.2021 |
| DOI: | 10.26083/tuprints-00020574 |
| URL / URN: | https://tuprints.ulb.tu-darmstadt.de/20574 |
| Zugehörige Links: | |
| Herkunft: | Zweitveröffentlichungsservice |
| Kurzbeschreibung (Abstract): | Misconfigurations and outdated software are a major cause of compromised websites and data leaks. Past research has proposed and evaluated sending automated security notifications to the operators of misconfigured websites, but encountered issues with reachability, mistrust, and a perceived lack of importance. In this paper, we seek to understand the determinants of effective notifications. We identify a data protection misconfiguration that affects 12.7 % of the 1.3 million websites we scanned and opens them up to legal liability. Using a subset of 4754 websites, we conduct a multivariate randomized controlled notification experiment, evaluating contact medium, sender, and framing of the message. We also include a link to a public web-based self-service tool that is run by us in disguise and conduct an anonymous survey of the notified website owners (N=477) to understand their perspective. We find that framing a misconfiguration as a problem of legal compliance can increase remediation rates, especially when the notification is sent as a letter from a legal research group, achieving remediation rates of 76.3 % compared to 33.9 % for emails sent by computer science researchers warning about a privacy issue. Across all groups, 56.6 % of notified owners remediated the issue, compared to 9.2 % in the control group. In conclusion, we present factors that lead website owners to trust a notification, show what framing of the notification brings them into action, and how they can be supported in remediating the issue. |
| Status: | Verlagsversion |
| URN: | urn:nbn:de:tuda-tuprints-205745 |
| Zusätzliche Informationen: | Presentation: 11 slides |
| Sachgruppe der Dewey Dezimalklassifikatin (DDC): | 000 Allgemeines, Informatik, Informationswissenschaft > 004 Informatik |
| Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Sichere Mobile Netze DFG-Graduiertenkollegs DFG-Graduiertenkollegs > Graduiertenkolleg 2050 Privacy and Trust for Mobile Users |
| Hinterlegungsdatum: | 16 Feb 2022 13:11 |
| Letzte Änderung: | 21 Feb 2022 10:55 |
| PPN: | |
| Zugehörige Links: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum