NSF Award on Preventing Psychology Cyber-Attacks

Approximately six million Americans are targets of identity theft each year. Many of the attacks on identity privacy use psychological influence strategies ("psychological attacks") to induce individuals to provide their private information. Although people are appropriately concerned about their privacy, they often unnecessarily disclose information that could be used to their disadvantage. Our studies have shown that people's privacy exposure behaviors may be severely affected by psychological attacks. Unfortunately, research from a psychological perspective to mitigate the attacks is scarce. This research identifies critical aspects of warnings for a sub-set of psychological cyber-attacks on privacy and provides guidelines for developing effective mitigations against other types of psychological cyber-attacks. We create computer-mediated countermeasures. We also ascertain the extent to which the warnings capture attention, are understood, are memorable, increase perceptions of risk, decrease trust, and lead to compliance under conditions of psychological attacks.

This research is a first investigation of whether theoretical models developed to reduce risky behaviors (e.g., health-related behaviors) can be extended to the domain of computer privacy. The research determines whether warnings can have a significant impact on people's decisions about disclosure of their private information. The effectiveness of our mitigation approach is tested on hand-held devices and web sites with the goal of increasing compliance with the warnings.

This research provides mitigation strategies for private information exposure and provides guidelines for software developers to use when designing privacy-preserving software. Potentially, the results can be generalized to mitigate other current and future psychological privacy attacks. Research findings are disseminated in both social psychology and computer science. In addition, a website is developed to share the research results, the data sets, and the lessons learned, in order to raise awareness of the importance of protecting identity information and mitigating psychological cyber-attacks.