Study Main Script:

This section shows the main script for the study, including the variables that will be changed and randomized across participants in the sample. It is followed by an example of what a condition of the study may look like.

You are working on your laptop using $NetworkType. You are $transactiontype. You are relying on a web browser to perform your task. The browser is already using SSL for the session. To log in to the system and start your task, you will need to authenticate using $PWStrength. The system will $AutoLogOff. The $Threat is a serious security concern. Please answer the following questions with regard to mitigating this threat.

$NetworkType values:
1. Your employer’s network at your office
2. Public unencrypted Wi-Fi at a public area (restaurant, airport)
3. Your employer’s VPN that you connected to through public unencrypted Wi-Fi
4. Your employer’s VPN that you connected to through public encrypted Wi-Fi

$transactiontype values:
1. Accessing your email account and replying to confidential emails.
2. Performing a financial transaction using your credit card

$PWStrength values:
1. A password that is at least 8 characters long.
2. A password that is at least 16 characters and must include an uppercase and a lowercase letter, a symbol, and a number digit.

$AutoLogOff values:
1. Automatically log you off the session after 15 minutes of inactivity
2. Never time-out

$Threat values:
1. Man-in-the-middle
2. Packet-sniffing

Q1: Overall, how would you assess the security of the system in the scenario above?
- Adequate security measures that are enough to mitigate the threat
- Inadequate security measures that are not enough to mitigate the threat
- Excessive security measures that exceed the requirements to mitigate the threat

Q2: For each of the following security settings in the scenario above, please indicate their level of security that influenced your answer for question 1.

The following is a definition of the legends used in the table:
- Excessive: The item describes an excessive measure for my security needs.
- Adequate: The item describes a measure that is enough for my security needs.
- Inadequate: The item describes a measure that does not meet my minimum security requirements.
- No Effect: This item had no effect on my decision regarding the overall system security.

(For this question, we might decide to use a slider scale instead of the Likert scale used, or we might conduct the study with both to compare.)

                    Excessive  Adequate  Inadequate  No Effect
$NetworkType
$transactiontype
$Threat
$PWStrength
$AutoLogOff

Please list any comments for improvement that you may have.

(Repeat the first question to test if we primed them)

Q3: Overall, how would you assess the security of the system in the scenario above?
- Adequate security measures that are enough to mitigate the threat
- Inadequate security measures that are not enough to mitigate the threat
- Excessive security measures that exceed the requirements to mitigate the threat

Example:

The following is an example of what a participant may see in the network type scenarios:

You are working on your laptop using your employer’s network at your office. You are accessing your email account and replying to confidential emails. You are relying on a web browser to perform your task. The browser is already using SSL for the session. To log in to the system and start your task, you will need to authenticate using a password that is at least 8 characters long. The system will never time out. The man-in-the-middle attack is a serious security concern. Please answer the following questions with regard to mitigating this threat.

Q1: Overall, how would you assess the security of the system in the scenario above?
- Adequate security measures that are enough to mitigate the threat
- Inadequate security measures that are not enough to mitigate the threat
- Excessive security measures that exceed the requirements to mitigate the threat

Q2: For each of the following elements in the scenario above, please indicate their level of security that influenced your answer for question 1.

The following is a definition of the legends used in the table:
- Excessive: The item describes an excessive measure for my security needs.
- Adequate: The item describes a measure that is enough for my security needs.
- Inadequate: The item describes a measure that does not meet my minimum security requirements.
- No Effect: This item had no effect on my decision regarding the overall system security.

                                                                           Excessive  Adequate  Inadequate  No Effect
employer’s network at your office                                              ☐         ☐          ☐          ☐
accessing your email account and replying to confidential emails               ☐         ☐          ☐          ☐
Man-in-the-middle attack                                                       ☐         ☐          ☐          ☐
need to authenticate using a password that is at least 8 characters long       ☐         ☐          ☐          ☐
The system will never time out                                                 ☐         ☐          ☐          ☐

Please list any comments for improvement that you may have.

1. How would you describe your level of expertise in computer security? (Check all that apply)
[ ] I understand how to configure file system permissions on my preferred operating system for multiple users
[ ] I understand how to configure a firewall to close unnecessary ports and prevent unwanted scanning
[ ] I understand how to set up PKI for personal or enterprise systems
[ ] None of the above

2. In Linux or Mac OS X, which of the following commands is used to change read permissions for the owner of a file or directory:
( ) chmod
( ) chgrp
( ) chown
( ) chroot

3. In Linux or Mac OS X, the setgid flag for the group permission on a directory is used to:
( ) Grant group members read and write access to the directory
( ) Propagate the group name to new files in the directory
( ) Set the user identifier for the owner of the directory
( ) Restrict permission to execute files in the directory to only group members

4. Companies allow their employees remote access to the network (e.g., they work from home, travel, etc.). What is a company’s most important motivation for requiring employees to use a VPN when remotely accessing the network?
( ) Guarantee encrypted traffic, which secures against the impact of running packet sniffers (e.g. Wireshark, TCPDump, etc.)
( ) To secure the employee’s connection to the company’s internal servers (e.g. e-mail server)
( ) To prevent opening a public port to the company’s private network
( ) To ensure data encryption throughout the whole session.

5. Which of the following is considered a good encryption algorithm for encrypting files on your hard disk:
( ) SSL
( ) PGP
( ) SHA256
( ) MD5
( ) TLS
( ) AES
( ) DES

6. From the following list, choose the most secure algorithm for hashing:
( ) SSL
( ) PGP
( ) SHA256
( ) MD5
( ) TLS
( ) AES

7. Please mark True or False:
T ( )  F ( )  The Diffie-Hellman key exchange protocol is not resistant to the Man-in-the-Middle attack.
T ( )  F ( )  Opening a (*.exe) malware file from email attachments is equally harmful on Mac, Linux and Windows platforms.
T ( )  F ( )  It is a good secure practice to use the setuid flag on directories in UNIX-based systems.

8. Consider the following firewall rules (Linux):

    iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Why would an administrator set these rules:
( ) To allow outgoing SSH secure connections.
( ) To allow incoming SSH secure connections.
( ) To allow both: outgoing and incoming SSH secure connections.
( ) To allow both: outgoing and incoming SSH secure connections but only to a specific network.

Demographics

1. Please choose your preferred operating system for daily use:
( ) Microsoft Windows
( ) Mac OS X
( ) Linux. (Please specify distribution): __________*
( ) Other. (Please specify): __________*

2. What is your gender?
( ) Male
( ) Female
( ) Prefer not to say

3. What is your age group?
( ) 18-24
( ) 25-34
( ) 35-54
( ) 55+

4. Please indicate the source(s) of your security knowledge and background:
[ ] academic classes
[ ] job training
[ ] self-taught
[ ] other (please specify): __________*

5. Which job role from the list below is closest to you? (Please check all that apply)
[ ] programmer
[ ] web application developer
[ ] systems developer
[ ] systems administrator
[ ] network administrator
[ ] security analyst
[ ] business analyst
[ ] software engineer
[ ] professor
[ ] graduate student
[ ] undergraduate student
[ ] Other, technology related. (Please specify): __________*
[ ] Other, non-technology related. (Please specify): __________*

6. What is the highest degree of education that you have completed:
( ) Graduated high school or equivalent
( ) Some college, no degree
( ) Associate degree
( ) Bachelor's degree
( ) Master's graduate degree
( ) PhD degree

7. What is your annual household income:
( ) Less than $25,000
( ) $25,000 to $34,999
( ) $35,000 to $49,999
( ) $50,000 to $74,999
( ) $75,000 to $99,999
( ) $100,000 to $124,999
( ) $125,000 to $149,999
( ) $150,000 or more

30) Which country do you reside in?