Poster: Towards a Model for Analysing Anti-Phishing Authentication Ceremonies

Phishing uses both social engineering and technical means to carry out attacks. Therefore, human factors incorrect human trust decisions play an important role in phishing. Many online authentication techniques place a disproportional burden on human abilities. Assumptions made about human-protocol behaviour are often flawed. In our approach we use the concept of a ceremony to analyse and improve the anti-phishing security of web authentication. A ceremony [4] is an extension of the concept of network protocol that includes user interface, human-to-human communication and transfers of physical objects that carry data. It is one way of extending the reach of current methods for analysing protocols to include humans. A secure ceremony is secure against both normal and social engineering attacks, such as phishing. The complexity of defining a ceremony comes with modelling a human node and the major effort yet to be accomplished in the field of ceremony design and analysis is the modelling of the memory and processing performed by human nodes [4], [1]. In this paper we present our recent and on-going work on researching human communication processing in antiphishing authentication ceremonies. We propose a new Human Factors in Anti-Phishing Authentication Ceremonies (APAC) framework and outline how to apply the framework to model human node behaviour. By applying our model, it will be possible to identify design principles for minimising human node interaction errors in anti-phishing authentication ceremonies.