L. Marinos and I. Askoxylakis (Eds.): HAS/HCII 2013, LNCS 8030, pp. 176–185, 2013. © Springer-Verlag Berlin Heidelberg 2013

Perception of Risky Security Behaviour by Users: Survey of Current Approaches

Lynsay A. Shepherd, Jacqueline Archibald, and R.I. Ferguson
University of Abertay Dundee, School of Engineering, Computing and Applied Mathematics, Dundee, DD1 1HG
{lynsay.shepherd,j.archibald,i.ferguson}@abertay.ac.uk

Abstract. What constitutes risky security behaviour is not necessarily obvious to users, and as a consequence end-user devices could be vulnerable to compromise. This paper seeks to lay the groundwork for a project to provide instant warning via automatic recognition of risky behaviour. It examines three aspects of the problem: behaviour taxonomy, techniques for its monitoring and recognition, and means of giving appropriate feedback. Consideration is given to a way of quantifying the perception of risk a user may have. An ongoing project is described in which the three aspects are being combined in an attempt to better educate users about the risks and consequences of poor security behaviour. The paper concludes that affective feedback may be an appropriate method for interacting with users in a browser-based environment.

Keywords: End-user security behaviours, usable security, affective computing, user monitoring techniques, user feedback, risk perception, security awareness.

1 Introduction

Despite the widespread availability of security tools such as virus scanners and firewalls, risky behaviour exhibited by the end-user has the potential to make devices vulnerable to compromise [1]. This paper aims to identify what constitutes risky security behaviour, review current methods of monitoring user behaviour, and examine ways in which feedback can be provided to users, with a view to educating them to modify their behaviour when browsing the web.
Previous work has indicated that users need to learn and recognise patterns of risky behaviour themselves [21] [22], thus improving system security.

2 Background

Users often regard system security as obtrusive and as restricting their ability to perform tasks. Owing to this, they often attempt to circumvent these measures, at the risk of breaching system security [2]. It is possible to place risky security behaviours into categories, allowing monitoring techniques to be developed which attempt to capture the behaviour.