Jessica Westbrook

Filipo Sharevski, Paige Treebridge, Peter Jachim et al.

Social media trolling is a powerful tactic to manipulate public opinion on issues with a high moral component. Troll farms, as evidenced in the past, created fabricated content to provoke or silence people to share their opinion on social media during the US presidential election in 2016. In this paper, we introduce an alternate way of provoking or silencing social media discourse by manipulating how users perceive authentic content. This manipulation is performed by man-in-the-middle malware that covertly rearranges the linguistic content of an authentic social media post and comments. We call this attack Malware-Induced Misperception (MIM) because the goal is to socially engineer spiral-of-silence conditions on social media by inducing perception. We conducted experimental tests in controlled settings (N = 311) where a malware covertly altered selected words in a Facebook post about the freedom of political expression on college campuses. The empirical results (1) confirm the previous findings about the presence of the spiral-of-silence effect on social media; and (2) demonstrate that inducing misperception is an effective tactic to silence or provoke targeted users on Facebook to express their opinion on a polarizing political issue.

Filipo Sharevski, Paige Treebridge, Peter Jachim et al.

This paper reports the findings of a study where users (N=220) interacted with Malexa, Alexa's malicious twin. Malexa is an intelligent voice assistant with a simple and seemingly harmless third-party skill that delivers news briefings to users. The twist, however, is that Malexa covertly rewords these briefings to intentionally introduce misperception about the reported events. This covert rewording is referred to as a Malware-Induced Misperception (MIM) attack. It differs from squatting or invocation hijacking attacks in that it is focused on manipulating the "content" delivered through a third-party skill instead of the skill's "invocation logic." Malexa, in the study, reworded regulatory briefings to make a government response sound more accidental or lenient than the original news delivered by Alexa. The results show that users who interacted with Malexa perceived that the government was less friendly to working people and more in favor of big businesses. The results also show that Malexa is capable of inducing misperceptions regardless of the user's gender, political ideology or frequency of interaction with intelligent voice assistants. We discuss the implications in the context of using Malexa as a covert "influencer" in people's living or working environments.

Filipo Sharevski, Paige Treebridge, Jessica Westbrook

This paper presents a specific man-in-the-middle exploit: Ambient Tactical Deception (ATD) in online communication, realized via a malicious web browser extension. Extensions manipulate web content in unobtrusive ways as ambient intermediaries of the overall browsing experience. In our previous work, we demonstrated that it is possible to employ tactical deception by making covert changes in the text content of a web page, regardless of the source. In this work, we investigated the application of ATD in a web-based email discourse where the objective is to manipulate the interpersonal perception without the knowledge of the involved parties. We focus on web-based email text because it is asynchronous and usually revised for clarity and politeness. Previous research has demonstrated that people's perception of politeness in online communication is based on three factors: the degree of imposition, the power of the receiver over the sender, and the social distance between them. We interviewed participants about their perception of these factors to establish the plausibility of ATD for email discourse. The results indicate that by covertly altering the politeness strategy in an email, it is possible for an ATD attacker to manipulate the receiver's perception on all of the politeness factors. Our findings support the Brown and Levinson's politeness theory and Walther's hyperpersonal model of email communication.

Adam Trowbridge, Jessica Westbrook, Filipo Sharevski

In this paper we argue, drawing from the perspectives of cybersecurity and social psychology, that Internet-based manipulation of an individual or group reality using ambient tactical deception is possible using only software and changing words in a web browser. We call this attack Ambient Tactical Deception (ATD). Ambient, in artificial intelligence, describes software that is "unobtrusive," and completely integrated into a user's life. Tactical deception is an information warfare term for the use of deception on an opposing force. We suggest that an ATD attack could change the sentiment of text in a web browser. This could alter the victim's perception of reality by providing disinformation. Within the limit of online communication, even a pause in replying to a text can affect how people perceive each other. The outcomes of an ATD attack could include alienation, upsetting a victim, and influencing their feelings about an election, a spouse, or a corporation.

Adam Trowbridge, Filipo Sharevski, Jessica Westbrook

This paper explores the factors and theory behind the user-centered research that is necessary to create a successful game-like prototype, and user experience, for malicious users in a cybersecurity context. We explore what is known about successful addictive design in the fields of video games and gambling to understand the allure of breaking into a system, and the joy of thwarting the security to reach a goal or a reward of data. Based on the malicious user research, game user research, and using the GameFlow framework, we propose a novel malicious user experience design approach

Filipo Sharevski, Adam Trowbridge, Jessica Westbrook

Training the future cybersecurity workforce to respond to emerging threats requires introduction of novel educational interventions into the cybersecurity curriculum. To be effective, these interventions have to incorporate trending knowledge from cybersecurity and other related domains while allowing for experiential learning through hands-on experimentation. To date, the traditional interdisciplinary approach for cybersecurity training has infused political science, law, economics or linguistics knowledge into the cybersecurity curriculum, allowing for limited experimentation. Cybersecurity students were left with little opportunity to acquire knowledge, skills, and abilities in domains outside of these. Also, students in outside majors had no options to get into cybersecurity. With this in mind, we developed an interdisciplinary course for experiential learning in the fields of cybersecurity and interaction design. The inaugural course teaches students from cybersecurity, user interaction design, and visual design the principles of designing for secure use - or secure design - and allows them to apply them for prototyping of Internet-of-Things (IoT) products for smart homes. This paper elaborates on the concepts of secure design and how our approach enhances the training of the future cybersecurity workforce.