Final Exam Review
Privacy and Contextual Integrity
Q: What is contextual integrity?
A: A privacy framework focusing on appropriate information flow based on norms of specific contexts.
Q: Name the four key elements of contextual integrity.
A: Contexts, actors, attributes, and transmission principles.
Q: What are transmission principles in contextual integrity?
A: Rules governing how information should flow between parties (e.g., confidentiality).
Q: Give an example of a context where privacy expectations differ.
A: Workplace monitoring versus private home activities.
Q: What role do actors play in contextual integrity?
A: They are the participants involved in the information exchange (e.g., sender, receiver).
Q: How does contextual integrity address digital privacy?
A: It evaluates how new technologies disrupt traditional information norms.
Q: What is a privacy violation under contextual integrity?
A: Sharing health records without consent outside the healthcare context.
Q: Why is contextual integrity important for designing privacy-preserving systems?
A: It ensures systems respect existing norms and user expectations.
Q: What is the first step in applying contextual integrity to a privacy issue?
A: Identifying the relevant context and its norms.
Q: How does contextual integrity differ from traditional privacy approaches?
A: It focuses on context-specific norms rather than universal rules.
Q: What is an example of a transmission principle in healthcare?
A: Maintaining confidentiality between doctor and patient.
Q: Can contextual integrity be violated unintentionally? How?
A: Yes, through ignorance of context-specific norms, such as over-sharing on social media.
Q: How does contextual integrity guide policy-making?
A: By ensuring laws respect the norms of specific contexts.
Q: What is the impact of social media on contextual integrity?
A: It blurs traditional contexts, leading to privacy confusion.
Q: Why is contextual integrity relevant in the age of big data?
A: It helps evaluate ethical information use in large-scale data analytics.
Folk Models and Expert/Non-expert Security
Q: What are folk models in security?
A: Simplified mental frameworks non-experts use to understand security threats.
Q: How do folk models influence security behavior?
A: They shape how non-experts identify and respond to threats, often incorrectly.
Q: What is a common folk model of email security?
A: Believing an email with a trusted sender name is always safe.
Q: Contrast expert and non-expert approaches to security warnings.
A: Experts analyze technical details, while non-experts rely on surface cues.
Q: What role does usability play in non-expert security tools?
A: It ensures tools align with non-expert mental models to improve adoption.
Q: What is a key limitation of folk models in security?
A: Over-reliance on visible signs like padlocks, which attackers can spoof.
Q: Why is it important to study folk models in cybersecurity?
A: To design more intuitive and effective security systems.
Q: How do non-experts typically evaluate website security?
A: By looking for visual cues like HTTPS or familiar logos.
Q: What’s an example of a mismatch between expert knowledge and folk models?
A: Believing antivirus software alone can prevent all cyberattacks.
Q: How can folk models be leveraged in security training?
A: By using relatable analogies and scenarios to teach best practices.
Q: How does culture influence folk models?
A: Different cultures may prioritize varying aspects of security, like privacy versus accessibility.
Q: What is a folk model regarding password complexity?
A: Longer passwords with symbols are always secure (not true if reused).
Q: How do experts view phishing compared to non-experts?
A: Experts recognize nuanced patterns, while non-experts rely on superficial trust cues.
Q: What is a limitation of using only expert-designed security protocols?
A: They may be too complex or unintuitive for non-experts to follow.
Q: How can security systems bridge the gap between expert advice and folk models?
A: By incorporating user-friendly features that reflect folk model expectations.
Usable Authentication
Q: What is the main goal of usable authentication?
A: To balance security with ease of use for users.
Q: What is password reuse?
A: Using the same password across multiple accounts, creating vulnerabilities.
Q: Name three password alternatives.
A: Biometrics, hardware tokens, and password managers.
Q: Why are biometrics considered an improvement over passwords?
A: They are harder to replicate and don’t require memory.
Q: What are two-factor authentication (2FA) methods?
A: A combination of passwords and secondary factors like SMS codes.
Q: How do password managers enhance security?
A: By generating and storing unique, complex passwords for every account.
Q: What is a challenge of using biometrics?
A: Potential for theft or misuse of biometric data.
Q: How do authentication systems improve usability?
A: By reducing cognitive load, such as with single sign-on (SSO).
Q: Why is password expiration problematic?
A: It encourages weak, predictable password choices.
Q: What is the main drawback of relying solely on passwords?
A: They are prone to theft and difficult to manage securely.
Q: What is the benefit of multi-factor authentication (MFA)?
A: It provides an additional layer of security beyond passwords.
Q: What usability issues arise from frequent password changes?
A: Increased frustration and likelihood of poor practices like writing down passwords.
Q: How does single sign-on (SSO) address usability?
A: It allows users to access multiple services with one set of credentials.
Q: What is the role of user education in authentication?
A: To promote the use of secure methods and avoid risky behaviors like password reuse.
Q: Why is device-based authentication growing in popularity?
A: It integrates seamlessly with smartphones and wearable tech for ease and security.
Phishing
Q: What is phishing?
A: A cyberattack that uses deception to steal sensitive information.
Q: Name three common phishing methods.
A: Email phishing, spear-phishing, and SMiShing.
Q: What makes phishing attacks effective?
A: Exploitation of human factors like urgency, authority, and trust.
Q: What is spear-phishing?
A: A targeted phishing attack personalized to a specific individual.
Q: How does vishing differ from traditional phishing?
A: It uses phone calls or voice messages instead of emails.
Q: Name a human factor that increases phishing susceptibility.
A: Complacency or lack of awareness.
Q: What is the role of training in phishing defense?
A: To teach users to recognize and avoid phishing attempts.
Q: Name two phishing awareness tools.
A: PhishGuru and Anti-Phishing Phil.
Q: What is the Phish Scale?
A: A framework to evaluate the difficulty of detecting phishing emails.
Q: Why are game-based training tools effective against phishing?
A: They engage users interactively, improving retention of key concepts.
Q: What is SMiShing?
A: Phishing via SMS or instant messaging.
Q: How can phishing websites mimic legitimate ones?
A: By using similar domain names and visual design.
Q: What is a phishing hook?
A: A tactic like a fake urgency or reward to lure victims.
Q: What is pharming?
A: Redirecting users to fraudulent websites without their knowledge.
Q: How do attackers personalize spear-phishing emails?
A: By gathering details about the victim from social media or other sources.
Q: What is a defensive measure against phishing?
A: Browser plugins that flag suspicious URLs.
Q: Why do phishing simulations improve awareness?
A: They let users practice identifying and avoiding attacks in a safe environment.
Q: What is the impact of urgency cues in phishing emails?
A: They pressure users into acting quickly, reducing critical thinking.
Q: What human factor often leads to phishing success?
A: A lack of digital literacy or security knowledge.
Q: How has phishing evolved during the COVID-19 pandemic?
A: Increased use of fear and urgency around health and financial issues.