Prioritizing Security Practices via Large-Scale Measurement of User Behavior
eScholarship
Open Access Publications from the University of California

UC San Diego

UC San Diego Electronic Theses and Dissertations

Abstract

Security is an ever-growing concern for daily Internet users, especially since many facets of a user's daily interactions (banking, commerce, workplace) are now accessed via the Internet. Fortunately, recent technical advancements – such as encrypted web browsing, email spam filtering, and login two-factor authentication – have increased the accessibility and practicality of security for users. However, studies show that the majority of exploited attacks take advantage of the human in the loop. Technology and humans are required to work in harmony for security to be effective. As a result, it is crucial that we understand the extent to which users follow best practices, and that we evaluate whether their behaviors in fact help prevent adverse security outcomes. In this dissertation, I argue that large-scale empirical measurement is a practical and effective technique to answer these questions as the basis for prioritizing security practices, and I support this argument with three different projects. First, I use network traffic data and measurement methods to quantify user behavior "best practices" and how they relate to an outcome (in this case, compromise). Next, I examine how communication about a security policy change can affect an organization by analyzing large-scale organizational data. Finally, I quantify attacker behavior in the “Hack for Hire” market by hiring and monitoring attackers, which provides insight into which defenses to prioritize for better protecting users from these types of attacks. By empirically understanding and prioritizing effective security practices, we can further improve security for users.
