
Educating social networking users

A thesis submitted to the University of Plymouth in partial fulfilment of the requirements for the degree of Master of Science
Project Supervisor: Dr. Maria Papadaki

Padmesh Nair
August 2011

School of Computing, Communications and Electronics
Faculty of Technology
University of Plymouth

Declaration
________________________________________________________________

This is to certify that the candidate, Padmesh Nair, carried out the work submitted herewith.

Candidate's Signature:
Padmesh Nair

Date:

Supervisor's Signature:
Dr. Maria Papadaki

Date:

Second Supervisor's Signature:
Dr. Shirley Atkinson

Date:

Copyright & Legal Notice

This copy of the dissertation has been supplied on the condition that anyone who consults it
is understood to recognize that its copyright rests with its author and that no part of this
dissertation and information derived from it may be published without the author's prior
written consent.
The names of actual companies and products mentioned throughout this dissertation are
trademarks or registered trademarks of their respective owners.

ACKNOWLEDGEMENTS

I wish to extend my warmest regards and appreciation to all those people who
helped me during my thesis work and without whose support, encouragement
and guidance this thesis would not have been possible.
I would like to begin by thanking my project co-ordinator, Dr. Maria Papadaki,
under whose guidance I was able to complete this thesis, for providing me
with an opportunity to work with her. Her guidance and professional advice
during the course of the project have been invaluable and very important for me.
I would also like to thank my family, which includes my parents, my sister and
my grandmother, who have all been very supportive and encouraging. I have
always had their blessings to be able to complete this project.
Lastly, I would like to thank God, without whose blessing and presence none of
this could have been possible.

ABSTRACT

"Privacy is dead, and social media hold the smoking gun." Pete Cashmore, Mashable CEO
"Social networks aren't about Web sites. They're about experiences." Mike DiLorenzo,
NHL social media marketing director.
Since the turn of the 21st century, there have been many developments in the technological
world, developments and findings that may not necessarily have improved the way the world
lives, but have definitely changed and revolutionised the way it works. The Internet itself has
changed greatly, from being a service designed for CERN scientists to communicate
amongst themselves to a global phenomenon (Anderson, 2007). And now with the rise of
Web 2.0, or simply a second, much better version of the Web, people are getting more and
more dependent on the Web for everything that they do. The participatory nature of Web 2.0,
along with its user-friendly design and outlook, meant that it became an endless repository of
dynamic information and information exchange which anybody can both add to and
take from (Sharma, 2011). Many services, such as blogging, interactive and target-centric
advertisements and product placements, and e-commerce, soon started to blossom due to the
advent of Web 2.0; however, none of them could profit as much as social networking sites did
during the last half a decade.
In this project an effort will be made to educate users about the potential threats involved on
social networking sites by creating a Flash-based game designed in the format of a quiz. The
users will be put in make-believe situations where they will have to answer questions based
on their existing knowledge of social networking sites and their functionalities. Through the
game, the users will also be made aware of additional facts that can further help their
security measures against the threats on social networking sites. The game will be sent to a
selected group of participants and the results will be collected for analysis. The
results will be studied in depth to evaluate the success of the game and whether creating
awareness by using an interactive medium is a good choice over other means such as designing
posters, making videos, lectures, seminars etc. Based on some of the scenarios, a few
solutions and changes will be suggested to the already existing precautions and measures. The
results of the game show that there is scope for more user responsibility in creating awareness
and that users are open to similar awareness-based initiatives instead of the tried and tested ones
like videos and seminars. Users were also seen to react better to situations if they were able to
correlate them with similar situations.


TABLE OF CONTENTS

1.0 Introduction
1.1 Motivation
1.2 Aims and Objectives
1.3 Thesis Structure
1.4 Chapter Summary
2.0 Literature Review
2.1 Background
2.1.1 Social Network Definitions and Origin
2.1.2 Types of social networking sites
2.1.3 Social Networking Sites and their features
2.2 Summary of the Chapter
3.0 Analysis
3.1 Reasons and motivations for cyber criminals
3.2 Threats on social networking sites
3.2.1 Cross Site Scripting (XSS)
Reasons for success on social networking sites
How to avoid the threat
Limitations
3.2.2 Phishing
Reasons for success on social networking sites
How to avoid the threat
Factors hindering the solutions
3.2.3 Location tagging and loss of locational privacy
Reasons for success
How to protect your location privacy
Factors hindering the solution
3.2.4 Identity theft
Reasons for success
How to protect against identity theft
Factors hindering the solution
3.2.5 Facial recognition
Reasons for success
How to protect from facial recognition
Factors hindering the solution
3.2.6 Real life threats
Safety of children and the growing worries
Reasons for success
How to prevent the situations
Factors hindering the solution
3.3 Sources of threats on social networking sites
3.3.1 Threats from known contacts and friends
1) Spam
Real Life Example
2) Tagging
3) Status updates and posts/communication
Remedies and solutions to the problem
3.3.2 Threats caused by self due to ignorance or neglect
Oversharing
Threats
Real Life Example
Remedies and solutions to the problem
3.3.3 Threats from other sources including third-party applications and vendors
Remedies and solutions to the problem
3.4 Types of threats on social networking sites
1) Privacy related threats
2) Payload/drive-by download related threats
3) Identity related threats
4) Real life threats
3.5 Chapter Summary
4.0 Game design, scenarios and research methodology
4.1 Rationale behind the game
4.2 General Format of the game
4.3 Game Scenarios and the threats covered
Scenario 1: Passwords and its implications
Scenario 2: Phishing and identity theft protection
Scenario 3: Oversharing and privacy settings
Scenario 4: Privacy Policy
Scenario 5: Child Protection on Social Networking Websites
4.4 Research methodology
Sample Size
Getting the sample size to play the game
Data collection, analysis and storage
4.5 Chapter Summary
5.0 Analysis of the game results and evaluation
5.1 Question wise breakdown of the score
Question 1: Password Strength
Question 2: Same password for all accounts
Question 3: One single password for the rest of life
Question 4: Email from social networking site
Question 5: Profile information that needs to be hidden from public view
Question 6: Profile Information details
Question 7: Privacy Policy
Question 8: Under-age profile search
5.2 Questionnaire Results
1) Gender: Male or Female
2) Age Group
3) Have come across such awareness based game before
4) Whether participants read the feedback only if their answers were wrong
5) On which social networking sites do participants have an account in
6) Opinions on the Quiz
5.3 Analysis in depth
Scenario based results
Scenario 1: Password Awareness
Scenario 2: Phishing and identity theft protection
Scenario 3: Oversharing and privacy settings
Scenario 4: Privacy Policy
Scenario 5: Child Protection on Social Networking Websites
Important points
5.4 Evaluation of the game
Questionnaire analysis
Demographic structure
New Concept
Reluctant and uncaring users
Facebook triumphs again
Opinions on the quiz
5.5 Chapter Summary
6.0 Conclusions and Future work
6.1 Limitations of the work
Development of the game
Format of the game
6.2 Scope for Future work
References

1.0 Introduction
Social networking sites today have become something much more than just a chat service
provider; these days they provide services and interactions as varied
and far-fetched as job profiling and video and photo sharing, and some sites like Second Life and
World of Warcraft even offer users a chance to lead an alternate virtual life. The variety of
applications that social networking sites can provide for an individual is almost unparalleled
amongst other Web services. Therefore it is no surprise that social networking sites have been
expanding the most among all services (Leitner and Grechenig, 2008). Bausch and Han
(2006) had said that social networking sites were growing at the rate of 47 per cent every year
and contributing to 45 per cent of the web users.

However, as more and more people are attracted towards them, social
networking sites are becoming less and less safe for users. Social networking sites are becoming a
preferred area of target for cyber criminals, as the wide-ranging reach of these sites coupled
with their interactive and media-friendly nature has meant that criminals can exploit them for any need
of theirs as they wish. Some of the top threats facing the users on social networking
sites include worms, phishing attacks, Trojans, data leaks, address obfuscation, botnets,
cross-site request forgery and many others (Network World, 2010). However, it is not always
the case that security mishaps on social networking sites are the brainchild of hard-core
cyber criminals; script kiddies and novice hackers have also been known to cause certain
problems in the past. An example is the infamous Samy worm that infected MySpace users, which was
created by a 19-year-old teenager purely to boost his ratings. While the worm did cause a little
panic, in the long run it only alerted the developers to tighten their security against XSS
(cross site scripting) attacks (Lai, 2005). However, examples like these are few and far
between, and it is safe to say that the majority of the security lapses on social networking sites,
whether on the user's end or the developer's end, could cause a serious breach in privacy and
lead to information loss.

Social networking sites on their part know that it is essential to keep hold of the users and
provide for their safety, making sure that they improve security and devise new methods to
keep away the cyber criminals. But the fact remains that the main reason that cyber criminals
thrive so much on social networking sites is that the efforts put in by the sites to protect
the users are not being reciprocated by the users themselves. Lax security measures
combined with not adhering to proper social networking etiquette with regards to sharing
of personal information have meant that it is the end user that is the weak link when it comes
to the fight against cyber criminals. It is easier to lull users into a false sense of security in a
virtual online world as opposed to in real life, primarily due to the lack of direct physical
interaction and the heightened sense of anonymity that the Internet brings with itself
(McDowell, 2006). As a result, the users think that many of the security concerns and
precautions are exaggerated and blown out of proportion.

Creating awareness on the side of the user and educating the user will ensure that the efforts
made by the social networking sites in protecting the users won't go to waste and that it will
become that much more difficult for a cyber criminal to take advantage of the users.

1.1 Motivation

By now it is common sense that social networking sites can be exploited by cyber criminals
far more than any other Internet service these days, mainly due to their popularity and
widespread reach. As the years have gone by the threats have only increased; Sophos (2011) in
their report have substantiated this very fact by claiming that over the last two years,
incidents like spam, phishing and malware have doubled on social networking sites. For
example, in April 2009, almost 33% of the people surveyed said they had received spam
messages, while for the year 2011, 67% of the people surveyed agreed they had received
spam. Facebook seems to be one of the favourite and preferred social networking sites for
cyber criminals, perhaps not surprising considering that Facebook has one of the highest
numbers of users amongst all the social networking sites; comScore (2011) have said that
Facebook was the leading social networking site in 15 of the 18 countries they surveyed in
Europe, with the UK having the second highest penetration rate with over 80 per cent.
The UK police have released a statement that in the country over a period of five years,
Facebook-related crimes have touched the 1,00,000 mark, with complaints being received by
the police in over 16 forces with regards to crimes like suspected terrorism, sudden deaths,
missing pets, firearm offences, frauds, hate crimes and sexual offences (Gill, 2010).

The motivation for the topic was derived from these statistics and figures, which proved that a
general awareness of social networking threats needs to be inculcated among the users. The
Sophos (2007) experiment was a good example of how it was relevant for someone to bring
notice to the fact that users on social networking sites clearly at times don't care with whom
they share information and are willing to gamble on their security to get more
friends/followers and become popular online. Most of the crimes that take place are due to
this very fact that users on their part are too careless about the security of their own
information and in the process are not only putting themselves at risk but also, in some cases,
their own friends/contacts. With the scope of social networking sites these days being
extended to that of a business-oriented/organisational-level tool, the subject of creating
awareness also covers certain aspects of information security management,
such as data protection, information retrieval, access policy, reputation management etc.
Everett (2009) has rightly said that while the benefits of social networking tools to business
are many, fears of data leakage, time wasting and reduction in productivity mean that social
networking is more of a risk to companies than a boon and should be factored into a
company's information security strategy. BBC News (2007) claim that a study conducted by a
law firm called Peninsula has revealed that UK businesses lost 233 million working hours
per month to social networking sites and the time spent on them by employees.

1.2 Aims and Objectives

The aim of the project of creating user awareness and educating the users about the perils of
the social networking sites will primarily consist of three phases which are as follows:
1) Get a clear picture of the current scenario with regards to the following areas:
   - Security and privacy issues in social networking
   - The extent of the problem
   - The factors that are hindering the area and the possible solutions to the situation
2) Design and develop an interactive situation-based game that will raise
   awareness of the situation
3) Evaluate the success of the game and understand how it can help the user in better
   understanding the threats involved and help them tackle such problems if they are
   faced with them

The game to be developed will have a quiz-based format and will be developed
in Flash using software called Articulate Quizmaker 09. The game will consist of real life
scenarios which will test the participant's knowledge of social networking dos and don'ts. At
the end of the quiz, the results will be analysed to have a look at some of the common
mistakes a user makes. At the end of the quiz there will be a small questionnaire which will
help in evaluating the success of the game, besides also acting as a demographic tool. By
trying to collect other information, such as whether the user has played/been involved in a
game of such a nature before, wherein they are made aware of the social networking threats,
one can make a case for such fun and interactive awareness measures to be developed
as opposed to just plain old sermonising material which, many times, the user may or may not
go through. The attention span of the average user these days is dwindling at a very fast rate;
therefore it is important to try and do something which will attract users and possibly
make them self-aware of the problems that exist.

1.3 Thesis Structure

The thesis will be divided into six sections, with each section containing many sub-sections
and paragraphs according to the ebb and flow of the section. Section 1 was the Introduction and
contained a brief description of the thesis topic, the motivation for choosing the topic and the
aims and objectives that needed to be completed so as to make the thesis comprehensive.
Every section will contain a summary at the end which will act like a gist for the entire
section and help in understanding the main points to be taken from each of the sections.
Section 2 begins with a literature review which takes a look at some of the relevant and
useful literature that was researched whilst writing the thesis and also during the development
of the game. The literature that is described in the section may not necessarily have
been a body of related work, but in some way or the other has helped the author to better
understand the psyche of the users and also the various features of social networking sites.
The section titled Background acts like a scene setter that will look at what a social
networking site is, the various types of social network and some of the features of a social
networking site.

Section 3 contains the analysis part of the thesis, where the various threats that exist today in
social networking sites will be analysed and certain solutions to those problems will be
discussed and developed.
Section 4 contains discussion about the development of the game, its working and how the
success of the game will be evaluated. The section will also contain a research methodology
section which will discuss how the game was distributed to its sample size of 30 users,
in addition to explaining how the data was collected and stored,
where it was stored and so on and so forth.
Section 5 will contain the analysis of the results of the game and its various implications.
After every analysis, a level of awareness that is needed for that particular threat or topic will
be discussed with respect to its current situation, i.e. how much the user knows about the
topic/threat. The analysis of the questionnaire will go a long way in helping evaluate the
success of the game and in making a case for more such awareness-based initiatives.
In the sixth and final section there will be a brief wrap-up of the thesis in terms of what it was
able to achieve and what could have been done better. In the Scope for Future work section,
there will be discussions giving evidence from the current thesis of why the concept of
educating users with the help of a game medium still has a lot of work to be done.

1.4 Chapter Summary

Social networking sites are one of the most popular and hence most frequently used
Web services, offering many features and applications and attracting people from all age
groups, genders and nationalities/races alike.

Social networking services/sites are also one of the fastest growing web services, with
adult usage statistics in countries like the US expected to grow by 44% by the year
2013 (Walsh, 2009), while in parts of Europe the growth is expected to be around 42%
by 2015 (Tavilla, 2011).

However, due to their immense popularity, they are also becoming a very unsafe place to be,
with cyber criminals ensuring that they make them their preferred area of target.

The need for social networking awareness is now more important than ever,
especially considering that many of the younger generation are getting addicted to it
but seem unaware of the threats involved in it.

The project will be divided into three phases, which include getting an idea of the
current scenario with regards to the threats, followed by designing and developing a
game that creates awareness amongst users, and finally evaluating the success of the game
to understand whether the game was able to create an awareness among the
users/participants taking part in the game.

2.0 Literature Review


While working on a thesis that involves creating user awareness of the various social
networking threats, it is important to know the kind of mistakes or bad practices that can
put a user in trouble online. One of the big mistakes that a user makes on social
networking sites is sharing too much information, often with the wrong people or with
everyone. The extent to which people share and reveal information to anybody,
especially to a stranger, was a subject of intrigue and much criticism even in the days
before the rise of social networking sites. Online chat rooms and blogs were prime examples
of where many people have shared personal details with disastrous consequences.
However, the seriousness of the same problem on social networking sites was
first brought to light by the study conducted by Sophos (2007). In this study Sophos created a
fake profile under the name of Freddi Staur (the words "ID Fraudster" rearranged) and
randomly sent contact requests to 200 Facebook users all over the world. Freddi Staur's
profile had minimum information divulged, including a display picture of a toy frog. It was
found that 43.5% of the 200 users contacted responded to the friendship request from Freddi
Staur. 82 out of the 200, or 41% of the users, even shared personal information upfront. A
detailed breakdown of the personal information leaked is as follows:

Birth dates: 84% of the respondents
Email information (one or more email IDs): 72%
Address or current location: 78%
Phone number: 23%
Education or workplace details: 87%
IM screen names: 26%

In addition to this, Freddi was able to gain access to quite a few of the users' photos of family
and friends, likes and dislikes. One user even went to the extent of giving his mother's
maiden name away, a detail often used to verify or confirm a person's true identity while
retrieving his/her account details with credit cards and bank accounts. As seen by the study,
some of the details so openly revealed were of a highly personal nature, and if such details
and information were to be handed to an identity thief or an impostor today then the
consequences could be worse. Spammers could have used the same information to
add to their database of users to send spam to, while an impostor could have
created a fake profile of any of the 82 users within seconds on any social networking site of
their choice.

While it is fair to say that a lot of changes have been made and awareness created since then, not to
mention that a lot of Facebook's security settings have been changed and improved, this study is
shocking and again proves the point that unless the human element is controlled, perfect
security can never be achieved even with all the high tech firewalls and encryption methods
(Mitnick and Simon, 2002). The report even says that many responded back to Freddi Staur
by sending him emails asking him about his identity, while some even went on to place
Freddi Staur as their top friend. As a side project, Sophos also poked (Facebook's way of
pinging someone without establishing actual contact with them) an additional 100 users and
found that only 8 people responded, with just 5 of them revealing personal information
to Freddi. This conclusively proved to Sophos that users are willing to divulge personal
information to strangers only in return for a long term friendship or commitment, a
feeling/emotion which a cyber-criminal wouldn't find too hard to fake online anyway. The
Sophos report was an eye-opening report at its time, one which made everyone take notice
of some of the problems that existed at that time. The report in its entirety has not
blamed Facebook for the users revealing their information and has in fact heaped praise on
Facebook for having one of the better security settings in place compared to some of the other
sites.

From the point of view of complete analysis and creating a demographic, the Sophos report
can be said to have been limited in its scope. An exact breakdown of the people who
responded would have helped to understand and precisely identify the exact group of people
who seem to be so lax with their security. At this moment one can only guess that since
Freddi Staur masqueraded as a young single male, perhaps the majority of the respondents
could have been women with a similar background, although without any concrete evidence
this assumption is inaccurate. Also it would have been interesting if the report had some
data/information with regards to the respondents' computer knowledge. One can assume that
those from a computer/information security background would think twice before accepting
any random stranger as a friend. This kind of information would have made it easier to
establish the fact that people with a certain background or knowledge about an issue are less
likely to have problems dealing with that issue as opposed to someone who hasn't any idea.
Therefore it is also possible that those people with a better idea of security would also
advise other naive users not to make those mistakes. On the topic of sharing information on
Facebook, there has been other research as well, with Christofides, Muise and Desmarais
(2011) saying that adults are as likely to share information on Facebook as teens are.

Bringing the attention of the world to the threat of identity theft using some of the
information that people carelessly share on social networking sites, Acquisti and
Gross (2009) have shown how easy it is to accurately predict someone's SSN by just
knowing a user's personal details. Using a publicly available file called the DMF (Death Master
File), which is used to store the SSNs of the deceased, they were able to accurately guess up to 5 digits of the
SSN for 44% of the people on the DMF list on the first attempt. An additional 8.5% of the DMF
numbers were accurately guessed up to all six digits with less than 1,000 attempts. The SSN was
guessed by knowing various details. Not all of the details used to guess the SSN were
taken from social networking sites; some of them were taken from voter registration details
available on public databases. Nevertheless, this paper from Acquisti and Gross (2009) was another eye
opener, showing that not following the security procedures on social networking
sites could lead not only to malware and worms but also to potentially more serious crimes like
identity theft. The paper in itself was more about the predictability with which SSNs are
calculated and allocated, and why it is not a good idea to use them as a form of authentication,
than about social networking sites. But the underlying message from the paper was to
avoid sharing too much publicly on social networking sites, especially information like date of
birth, address.

The way the human psyche works has always been a topic of mystery and interest. In our
scenario it would make for fascinating reading to see how users respond when they see
that they have a friend/contact request from a complete stranger, and what goes through their
mind when they share their information with someone whom they have clearly just met online.
Turkle (1995) feels that the Internet acts like a virtual laboratory where users can mix and
match and casually experiment with various versions of their own self due to factors like
anonymity and multiple outlets of social interaction. As a result, an average user tends to
attract more attention than he/she would have normally got at a real life social event. The
urge to interact and connect to a complete stranger is a personal decision and may vary from
person to person on the Internet. The users must clearly have their very own perceptions
of security and trust, which may not always correspond to the actual definition of security or
what can be considered as safe and acceptable in terms of their online security. Then there is
the added factor of peer pressure that comes with social networking sites, which means that it
becomes important for everyone to have a certain number of friends/followers on their social
networks. It has become as much of a personal statement for an individual these days to have a
social network profile with over 500 friends/contacts as it is to perhaps own a top of the range
luxury car or the latest flat screen TV.

In this quest to have more friends on their online networks, many users are tempted to go
overboard on certain aspects of their life online. In fact even the process of joining a social
network site often comes from the fact that there is a certain amount of influence on a user
from his friend circle/office group/family etc. This interpersonal social influence will always
have an important say in every user's personalization, identity and decisions (Friedkin and
Johnson, 1999). The study conducted by Backstrom et al. (2006) only proves this point of
social influence. Backstrom et al. (2006) tried learning the reasons why people join groups or
communities in a social networking site. They found that an individual is more likely to
join a social networking group if he/she has friends who are already in a group or a
community. Basically the study says that an individual's ability to choose something is
greatly influenced by the number of his/her friends doing it. Peer pressure of this kind is one
of the main reasons why a majority of people, especially teens, turn towards social
networking sites. They are tempted to share their private life on social network sites because
they feel the urge to do so after seeing others in their network do the same. There have been
many other bodies of research that have taken a look at how relationships develop online
(Lyon, 1997; Wellman and Gulia, 1999). In the scope of this research it is essential to know
how relationships develop online and what makes a user more likely/less likely to
connect/add/follow a certain individual, page or community on social networking sites.

The work done by Lampe, Ellison and Steinfield (2007) helped further understand the
mentality behind users sharing too much information on social networking sites and with
whom they are more likely to share information. The study says that there is a clear
correlation between the amount of information shared on a Facebook profile and the number of
friends a user has on his/her contact list. Using a dataset of over 30,000 Facebook profiles,
Lampe, Ellison and Steinfield (2007) prove that profile elements, or what fields are filled in
profiles, can act as signals that can reveal information about the identity of the user. Profiles
can also give away or contain information that can help enhance mutual understanding by
developing a common reference point between users, which further leads to a better and
stronger connection between users. Users have clearly no other choice but to share a lot of
information because it would automatically mean that they get noticed by many more people
on Facebook and therefore have more connections. The ability of social networking users to
add and find people by their names is very useful in cases where it is essential to reconnect
with old high school mates whose current whereabouts are not known, but who can be searched by
their name instead. The study by Lampe, Ellison and Steinfield (2007) says that basically if
one has more information filled out on their Facebook profile it becomes that much easier to
precisely search for that particular user out of possibly thousands of users with the same
name.

Using three indices, namely referents, interests and contacts, the study was able to make out
what information people are likely to share under each of those areas. In terms of our existing
topic, this paper was able to help us understand why users give in to the desire to share too
much information on their profiles. The users on their part can argue that they share
information owing to reasons as varied as peer pressure (with having a complete and filled
out profile) to the ease with which they would want themselves to be connected to others.
While some of the arguments put forth by users and by Lampe, Ellison and Steinfield make
sense, what users must be educated about is the use of profile visibility
settings. It is never a good idea for users to share their information with absolutely anyone on
the Internet, but only with a certain subsection of their friends, and if they are unsure of the
friends, they also have the option to hide the information. Also in the case of staying safe
online it is important to make the user aware of sharing information that can have different
meanings and different implications from user to user. For example, while it may
be okay for a single mother to list her relationship status as single, it won't be a good idea for
her to list the names of her children or the school that they attend on her profile, because the
information can be useful to any paedophile who happens to be lurking around her profile,
and if she also happens to have her occupation/work place information and address
listed, then it can make the paedophile's job that much easier in terms of getting to her
children when she is at work or away.

Shin (2010) tries to understand the role of social networking sites themselves when it comes
to creating a perceived security effect on users. The report also tries to learn the role of trust
in social networking sites. Though the report is very exhaustive and not at all
easy for a layman to understand, using the principles of the trust based decision making process, Shin (2010)
has created a user model for accepted security perception when it comes to social networking
sites. In the paper, two new terms, perceived security and perceived privacy, have been
identified. Perceived security can be termed as the extent to which users believe in the
security of a social networking site (Yenisei et al, 2005); it is basically the user's idea of
security as can be seen by him/her. Shin (2010) states that perceived security has much more
effect on user attitude than perceived privacy. The report further goes on to say that basic
protection techniques may not prove enough for users to trust social networking sites; they
always want some other form of comfort to calm their concerns about privacy and gain more
trust. Social networking sites often don't encourage good practices, but are quick to point out
potential bad security settings of a user. By equally appreciating the good practices and the
bad practices, social networking sites must ensure that they aren't making bad examples of
users, but also believe in some positive reinforcement. In terms of creating awareness and
imparting education, there has to be a greater stress on rewarding the good users. Social
networking sites can take a cue from Web 2.0 and its information sharing and dissemination
capabilities and ensure that the good user is able to share some load of the responsibility that
comes with ensuring safety and be able to teach the not so safe users about the same. Social
networking sites should have a system where they have real life examples of users who have
followed the site's policies on security and have benefitted from it.

Another example of an unexpected and seemingly innocuous attack was devised by
Wondracek et al. (2010), which exploits a user's group information to steal
vital revealing information about the user. In the study they attack group membership
information on social networks to completely identify a user. With the help of history
stealing, Wondracek et al. (2010) suggest they can uniquely identify or de-anonymise a user
or at least significantly reduce the number of possible result sets. This paper clearly throws a
new light on the personal privacy settings issue, as with the help of this attack it is possible to
find out about a user through the groups he/she may have joined and not necessarily through
his/her personal information alone as was previously thought. In the paper, Wondracek et al.
(2010) concentrated on sites like Facebook, LinkedIn and Xing for the attack. The paper quite
clearly states how sometimes one can be open to attacks like phishing, identity theft etc. and
the perpetrators don't require your personal information for such attacks. Wondracek et al. (2010)
have highlighted the importance of social networking sites educating users about such
attacks; it is important to let them know that disclosing information about group membership
can also be quite dangerous these days. In terms of the scope of this particular topic, the study
done by Wondracek et al. (2010) confirms that when it comes to security and privacy online,
it is always good to be on the extra cautious side with minimum information divulged rather
than end up having your information stolen and misused.

Considering the gravity of the social networking scenarios and the threats posed by them, it is
important for government to have some form of control over the amount of information and
the security settings enforcement in social networking sites. Hogben (2007) has some
government policy recommendations, such as having awareness raising and educational
campaigns about the issues both at the users' end and on the software developers' side. Another
suggestion in the paper is to continuously review and reinterpret the regulatory framework, to
ensure that no loopholes develop in it over a period of time which can then be misused by
criminals. The report says that users must know various details like the status of their account
and its information after voluntary or forced account closure, the position of image tagging
with respect to third parties, and who is to be held responsible for security flaws that happen due
to the user introducing some script or mark-up.

Hogben (2007) states that social networking sites must be more transparent about what they
are going to do with user information or why they need particular information. It is only
logical for the user to totally understand the way in which his personal information is being
used by the social networking sites. The paper, funded by ENISA, dates back a few
years but nevertheless contains some good information and updates on social networking
sites, their working, certain terminologies etc. Stronger authentication is also encouraged in
certain scenarios wherein the user can benefit. The paper was very useful in terms of the
scope of the current topic as it touched on government policy recommendations on awareness
and educational campaigns on various issues as well as recommending reinterpretation of
regulatory frameworks. The fight against cybercrime on social networking sites is not too
different from other information security related threats and should be fought on many fronts.
User awareness, policy changes and developmental regulations all have to be looked at to
ensure that the social networking sites can become a safe place.

Lastly, since the topic heavily deals with the issue of raising awareness in a security related
context, there are quite a few papers available that talk about the importance of creating
corporate awareness and/or policies in work places, which were found relevant to the creation
of the design and the working of the game. Rasmussen (2005), Kabay (1993) and Wilson and
Hash (2003) have all looked at ways of creating and implementing security awareness. While
the literature has been written keeping in mind a corporate/work place audience, there are
many relevant points that can be used in this topic. Kabay (1993) focuses on the stress that needs
to be laid on changing the beliefs, attitudes and behaviour of not only individuals but also of
groups if security is to be improved. Citing Lippa (1990), the paper touches on how often
preconceived schemas influence the way we think or view an idea.

Translating the concepts of schemas described by Kabay (1993) to the present topic, it can be
inferred that users tend to think that they are different from the rest and often rely on their
own judgement of a stranger and think that it is different from those of other people, unique
and often right. Every individual user believes that their main threat is always from a
stranger/contact who happens to be from someone else's friend/contact list. A user often
believes that the threat comes from hackers/users who look the part and that they are safe
from their own friends/contacts. They obviously overlook the threats that are incurred from
their own negligence, mistakes and misbehaviour and those of their friends/contacts. As a result,
they wouldn't think twice before clicking on a spam-containing link or message that
originated from a known friend/contact. Spammers and malware creators often feed on this
particular weakness and always ensure that when targeting a user they try to make it look as
if the spam/worm and/or its contents originated or were shared from a known contact of the
targeted user.

Wilson and Hash (2003) feel there are three crucial steps in the development of an awareness and
training program, namely designing the program, developing the awareness material
and lastly implementing the program. The game developed for this particular topic was
designed keeping in mind the steps mentioned by Wilson and Hash (2003). The
implementation was crucial for this topic as it helped in analysis and drawing a conclusion
with respect to evaluating the success of the game.

2.1 Background

2.1.1 Social Network Definitions and Origin

To understand what social networking sites are, it is essential to understand first what a
network, or in this case what a social network, is. Social networks are nothing but nodes of
individuals, groups and organizations that are inter-related and interdependent in such a way that
they may share interests, other contacts, vision, ideas, dislikes etc. (Serrat, 2009). Social
networking sites can be defined as Web based services that allow the formation of the
aforementioned social networks in a virtual world online. Boyd and Ellison (2007) define
social networking sites as web based services that allow the user to essentially do three
things:
1) To create a public or semi-public profile in a controlled/bound environment
2) To specify a list of people with whom they have a connection, to be seen by others
3) To view and go through their own list and also those of others in the social networking system.

Figure 1 : A social network (King, 2006)


Exploiting the growing effect of the Web over the computing world during the late 1990s,
Sixdegrees.com launched the first ever social networking site in 1997. The site borrowed its
name from the Hungarian writer Frigyes Karinthy, who came up with the notion that any
randomly selected human in this world could be linked to any other through six
steps/links/networks (Zang and Tu, 2009). As a predecessor to today's sites, Six Degrees
allowed members to list friends, contacts and kin both on the site and externally (Boyd and
Ellison, 2007). During that time there were some other sites that provided a similar
functionality of networking with others. Popular examples included chat sites, dating services
and matrimonial sites, but very few, if any, of them allowed the users to share their contact
list and see what the other users did. This is one of the features which separates social
networking sites from other web services: the ability to share and see one another's
friend/contact list.

Live Journal, created two years later in 1999 by Brad Fitzpatrick, helped users to exchange
journals between them and was an instant hit (Live Journal, 1999).
Some other companies to follow suit in the subsequent years were:

Cyworld (Korean company): 2001
Lunar World (Sweden): 2001
Ryze.com (business oriented): 2001

A more detailed time-line of social networking sites and their growth can be seen in Fig. 2.

2.1.2 Types of social networking sites

Though the basic premise of most social networking sites is the same, i.e. to connect and stay
in touch with friends and associates, there are various options for the content that can be
shared on social networking sites and also for the interests or themes around which a social
networking site can be based. It is possible to divide social networking sites into
different types depending on many factors like who/what they cater to, the type of content
that can be shared, the type of people that they are designed for etc.

1) Social networking sites based on the audience they cater to


Depending on the kind of people and/or businesses that a particular site can cater to, it is
possible to classify social networking sites into two: broad-range social networking sites and
special category/niche social networking sites (Hudson Horizons, 2011).

Figure 2: Social networking sites and its growth (Boyd and Ellison, 2007)

a) Broad-range social networking sites


Broad-range social networking sites are sites that can cater to a wide variety of people,
offering a variety of services like chat (video chatting is a new option), photo and
video sharing, applications and games. Examples include Facebook and MySpace, which cater
to people of all ages, genders and nationalities.

b) Niche social networking sites


There are other social networking sites that cater to a particular type/category of
people or catering to a particular interest/need. Examples include YouTube where
users share videos, Flickr where users share photos. There are even social networking
sites for pet-lovers to have their dogs and cats online, sites like Catsters, Dogsters,
MyDogSpace, PetBrags etc. (Nations, 2011)

2) Social networking sites based on the type of services provided


Depending on the type of services provided, it is possible to classify social networking sites
into business oriented, dating applications/match making sites, medical applications,
socio-political applications, entertainment oriented, academic social networking sites and
financial applications based sites.

a) Business oriented social networking sites


Ryze was one of the first business oriented social networking web sites, 
developed by Adrian Scott in 2001. Ryze is used to help people with businesses
connect with each other in an effort to help each other out and expand their
businesses, while alternatively helping people to find jobs and build a career (Ryze,
2011). Ryze is an example of a business oriented website where membership is both
free and paid, depending on the type of service needed on the site.

Other examples of business oriented sites include LinkedIn and Hub Culture. In fact Hub
Culture is a type of invitation only social network that brings in the world's leading
knowledge leaders, combining the real and virtual worlds while dealing with
knowledge sharing materials based on a virtual currency called Ven (Dryza, 2009).

b) Dating Applications
Working on the principle of good old match making matrimonial services, dating
applications help people to meet their real life partners by having them fill out
information like age, gender, sexual preferences, likes, dislikes etc. that can then be
used to find the right match for a particular individual. In keeping with
modern times and changing attitudes there are even dedicated dating sites for
homosexuals, sites like Gaydar, GayRomeo etc., while there are a few open dating sites
that allow for same sex dating.

The rise of popular social networking sites like MySpace and Facebook in recent years
has meant that the dating sites have lost their pull due to many reasons like
membership fees, more crowd, popularity and limited features/services (Francisco,
2006). Popular examples of dating web sites include Match.com, eHarmony.com,
Chemistry.com and Yahoo! Personals (closed down at present).

c) Medical Applications
Medical professionals are turning to the features of social networking sites not only to further
spread their knowledge but also to get connected with other medical institutions from
across the world, finding out rare cures or medicines in the process. Pharmaceutical
companies are already making their presence felt on social networking sites, as it was
revealed that they spent over 30 per cent of their marketing money on social
networking sites (Stanford GSB, 2010). There are sites developed for specific types of
diseases and even addictions as well. SoberCircle (also known as OneRecovery) is
one such site that allows alcoholics and other chronically addicted people to recover by
interacting with each other and getting guidance.

Other examples of medical applications oriented social networking sites include
PatientsLikeMe, Daily Strength, Spark People etc.

d) Socio Political applications


While there aren't any known social networking sites that cater purely to any
government or organisations, pages and profiles are known to have been created
on social networking sites that have helped them reach out to the general public. In the US,
agencies and organisations are known to have their social networking pages,
for example agencies like the US Environmental Protection Agency, USA.Gov and the Library of
Congress (USA.Gov, 2011).

In other examples politicians and social workers are known to create a campaign or
an awareness page to get closer to the masses. The general public feel that they are
part of the larger process because of the involvement of the government organisations
in their life, and the social networking sites allow for a greater transparency in the
various workings of the agencies and organisations. Social networking sites and Web
2.0 have had a lot of impact on recent revolutions in Egypt and Libya (Gaudin, 2011).

e) Entertainment Oriented
Video sharing sites like YouTube, Fotki and Gather.com are popular forms of this
type of site. While to be honest even the general category of social networking sites
offers video and photo sharing capabilities amongst other services, there are the ones
like YouTube and Flickr that are primarily used to share videos and photos. Then there
are social networking sites that offer users a gaming experience by allowing them to
live a virtual life; Second Life is one such popular online service, with over one
million active users as of 2011 (Rosedale, 2011). Playfire, Wakoopa and Raptr are a
few other social networking sites which provide gaming services to the user, although
these sites haven't developed their own games like Second Life and just have games
hosted from other sources.

There are social networking sites that are based on movies and let users share and
discuss their favourite movies and review upcoming movies. Users can find
and connect with users who share a similar interest in movies. Some famous
examples of such sites include FilmAffinity and Flixster. And if movies are there, can
music be far behind? Sites like Gogoyoko, Indaba Music, Last.fm and MOG are a few such
sites which provide a platform for music lovers, including budding and upcoming
musicians and singers. Not to forget sites like MySpace, which already has
pages/profiles of many famous music bands and artists.

f) Academic Social networking sites


Even though in most schools social networking sites are frowned upon, social
networking sites have their part to play in academic areas as well. Academia.edu is
one such site that allows academics from all over the world to collaborate with and
share each other's literary works in over 100,000 research areas (Academia, 2011).
Social networking sites like Ning are also being used to foster relationships between
teachers and students and further help the process of learning and teaching (LSIS,
2011). Other examples of similar sites include TeamWiki, LearnCentral, TeachStreet
etc.

g) Financial applications
Sites like Hub Central, mentioned before, are an example of financial application
based social networking sites, where trades and businesses can be simulated using a
virtual currency called Ven. Ven is the only currency to be linked to the environment,
by virtue of carbon pricing contracts being used to value it (HubCulture, 2010). Other
examples like Meettheboss and LinkedIn are also widely used for finance related
trading and meetings.

h) Location based social networking sites


Location based social networking sites or

Social networking sites can sometimes also be classified by the country or nationality they
are used for; such sites have been specifically designed for a particular country, its people
and language. It is also possible for a social networking site to exist in different languages
so as to cater to a wider audience. For example, SkyRock is a very popular social networking
site available in languages like French, German, Dutch, Italian, Spanish and also English.
Other examples include QQ, Xiaonei and 51 in China and V Kontakte and Odnoklassniki in Russia,
while Maktoob is very famous in the Arabic speaking community (Coleman, 2009).

According to Coleman (2009), here are some other social networking sites that are specific to
various countries, which many people outside those countries wouldn't have heard of.

Country             Social Networking Site
Hungary             Iwiw
Poland              Nasza-Klasa
South Korea         Cyworld
Philippines         Friendster
Netherlands         Hives
Czech Republic      Lide
Japan               Mixi
Latvia/Lithuania    One
Taiwan              Wretch
Vietnam             Zing

2.1.3 Social Networking Sites and their features

Social networking sites are often designed around the assumption that people always need
to make more connections than they already have and that the best way to do so is to use
an already existing network of connections (Donath and Boyd, 2004). To facilitate this
need to make new connections, social networking sites ensure that users can search for
other users on the site. By default, a particular user can be found on the site by other
users. It is up to the user to change this setting if he/she wishes, so that other users
can only connect with them if the user sends them an invite or a personal request via
their email ID or user name.

The creation and maintenance of a profile/bio on a social networking site is another design
choice by the site to ensure that a user can be found on the site more easily, and through
many other means than just name or email ID. As previously mentioned by Lampe, Ellison and
Steinfield (2007), the more of his/her profile a user fills in, the greater his/her
likelihood of having connections and friends.

So is the almost voyeuristic pleasure of being anonymous, connecting with strangers and
having the capability to fake a different life from the one actually being lived the main
reason why people are drawn towards social networking sites? Haythornthwaite (2005) partly
agrees with this judgement, saying that people like social networking sites because one of
their features is the ability to view each other's connections/networks, a feature that
allows people who otherwise wouldn't have networked with each other to do so. Boyd and
Ellison (2007) agree, saying that it is the ability of users to display their social
connections that makes social networking sites unique and yet appealing to the users. While
this was obviously a good idea at the time of design by the social networking sites, could
they possibly have foreseen the perils of having users fill out their personal information
and thus having that information accessed and viewed by strangers and friends alike?

The popularity of social networking sites seems to be due to the fact that they have begun
to evolve from a service where one can meet up and socialize with friends and contacts into
a one stop destination for every user's online needs and demands. Social networking sites
like Twitter have now proven to be a good source of news and the latest happenings, so much
so that many significant events are being reported first on these sites as opposed to
traditional sources like news channels and radio. The Japan earthquake is one such example,
where people used the power of wireless internet and social networking sites to give regular
updates and stay in touch with their loved ones (Wallop, 2011).

Video sharing sites like YouTube and Vimeo have meant that users can access the latest movie
trailers, song releases etc. all in one place. The introduction of group video calling on
sites like Facebook and Google Plus has now meant that even the good old chat and messenger
systems are being ignored and replaced. And it is not only the chat and messenger systems
that are getting pushed out of the way; the quintessential symbol of the Internet in the
1990s, email, is also being left behind by the social networking sites, if a report by
Nielsen (2009) is to be believed. The report said that 66.8% of users across the Internet
used social networking sites as opposed to 65.1% of users using email. It is not only
personal needs that are getting fulfilled by social networking sites, as it is not rare for
companies and organisations to use them as an effective tool for brand launching and product
feedback by creating pages and communities around their releases. Customers find it easier
to relate to products and feel closer to their favourite brands by interacting with them
through their fan pages. Social networking sites themselves have realized the potential of
the visibility and mass appeal they provide to organisations and companies with regard to
their products and ad campaigns and are tapping into that potential by including
advertisements and banners on their sites. comScore (2009) showed that social networking
sites accounted for at least 20 per cent of all online advertising in the US, with Facebook
and MySpace having the lion's share among social networking sites at more than four-fifths
of the total.

2.2 Summary of the Chapter

The literature that was analysed for the thesis was helpful in creating a better
understanding of the situation vis-à-vis the various mentalities of the users when it
comes to security, and also of some of the lax practices users indulge in during their
daily lives on social networking sites.

The Sophos (2007) experiment proved that information sharing on social networking sites
is an area that needs to be looked into thoroughly and must always be tackled and
highlighted when educating users and creating user awareness.

Users' heightened sense of anonymity coupled with peer pressure means that users
feel that sharing more information about themselves won't cause too much harm.
Besides, users have their own perceptions of security which may not always be right or
safe.

Profile elements can act as signals and there is a higher probability of a user having
more connections if they have more details and information on their profile (Lampe,
Ellison and Steinfield, 2007). It is for the same reason that users often tend to fill out
almost every piece of information possible on their profiles, as they believe it will help
them get more friends/contacts.

Basic protection techniques are never enough for users when it comes to the doubts and
fears that they have about their security, and they always expect the social networking
sites to have more measures to protect them and their accounts (Shin, 2010). Group
membership information is often enough to completely de-anonymise a user on social
networking sites (Wondracek et al., 2010).

To create awareness more effectively, it is important to change preconceived schemas
(Kabay, 1993). The user always has the attitude that the threat always comes from outside
his network of contacts and that they have nothing to fear from their own friends and
contacts. Besides, there is a greater emphasis on social networking sites being more
specific about the reasons why they need particular information and how they propose to
use it (Hogben, 2007).

There are many different types of social networking sites depending on the various
types of content shared, uses and the type of people and language. The ability to list
the connections of a user on social networking sites is one of the standout features of
the site (Boyd and Ellison, 2007).


3.0 Analysis

3.1 Reasons and motivations for cyber criminals

The value of information has never been greater than it is now in the era of Web 2.0 and
the Internet. WikiLeaks, the whistle-blowing website by Julian Assange, proved that the
value of information is never to be underestimated in today's world, whether it is corporate
or government information. Even personal information is very highly valued by companies and
telemarketers, who add it to their databases to help specifically target and deliver custom
content to their customers.

Users are generally very careless with their personally identifiable information (PII) on
social networking sites. A report by Consumer Report (2010) said that nearly 40 per cent of
users surveyed had displayed information such as their birth date, while more than 25 per
cent of users with children had posted some or other details of their children, which could
be used by paedophiles to disastrous effect. Cyber criminals have never had it easier to plan
their next attack with so much information available on the Internet, and it is not just the
cyber criminals and hackers that stand to gain: due to the habit of people posting their
vacation plans on sites, plus sites and features like FourSquare and Facebook's Places, even
robbers and thieves who follow users on the Web find it easy to search for their next home to
loot.

The reasons do not end there. The popularity of social networking sites amongst people
of all ages, genders and nationalities, coupled with the easy distribution and cheap cost that
come with them, means that cyber criminals are beginning to prefer social networking sites
over any other medium to spread their chaos (Walsh, 2011).

The digital age of today comes with a paradox: that of accepting wholesome changes and
getting the latest developments with just a mouse click, but at the expense of losing one's
identity and privacy, besides opening oneself to a multitude of attacks (John, 2010). It is
this internal conflict and chaos that the cyber criminals are exploiting to good effect for
their own gain.


3.2 Threats on social networking sites

While working on a thesis that involves creating user awareness, it is important to take a look
at some of the threats involved in social networking sites. There are many threats that need to
be understood and analysed to help create an awareness of the issue at hand and develop a
proper solution/remedy to the threat.

3.2.1 Cross Site Scripting (XSS)

Cross site scripting attacks involve the injection of malicious scripts/code into an authentic
and otherwise harmless website so as to steal browser information like cookies, session
tokens etc. (OWASP, 2010). XSS prevails primarily because of unvalidated user input and
poor website design methods, which allow the hacker to easily inject their own code into the
site and extract data.

Social networking sites are at risk from XSS attacks for precisely the same reason, i.e. the
presence of unvalidated input or code. The risk of social networking sites being affected by
XSS attacks is much higher due to the use of unverified third party applications (Hogben,
2007). Basically it means that users are at risk of losing a lot of personal information if they
use any application from a third party vendor which contains code that can carry out
an XSS attack. One of the very first examples of an XSS attack on a social networking site was
the infamous Samy worm of 2005, which led to an embarrassed MySpace shutting down their site
after having its security flaws exposed by a teenager (Mook, 2005). However, while this did not
have any serious security implications except denial of service to MySpace users due to the
site being down for maintenance, not all XSS attacks can be termed naive and harmless.

In the past year, Twitter is said to have been affected by XSS based attacks which exploited
JavaScript code for the mouse-over action, so that users who even hovered their mouse over a
link had to deal with a pop-up window or a third party website (Sophos, 2011). A
Kaspersky security expert also found a similar XSS based vulnerability on the Russian social
networking site Vkontakte (Antukh, 2010).


Reasons for success on social networking sites

There are many reasons why XSS attacks are so successful: the criteria needed for XSS attacks
to occur exist on 80 per cent of websites, they are more likely to occur on content driven
websites, and lastly they can propagate with the help of third party applications and widgets
(Grossman, 2006). On a close look one might find that the reasons mentioned by Grossman (2006)
also happen to be some of the features of social networking sites, vis-à-vis content driven
material and third party widgets and applications. Therefore there is a greater chance that XSS
based attacks can be successful on social networking sites, and cyber criminals deliberately
keep this in mind while choosing their target.

How to avoid the threat

There is not much a user can do to combat this kind of threat up front other than not
clicking on suspicious looking links/shortened links. The majority of the work needs to be
done by the social networking sites to lessen the impact of the threat. Because XSS
attacks do not need browser or operating system vulnerabilities (OWASP, 2010), end-user
security like anti-virus and anti-malware won't work.

Social networking sites need to have stricter input validation methods, especially in scenarios
where user input is required. Third party applications need to be verified and vetted against
proper guidelines.
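
The site-side input handling asked for above, shown as an added example that is not part of the original thesis: a user-supplied profile link is rendered first by pasting it into the page unchanged, and then with a URL scheme allow-list plus HTML escaping on output. The function names, the allow-list and the sample inputs are constructed assumptions.

```python
import html
from urllib.parse import urlsplit

# Assumption for this example: profile links may only point at ordinary web pages.
ALLOWED_SCHEMES = {"http", "https"}


def render_link_unsafe(display_name: str, url: str) -> str:
    """Flawed pattern: user input is pasted into the markup unchanged."""
    return '<a href="' + url + '">' + display_name + "</a>"


def validate_profile_url(url: str) -> str:
    """Input validation: accept only absolute http(s) URLs that name a host."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("profile link must be an absolute http(s) URL")
    return url


def render_link_safe(display_name: str, url: str) -> str:
    """Validate the URL, then HTML-escape every user-supplied value on output.

    Validation alone is not enough: a URL can be a well-formed http link and
    still carry a quote character that would close the href attribute early.
    Escaping turns that quote into &quot; so it stays inside the attribute.
    """
    safe_url = html.escape(validate_profile_url(url), quote=True)
    safe_name = html.escape(display_name, quote=True)
    return f'<a href="{safe_url}" rel="nofollow noopener">{safe_name}</a>'


# Constructed inputs, not taken from any real incident.
SAMPLES = [
    ("Alice", "https://example.org/alice"),
    ("Bob", 'http://example.org/" onmouseover="alert(1)'),
    ("<script>alert(1)</script>", "https://example.org/carol"),
    ("Dave", "javascript:alert(1)"),
]

if __name__ == "__main__":
    for name, url in SAMPLES:
        print("unsafe:", render_link_unsafe(name, url))
        try:
            print("safe:  ", render_link_safe(name, url))
        except ValueError as err:
            print("safe:   rejected,", err)
```

The second sample passes validation and is neutralised only by the escaping step, which is why both steps are applied.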

Having an updated anti-virus/anti-spyware

At the end-user level, having an anti-virus could mean that browsers are sometimes protected
against some variants of the attack, although because XSS scripts do not really rely on
browsers and operating systems, the effectiveness of anti-virus can be questioned. However, in
the case of XSS attacks which include a hidden payload or spyware, having a fully updated
anti-virus can help the user mitigate the damage to a certain extent.

Limitations

Most social networking sites earn their revenue from advertising and sponsorship from other
companies and brands. The companies in return want personal information on users to
better help them, and as a result many social networking sites are known to share highly
personal information with companies in exchange for sponsorship and revenue. Also, due to
the high number of third party applications being developed, social networking sites could
make a case by arguing that it becomes impossible to vet all the applications and that once in
a while it is possible for a rogue application to pass through unnoticed.

3.2.2 Phishing

Phishing is the means of acquiring personal information from a user by masquerading as or
impersonating another authentic site/system/entity. There are many ways in which
phishing attacks are carried out, including sending fake emails, using social engineering
skills to impersonate someone in a position of power, redirecting web traffic to another
site etc.

Examples of phishing scams on social network sites are many, with the most recent one
involving Twitter: a tweet mentioned a user in a video, and upon clicking the link the user
would be redirected to a fake website designed to look like Twitter, where the user's login
credentials were harvested when the user logged in (Cashmore, 2010).

Reasons for success on social networking sites

The rise of context aware phishing means that cyber criminals are becoming more and more
aware and are using highly advanced social engineering methods to lure a user into giving
their information away. Jagatic et al. (2007) devised a study which proved that users are more
likely to respond to an otherwise fake email if it is shown to originate from a known source or
friend. Social networking sites offer a lot of scope for these attacks to work because of the
naive user's inability to understand many of the features like password resetting, account
changes etc.

For example, a mail supposedly originating from the social networking site could inform
the user that due to some maintenance work, the site needs to reset their password. The user
goes ahead and gives the password without even thinking twice that most social networking
sites won't ask for passwords through email.
Phishing sites are smartly built along the same lines as the actual social networking sites
that are being spoofed, to trick the users. Even the fake site's domain name is such that
there is only a slight spelling difference between the actual site and the fake site. For
example, the following web site opened up just by entering an extra U while typing YouTube.

Figure 3

The naive user could very well think that he/she genuinely won something and would
proceed to fill in and give away information.

How to avoid the threat

Always double check

The user should always double check the address he/she is entering in their address bar. If
the user is not very good at typing or has some vision problems, it is always advisable for
them to bookmark the important pages/sites and access them from there, instead of typing
them manually.
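
One way a browser add-on or mail filter could automate the double check described above, as an added example that is not part of the original thesis: a host name is compared with a list of trusted sites and flagged when it is a near-miss spelling or carries a trusted name as a prefix of some other domain. The trusted list, the threshold of two edits and the sample host names are constructed assumptions.

```python
# Sites named in this chapter, used here as the constructed trusted list.
TRUSTED_DOMAINS = ("youtube.com", "twitter.com", "facebook.com")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance.

    Counts insertions, deletions, substitutions and swaps of two adjacent
    characters, which covers the usual typing slips (an extra letter, a
    missing letter, two letters transposed).
    """
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host.

    Assumption: no public suffix list is consulted, so names under suffixes
    such as co.uk are not handled correctly by this simplified version.
    """
    return ".".join(host.split(".")[-2:])


def classify_host(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_trusted_domain_or_None) for a host name."""
    host = host.strip().lower().rstrip(".")
    base = registrable_domain(host)
    if base in trusted:
        return ("trusted", base)
    # Near-miss spelling of a trusted domain. A small threshold keeps false
    # alarms on unrelated short names down; tune it for a real deployment.
    nearest = min(trusted, key=lambda t: osa_distance(base, t))
    if osa_distance(base, nearest) <= max_distance:
        return ("lookalike", nearest)
    # A trusted name used as a sub-domain prefix of a different domain.
    for t in trusted:
        if host.startswith(t + ".") or "." + t + "." in host:
            return ("embedded-brand", t)
    return ("unknown", None)


# Constructed host names for illustration only.
SAMPLE_HOSTS = [
    "www.youtube.com",
    "youtuube.com",
    "yuotube.com",
    "twitter.com.login-check.example",
    "plymouth.ac.uk",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:35s} {classify_host(h)}")
```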

Look for the padlock

While most phishing sites can fake the design of a site, they often cannot fake the security
icon at the bottom of the page which tells us about the security of the connection. All sites
that require a login these days have the padlock sign at the bottom of the page (Figure 4).


Figure 4: Look out for the padlock

Also ensure after logging in successfully that the address bar reflects the https (HTTP
secure) connection instead of http. Most social networking sites have the option of
enabling this secure connection (Figure 5), though by default the connection is always http.

Figure 5. Secure your connection


Alternatively it is a good idea to have a fully updated anti-virus with built-in browser
functionality that can inform users if they fail to spot something malicious (Figure 6).

Figure 6. Use an updated anti-virus


Inform the user


If the site is thinking of making some genuine domain or login changes, it would be better to
inform the user beforehand that in the coming few weeks/days there could be a login
page/domain page change. Assuring and informing the user of any design change/policy
change is always a good way not only to protect the user but also to gain their trust and
spare them some confusion.

Factors hindering the solutions

In some extreme cases, by using JavaScript and images, even the address bar is faked to
actually show the right address. In cases like these, the proper judgement of the user should
be able to save them. Having a proper anti-virus could save the users from this problem as
well.

Unwavering trust in known contacts and friends could mean that users are very vulnerable to
smartly designed phishing attacks (Jagatic et al., 2007). However, verbal confirmation from
the friend/contact through telephone or face to face about the contents of a suspicious email
could solve this problem as well.

3.2.3 Location tagging and loss of locational privacy

Location tagging social networking sites introduced the idea of allowing users to tag
themselves into places that they visit. In addition to just tagging themselves or a friend in
a place, users can review a place and add their trips and photos to a place that they
check in to (Erlich, 2010). FourSquare, Gowalla, Georillas and Aka-Aki are some examples of
location based social networking sites that are used by users nowadays. Even non-location
based sites like Facebook had once tapped into the potential of geo-tagging and had introduced
their very own feature called Places, which allowed users to check in to places on Facebook
and update their status about the same. Twitter followed suit in the year 2010 with its own
location tagging features (TG Daily, 2010).

However, what people do not fully understand is that there are lots of risks involved with
location tagging; some of the risks can in fact be considered more threatening and
dangerous than just spamming or malware. By location tagging, users are opening themselves
to the risk of stalking, robbery and in some extreme and unfortunate cases even death. It is
important for users to know that sharing such information can be risky not only to
one's own health but also to one's family and friends.
Reasons for success

Location based tagging sites offer something more than just the ability to tag users to places.
New and supporting features on sites like FourSquare enable users to redeem their check-ins
for badges and privileges, while Gowalla allows users to give their tips/reviews and share their
photos after checking in (Erlich, 2010). The users are tempted by the promotional schemes
and the added benefits on offer. It is natural for any human being to be tempted if
he/she knows that they are going to get their fourth trip free after having visited the same
place three times before. And in the case of these location based sites, visiting a place does
not mean so much going into a place as checking in digitally.

Compared to the riches that they are getting, the users do not care too much about their
privacy being put at stake and would rather take the points any day. After scrapping their
earlier Places feature, Facebook has come back with a new, similar feature called Nearby,
which allows users to tag their locations not only through check-ins but also through the
option of location tagging pictures taken. Facebook made good use of location tagging of
photos, which later helped it retain its user base. Examples like Twitter Places and
Facebook Nearby are prime reminders of the general flexibility that social networking sites
provide, not only for users but also in terms of scope for a cyber criminal to exploit to
their advantage.

How to protect your location privacy

Do not check in to vulnerable places


The first rule which a user of location tagging sites needs to know is to stop checking
in to places where there are a lot of people around, like stadiums, malls, airports etc. There
is a greater risk because if someone has been stalking with intent to cause harm to the user
or his family, then such crowded locations can prove perfect for them. Also, as a general rule
it is always best not to check in to any place using your mobile phone if you have children
and family along with you, especially when checking in to places like zoos, kid centres,
theatres etc., where there are more chances of a paedophile being on the lookout for a
wandering child.

Ideally it is best not to use geo-tagging features, especially if they are part of a social
networking site like Facebook or Twitter, keeping in mind that the primary features of these
sites do not include geo-tagging and that these sites are more popular, so a user is
susceptible to being tracked by a larger number of people.

Tweak your visibility settings

While this solution remains central to almost all of the problems involved in social networking
sites, it is more important for this problem. In a general scenario, for a thief, being
able to see that Alice lives in Tampa Bay, Florida would make little difference in terms of
causing damage, but if they decide to correlate her profile across other social
networking sites and see her Gowalla check-in saying she is in Spain, it could potentially
mean that she is away from her home. Imagine what implications it could have if she has
listed a 13 year old cousin as family and the thief has understood from previous posts that
the cousin lives with Alice.

Context/information sensitive settings and requirements

Social networking sites could include context sensitive privacy settings, i.e. if the user
decides to list under-age kids/friends as contacts, then tagging them in places, pictures or
locations should automatically be disabled.

Drawback: Users could feel that this takes away the power of designing and filling out their
own profile and would argue that it takes the fun away. Many users wouldn't like the social
networking site taking decisions on their behalf. Also this could lead to people hiding and
faking information on the site. Social networking sites are very unlikely to adopt such a
setting unless there is some legal and governmental requirement that asks them to do so.
Factors hindering the solution

It depends on the mentality of the user, and whether they are willing to make those privacy
changes, which could mean hiding much of their information from public view and thus
potentially losing out on making new contacts. Checking in to places is again something which
users do more out of peer pressure than anything else, and the user has to have a better
understanding of the implications if they are to stop doing that.

3.2.4 Identity theft

It is common for users to give away far too much information on social networking sites. In
fact it is possible to give away enough information on the Internet that a smart impostor
who is following a user and building a user database can go ahead and impersonate the
person in real life and on the social networking sites. Personally Identifiable Information (PII)
can be defined as data that can be used to uniquely identify a person, such as name,
biometric information, email, telephone number or social security number (TechTarget, 2011).
Some of the primary information shared on social networking sites consists of PII. In countries
like the US, the social security number is treated as the single most important
piece of data about an individual and every citizen of the US values their SSN more than any
other data. In many businesses and applications, the SSN is used to verify that a person is who
he/she claims to be. The study by Acquisti and Gross (2009) has already shown the shortcomings
of sharing information like date of birth, which can then be used to guess someone's SSN with
decent enough accuracy.

Identity theft could lead to many problems like fraud, money laundering, untraceable crimes
etc. In the UK itself in the first six months of 2011, there were at least 111,504 frauds
reported, which in itself was a 10 per cent increase from the previous year (CIFAS, 2011).
The frauds included all sorts of fraud, including application fraud, asset conversion fraud and
many other frauds which can lead to loss of property and money (Figure 14). While none of those
frauds can be attributed to social networking related breaches of data, what can be seen
clearly is that identity theft is rampant and growing, and users must be wary of that fact
before indulging in casual social networking activities.


Figure 7: Source: CIFAS (2011)

Reasons for success

The reason why social networking sites are such a good target for identity thieves is
that scouring social networking profiles for data is a painless, no investment
operation with hardly any infrastructure needed except a PC/laptop and a social networking
account. The lax security habits of users mean that cyber criminals can create an
information database which includes not only details like name, age and address but also data
like lifestyle choices, spending and shopping habits and in some cases even monthly income
range. This information can then be used to assist the cyber criminal not only in credit card
frauds but also in social engineering attacks.

How to protect against identity theft

Minimum information sharing


As explained earlier, sharing minimum information is essential to avoid most
threats that can occur on social networking sites. Sharing minimum information means that
the cyber criminal really hasn't much information to use and therefore cannot create a user
database which can be used to good effect.


The importance of reading a privacy policy


It is always important to read the privacy policy not only of social networking sites but of
any Web service account that you are signing up for, including email accounts, e-commerce based
websites and blogs. Privacy policies clearly mention and specify how the site is going to use
the information that you are providing, including whether it will be sharing that information
with third party partner websites and companies. It is also important to be aware of your
rights and procedures in case you find that the data supplied by you is being misused by the
site. Social networking sites in the past are known to have suffered cases of data breaches.

Provide information only where mandatory

A better alternative to sharing minimal information on social networking sites is to actually
provide the site with less information while signing up for it. This way, as a user you don't
have to worry about adjusting privacy settings according to the type of users on your contact
list. Many sites do not require every single piece of information while signing up; the ones
needed are always marked mandatory and successful registration is never possible without giving
them. However, it is up to the user whether they want to give away any additional personal
information afterwards. It is quite understandable that the social networking sites, after
creation of the account, will keep reminding you to fill out your entire profile to "help us
find your friends quicker", but it is an option which can always be turned down and the social
networking sites won't close your account if you don't do so.

The author was able to give minimum information while registering for an account on Twitter
but still managed to get enough followers by searching for them with the help of
email ID and name.

Highlight the important points in a privacy policy

Social networking sites can make it easier for a user if they highlight the relevant points of a
privacy policy at the time of signing up/registering. The sites must inform the user if there
are any changes made to the policy as well. Gaining the trust of the user is imperative in the
era of Web 2.0, as cyber criminals are often quick to exploit user confusion and chaos.


Factors hindering the solution

Lampe, Ellison and Steinfield (2007) have already stressed the relationship between
having a well filled out profile and the chances of creating connections. Users will always
want a filled out profile not only because they want to find more friends/contacts but also
because it helps create more social capital (Pfeil et al., 2009). Users should always use the
option of finding their friends and contacts by searching for them using their email address
instead of looking for them using name, location etc. The more users do the latter,
the more users will feel tempted to fill out every bit of information to be spotted by others.

As for social networking sites often reminding users to fill out a complete
profile, it is understandable, as the sites stand to gain a lot of advertising and revenue if
they have more information about users, which can then be used to create user and need specific
product placements and promotional schemes.

3.2.5 Facial recognition

As of September 2010, there were 5 billion photos uploaded and shared by Flickr, the popular
photo sharing site, which means there is an average of 130 million photos uploaded every
month on the site (Sheppard, 2010), while more than 3 million photos are uploaded on
Facebook every month and, based on that estimate, 36 billion plus photos will be uploaded per
year (Pingdom, 2010). This just shows the phenomenal amount of content that is being
circulated around the Internet, especially on social networking sites. What this also means is
that social networking sites can have a wide range of pictures of users that can be used by
cyber criminals to identify a user precisely. The Internet, as it started out with chat and
message boards, was to be used as an anonymous tool where people from far corners of the
world could interact with each other without having a face; however, these days it has become
so much easier to identify a face with an IP/website etc. In fact, it is now possible
to accurately correlate various pictures of somebody online with pictures from their
real life from web cams, street cams etc. (Acquisti, Gross, Stutzman, 2011). The study says
that when users upload and tag photos of themselves and their friends/family, it becomes that
much easier for someone to link a name to the faces where otherwise total anonymity
would have been expected.


This study only raises the question of the logic behind tagging photos on social networking
sites; in fact, some users are so naïve that they wouldn't mind tagging their identities even to
photos in which they are not present.
Reasons for success

The media content driven nature of social networking sites means that it becomes imperative
for users to upload content that involves pictures and videos. Once again, the figures provided
by Sheppard (2010) and Pingdom (2010) only demonstrate the sheer amount of
information, pictures in this case, that cyber criminals can work with. With the help of cloud
computing, in the near future, the processing and running time required for executing such
facial recognition technology on a mass scale would be lower (Acquisti, Gross, Stutzman,
2011) and it would also cost significantly less.
How to protect from facial recognition

Stop oversharing
Again, it is one of the important rules to follow to preserve your privacy: oversharing should
be avoided. Another important rule is to stop sharing pictures which are more
sensitive and contain more information than some of the other pictures. While it is quite
impossible to actually ask a user to stop uploading any pictures at all, a user can carefully
choose the right pictures to be shared and uploaded. For example, it is never advisable to
share too many pictures of children on social networking sites as, with the help of facial
recognition technology, it becomes too easy for paedophiles and other criminals to target the
children. It is also important to remember not to mix your professional and personal lives
on social networking sites, especially through pictures. Do not share pictures from your
workplace if you are working at some high end company, and at the same time do not share your
weekend parties with your office colleagues.
It's all about privacy settings
The second most important rule to follow on social networking sites is to ensure
that only the right people see your content by adjusting your privacy settings. Many a time,
people can get away with sharing content that can be deemed potentially harmful, if only they
share it with the right contacts and friends. Social networking sites on their part could ensure
safety by making sure that automatic tagging of photos is not enabled by default and that
such decisions are left to the discretion of the user. Recent events that happened with
Facebook and its facial recognition technology shouldn't be repeated (Ducklin, 2010; Cluley,
2011).

Factors hindering the solution

When it comes to matters like oversharing, user perception of security and its implications
has to be factored in. The factors hindering the solution are therefore the user and his mentality.
The social networking sites on their part must ensure that Facebook-type incidents do not
occur (Cluley, 2011), because not only do they expose the details of a user unknowingly, they also
decrease the trust a user has in social networking sites with their account and in the sites'
ability to protect it. It is due to such bad practice that users follow poor
security measures, as they tend to follow the example set by someone in a higher position, in
this case the social networking site.

3.2.6 Real life threats

In addition to cyber threats like malware, worms and viruses, it is perfectly possible for a user to
be under threat from real life threats which could endanger his/her property, money, psyche,
reputation and in some cases even life. In the past, real life crimes like bullying, stalking,
robbery and blackmailing/kidnapping have happened or have been made possible due to
social networking sites. In the recent riots that took place across the UK, many of the rioters
were alleged to have organised their acts of crime with the help of Blackberry messengers and, to a
certain extent, social networking sites like Facebook and Twitter (Bright, 2011). This example
cannot be attributed to a lack of security; it is just an example of how people are
using the widespread popularity of social networking sites to further perpetrate crimes.


Safety of children and the growing worries

Incidents like bullying and sexual harassment are on the rise in schools among teens who
are really too immature to take decisions about their profile content and who they share the
information with. Livingstone, Olafsson and Staksrud (2011) surveyed young children
around Europe about their social networking usage, and some of the facts that were found
can be summarised as follows:

Proportion of kids who use the Internet and have a social networking profile:
Age group 9-12 years: 33% and over
Age group 13-16 years: 75%

Proportion of 9-12 year old kids who set their profile view to public: 25%

Proportion of the kids with a public profile who display information like
telephone number, address: 20%

Most popular social networking site amongst kids: Facebook (57% of kids)

Most social networking sites have an age limit for children to join,
with the majority of the sites setting the limit at 13 or older. However, with no mechanism in
place to cross check the age supplied by the users, it is often found that kids lie about
their age when registering on social networking sites. Livingstone, Olafsson and Staksrud (2011)
analysed the various social networking sites and the age limits required and found
that quite a lot of the under-age kids lie about their age to get into social networking sites. A
complete list of the age limits and the proportion of kids who lie on those social networking
sites can be found in Figure 8.


Figure 8: Livingstone, Olafsson and Staksrud (2011) Children with a profile on a particular
SNS who display an internet age, by age.
Exposure to inappropriate content
It is not only the privacy issues that are a hindrance to children being on social networking
sites but also the fact that they can be exposed to inappropriate content on these
sites. The children are at an age where they might not be able to process that
information, and it can have irreversible, negative and long-lasting effects on them.
Norton (2009) found that for the year 2009, sex was the fourth most searched word for
kids in the age group of 8-12.


There needs to be greater awareness amongst not only the parents but also the
social networking sites to ensure that kids do not flout the rules while registering on social
networking sites and that they do not fall victim to cyber bullying or come into contact with any
sort of material that can be considered harmful for their age.
Reasons for success

The popularity of social networking sites is one of the main reasons why real life threats like
stalking, bullying, robbery etc. are growing. Barrett (2007) says that in the UK, out of 2000
people surveyed, almost 30 per cent admitted to searching on social networking sites for their
former boyfriends/girlfriends and partners, while nearly 33 per cent
searched for some information on their bosses, colleagues or job candidates. Basically, there
is a culture of stalking and following each other's lives that the social networking sites seem
to be cultivating. Depending on the nature of an individual, such behaviour of stalking and tracking
someone could lead to jealousy and anger, and leads to many real life problems.
Faceless criminal
Just like in the previous examples, for a stalker or a paedophile, the social networking sites
offer a sense of anonymity and cover behind which they can remain hidden and undetected
and still follow someone. In the olden days, to stalk someone and keep track of their locations
and whereabouts, the stalker had to physically follow the victim wherever they went. This
meant that there was a greater chance of the stalker/criminal being caught because of his
coming out in the open. However, these days all that a criminal needs is a computer and an Internet
connection, and they can stalk and follow any victim at will without even getting up from
their desks. Potentially, the criminals online have now become faceless and nameless;
identifying them using traditional means such as Wanted posters and pamphlets is no longer
possible. The criminal could be just an average everyday guy who can walk freely amongst the
millions without the fear of being caught.


How to prevent the situations

Parents: Keep a watch on your kids


Just as a parent has to follow a kid who wanders off while playing in a playground and keep
an eye on them, it is important for parents to keep an eye on their
kids and their wanderings when it comes to social networking sites. If users have their kids
on social networking sites, it is always important to be on their friend/contact list, although
many kids, especially teenagers, wouldn't agree to their parents being on their network.
Educating your kids about social networking etiquette and responsible behaviour is essential,
while at the same time the parents themselves should lead by example in terms of their online
behaviour. Parents should check that kids below 13 do not have social networking accounts
and, if they do have one, ask them to delete the account promptly.

Stricter criteria for kids joining social networking sites


Social networking sites must ensure some tougher rules for kids opening an account.
The sites should ensure that for an under-age child to
open an account there are at least 3-4 adults who are already members of the site and
who confirm the kid's age as specified. Social networking sites must also bring in some
legislation to have the kids appoint an adult from their friend/contact list as a guardian who
would keep a watch on the kid's behaviour. The sites should ensure default public view for
the appointed adult with regard to the visibility of the profile.
Let them join sites made for them
There are many social networking sites for kids under the age of 13 which can be considered
safe and perfect in terms of content, as these sites are specifically designed for
kids under the age of 13. Popular sites for kids include Kidzui, FaceChipz, Kidzworld and
Club Penguin.
Know who's on your list and who's not
At the risk of stating the same thing again and again, oversharing
should be avoided. In addition, when it comes to problems like a relationship
fight or a fight with a colleague, it is always important to keep in mind whether those people
are on your list. Future behaviour on social networking sites should
always take into account that those people are on your list and that the bitter feelings existing
could surface anytime. It is always best to either delete them from your list or to set
a different visibility setting for them.
To avoid thefts and robberies, it is always essential not to share your vacation
plans or tag yourself in places.
Factors hindering the solution

Forcing restrictions and banning social networking sites in schools and for kids could have
the reverse effect and make the kids lie more about their age online. This is a very
sensitive topic, as social networking sites wouldn't mind children opening accounts
because it often brings in extra revenue and advertising centred around youth
products and companies. Besides, it could be difficult for social networking sites to trust the
legitimacy of the appointed guardian as well (it might as well be a fake profile created by the
child themselves).
On the part of parents, following kids on social networking sites could mean that the kids
are made fun of in real life by their friends, and could lead to more problems for the kids
like bullying and an inferiority complex.

3.3 Sources of threats on social networking sites


For creating awareness it is important to understand where threats can originate from on
social networking sites. By being able to do that, it becomes a bit easier to specifically target a
subset of users or the source to better improve a particular situation that happens due to those
threats. Depending on the sources from which a threat can originate, it is
possible to categorize those threats into the following four categories:

a) Threats from known contacts and friends

b) Threats caused by self due to ignorance and apathy

c) Threats from other sources including third-party applications and vendors

3.3.1 Threats from known contacts and friends

One of the biggest mistakes a user can make is assuming that they are safe and have virtually
nothing to fear from their own contacts and friends, and that it is only the strangers and the
bad guys that need to be worried about. However, this assumption has often turned out to be wrong, as
the human element is often the weakest link in ensuring perfect security (Lineberry, 2007).
Get Safe Online (2007) found that in the UK, 13 per cent of people posted information
and content about others, often without their consent, with the majority of these malpractices
being done by the younger generation of users in the age bracket of 18-24. This just goes
to show the amount of risk a safe user can potentially be at from his/her friends and contacts,
whom the user sees as being trustworthy and safe.
Another concept which people often overlook is the friends of friends option on most social
networking sites. Alice might have the most perfect security settings for strangers and the
outside world, but it could be possible that a friend of Bob, who happens to be Alice's friend,
could view some of the profile of Alice just because Bob happens to be a mutual
friend of the two.
Threats which can occur from known friends and contacts include spamming, click
jacking, being part of a scam or survey, or all of the three. Almost all of these threats can lead to a
variety of problems including identity theft, becoming part of a botnet, money laundering,
cyber bullying and stalking etc.

1) Spam
Spam and other malicious content generated by cyber criminals always
targets the weakness in a person's ability to accurately judge what is right and
what is wrong in the wide and confusing world of the Internet. It is not unusual these
days to lure a user into clicking on links promising expensive gadgets, lottery
winnings or videos containing gruesome/strange/luring material. The curiosity of a
user on the Internet can be quite rightly compared to that of a child during their early
years. In fact, TrendMicro (2011) says in its report that curiosity and imposition are
very useful in tricking users and are often used by cyber criminals to good effect. Spam
links often contain promising deals for the user, like an iPhone; on clicking the link, the
user is either taken to a different site or the spam gets copied onto the user's
profile/page.
Examples of spam related messages are of this nature:
Alice sees a message on her profile which says her friend Bob clicked on
a link and won an iPhone. Once Alice clicks on the link, she is taken to a bogus site
where she is asked to give away her personal information, including her email
ID, personal telephone number etc. The spammers then use the obtained information
to further generate and spread spam to the user's inbox.
Real Life Example
A spam detected by Symantec asks users to complete a survey about Facebook
features. Upon successful completion of the survey, the user is told that they have won
a prize and that, for the prize to be delivered to them, they must give their personal
details including name, address and gender (Patil, 2010). Figures 9 and 10 show the
spam site and the subsequent page asking the user for the data.


Figure 9.


Figure 10.
2) Tagging

It is one of the most attractive features of social networking sites for users, i.e. the ability
of users to tag not only themselves but also others in whatever they share on social
networking sites.
Social networking sites these days provide users with the ability to tag themselves
in photos, videos, posts and, in the case of sites like FourSquare, even in places that
they visit or go to. If tagging photos and videos weren't scary enough, tagging
locations that you visited definitely has to get a lot of people worried.
As discussed earlier, users often tend to overlook the mutual friends or friends of
friends concept and tag their friends thinking that no harm can happen as they trust
everyone in their friend list. However, most of the time that is far from the truth, with
many more users actually seeing the content than they would have wanted.
Also, because not every user has the proper security settings, this
could essentially mean that the content of even those who have shared minimal information,
including photos and videos, could now be viewed by everyone. If the user who
has tagged their photos has a public profile, those photos could
be viewed by someone who is not even on the social networking site on which the
said photo was shared. The user's profile could easily be found by just searching
for their name on the Internet, and with the profile also the photo albums.
This is one of the prime examples of where, even for a user who is
following the proper guidelines on sharing information and content, the user's
safety could be under threat because of a careless mistake by some of their contacts.
This case highlights the importance of spreading and teaching what you have
followed and learned to others and asking them to do the same. Spreading the
knowledge must be the watchword.

3) Status updates and posts/communication

Slightly similar to the problem of tagging, inappropriate status updates by friends and
contacts could often give away vital information about a user, information which they
otherwise wouldn't have wanted to give away. In some social networking sites like
Facebook and Twitter you can tag other users on your list. As a result, if a user
skipped work to go to a match and one of his friends posted about it on his feed,
then if the company chooses to go through the feeds of the other user, who also happens
to be on the company's list, the first user could be in trouble.


Remedies and solutions to the problem

As discussed, users often make the mistake of placing too much trust in their friends
and contacts, a decision which then proves a bad one for them later. There are various
solutions to this particular problem.
1) Always be cautious

A good rule to remember when coming across spam links on social networks is to not
trust anything or anyone (user accounts can be hacked). Users must always
double check with the person in question in real life before acting on any of their
online messages or advice. The same applies to links advertising promotional
schemes; it is good to remember that such things are never true and are always
made up. The Manhattan Police Department (2010) has this to say on its Facebook page
about the countless promotional schemes going around on the site: "If it is too
good to be true, it probably is" (Fig. 11).

Figure 11: Manhattan Police Department (see References)


The role of a user should not end at just not clicking on the spam but should extend
to reporting it. Most sites have an option for reporting spam or inappropriate content.
If the content seems to have been generated from a known friend/user's side, it is also
important to let them know, because in cases like these the user is not aware of the
changes on their profile.

Success Chances: The viability of this solution and its chances of success
are mixed and vary from user to user. While a user can be taught certain
things, there is the element of human surprise and intrigue that cannot possibly be
estimated or factored in. While a user can be taught, over time and with some practice, not to
click on links containing promotional details, it is very difficult to predict whether a user
won't fall victim to content that is specific or important to them. For example, a
teenager is more likely to click on a link containing news of the death of her favourite
artist than a user of some other age. The curiosity of a user is always raised when it
comes to things that they like, as opposed to something they don't like.

Overall, though, this solution is a very good one and can have a lot of positive effects
if the site shows some interest in creating more awareness and making some minor
changes.

Ideal solution: An ideal fix to the problem can be achieved if the social networking
sites incorporate changes in their design to assign a sign/symbol of trust to every
authentic and safe piece of content that is shared on the site.

Existing solution: Most social networking sites have an option for reporting spam and
other malicious unwanted content.

2) See and make others see

The issue of spam can also be solved if, as a user, one is more proactive about security
issues and decides to teach others in their contact list the same. The solution is
simple and requires minimum effort. The user can make use of the social networking
site to make other users aware by sharing a post or status informing them of new
scams/issues that they are aware of (Fig. 12).


Figure 12: Teach others

Success Chances: The chances of the solution being a viable one are very high. The
user requires minimum effort, and as the users themselves take it upon them to fix and
correct the mistakes, it takes a lot of load off the sites. Even if one user decides to do
the awareness post/status and subsequently every user does the same on every other
non-mutual network, the chances of the message being passed around the site are very
high and maximum attention to the problem can be ensured.

Ideal solution: The same as the previous one. The social networking site should
incorporate some changes.

Existing solution: Spam reporting buttons and pages, same as previous ones.
3) Do It Yourself

When tagged in photos and videos, a user who doesn't want to be seen in them can
actively untag themselves or ask the original uploader to remove the photos and videos. If
asking for your photos to be removed seems rude and demanding, a user
can go and fine tune the privacy settings provided. A user can change the privacy
settings of their photo albums/videos to make sure that no one, or only a select few,
can see their tagged photos.

Alternatively, a user can create lists of their contacts, e.g. friends, family, work,
and choose which list of contacts can see what content and which list cannot.


Success Chance: Again, the measure has a very good chance of success as it involves
minimum effort and makes the user more aware and responsible. Often a user
can get lax and relaxed if all the work of providing security is done by the social
networking sites and the user doesn't do anything.

Figure 13: Adjust privacy settings

Ideal solution: In addition to the user tweaking their account settings, the social
networking site can remind users from time to time if they don't have the
recommended settings and are sharing too much personal information.
Just as when selecting a good password, the site can recommend good
settings to the user on their settings page. Facebook is one site that currently has this
feature (Fig. 14).

Figure 14: Don't be afraid to make changes if necessary

Existing solution: The settings provided by the social networking sites, along with
the option to untag oneself from photos/videos, are the only existing solutions to this
problem.
3.3.2 Threats caused by self due to ignorance or neglect

Oversharing
On close introspection one might see that the threats caused by self and threats from known
contacts are almost the same because of the continuing theme of human nature and the fact that
human errors are always expected. However, to differentiate the two, one can argue that threats caused by
self can be attributed more to ignorance and lack of knowledge than to anything else. It
is possible to further classify this set of users into under-age kids, teens and their parents, and new
users.
Users tend not to go into the details of the various policies and measures and would rather
go about their business online instead of bothering about them, as many think they are only
used by the sites as a requirement in case of any legal complications or as a formality. A
case in point is the ignorance shown by first year students in a study conducted by Lawler
and Molluzzo (2011). In the study, conducted to find out first year students' knowledge of
the privacy and information sharing policies of various social networking sites, the majority of
the respondents did not know who they were sharing the information with. It was found in the
report that more than 60 per cent of the students do not read the privacy policy of the sites.
Lawler and Molluzzo (2011) feel that this could be due to a variety of reasons including blind
faith in the site to protect their privacy, disregard for privacy, and not being able to understand the
privacy policy, which is often filled with jargon.
The point raised by Lawler and Molluzzo is a very valid one, as often the ignorant users may
not be ignorant about issues in real life, but on the Internet they tend to believe that
everything is over-exaggerated, especially security and its implications. A certain set of
users also believe that as users they are only meant to use the system and that it is only the
responsibility of the site to take care of the security. And it goes without saying that they
often tend to put not only themselves at risk but also their contacts and friends.
Besides giving away too much information on social networking sites via their profile
information, users also end up sharing too much information through their posts, tweets,
uploaded photos and videos, location updates and sometimes by using unverified
applications. Status updates informing of a vacation out of town, a pay rise received at work,
irresponsible behaviour, and photos of children with their names and details are all examples of
oversharing on social networking sites practised by many users. Indulging in such
irresponsible behaviour can lead to exposing yourself to many dangers including robbery,
kidnapping, losing one's job and personal relationships breaking down.
Threats

Spam

Phishing

Identity theft

Becoming part of a botnet

Malware and worm being downloaded

Real life crimes like stalking, bullying, robbery, child abuse

Real Life Example


A 16 year old girl was sacked from her job when she complained about her menial job on
Facebook over two status updates (Levy, 2009). The company with which she was working had
been monitoring her comments on Facebook, as is the norm with most companies these days.
So it is always important for users to think twice before they say or write something about
their job on social networking sites.
Remedies and solutions to the problem

On the Internet, less is always good


As a rule, it is always good to remember that it is never a good idea to share too much
information on the Internet, especially if it concerns one's family and friends. Learning what
to share and what not to share must be a personal matter and often varies from person to
person. Greater awareness of the same can be brought about through various media; the social
networking sites themselves should take a lead in this and should include a daily/weekly news
feed where certain threats are highlighted along with the reason why those threats took place.
Another idea or thought process that should be inculcated in users is that of how different
information could have different implications for different users. For example, Alice, who has
her office colleagues on her contact list, would find it risky to share a post abusing
her boss; however, Bob, who hasn't added his office colleagues and has the tightest of security
settings, would get away with abusing his boss. Information shared must be context and
situation sensitive, and every user must know what is good for them and what is not.
Success Chance: The success of the solution depends a lot on the user and the ability to
understand what is right and what is wrong. The idea of the sites themselves
highlighting real life examples is not a feasible one, as it would seem
that the site was working on a negative note by showcasing the wrong aspects. From
an operational sense also it would make no sense, as the site's primary job is not that of a
crime reporting site.
Inform and empower the user
Huang (2008) is correct in saying that users won't take their privacy seriously and make
correct decisions if they are not aware of what is at stake and what is not when it comes to
their security. Therefore a good solution would be to make users aware of what they are
sharing and with exactly how many people on their network, on their site and on the Internet as
a whole. For example, if a user is uploading a picture of his child on the site, depending on the
user's current privacy settings, the social networking site could inform the user of the potential
number of users who will be able to view that picture. An additional tweak that can
help the user is to give them the option to set a privacy setting for almost every single piece of
content each time they share it, instead of the current situation where the user has to go to a different
page to change his/her security setting and the change is a one-time change which applies
to all of his selected options instead of one.
Facebook has recently decided to do the same, after taking a cue from Google+, perhaps in
fear of losing some of its users to the newer site (Sengupta, 2011).
Success Chance: The success of this solution can be pretty high, as users will now get to
know what the implications of their actions can be. An average user would always be more
interested in knowing the details of how his/her information is being viewed and shared by people.
Besides, every user will feel special and cared for, as from the perspective of the site it would
mean that every user matters and that the site can cater to every single individual's needs.
Facebook's new privacy feature also gives the user much more control and granularity, with
which the user can further fine-tune their settings rather than having just one global setting for
all information.
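The audience count described above can be computed from the friend graph and the visibility level chosen for the item. The following sketch is an added example, not code from any social networking site; the graph, the visibility names and the function names are assumptions made for illustration.

```python
from collections import deque

# Constructed friend graph (undirected): member -> set of friends.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "dave", "erin"},
    "dave": {"bob", "carol"},
    "erin": {"carol", "frank"},
    "frank": {"erin"},
    "grace": set(),          # member with no link to alice
}

# Hypothetical visibility levels and how many friendship hops each one reaches.
HOPS = {"only_me": 0, "friends": 1, "friends_of_friends": 2}


def audience(owner, visibility, graph=FRIENDS):
    """Return the set of site members (excluding the owner) who can view an item."""
    if visibility == "public":
        return set(graph) - {owner}
    if visibility not in HOPS:
        raise ValueError(f"unknown visibility level: {visibility!r}")
    limit = HOPS[visibility]
    seen = {owner}
    queue = deque([(owner, 0)])
    while queue:                       # breadth-first walk, bounded by hop count
        member, dist = queue.popleft()
        if dist == limit:
            continue
        for friend in graph.get(member, ()):
            if friend not in seen:
                seen.add(friend)
                queue.append((friend, dist + 1))
    return seen - {owner}


def share_preview(owner, account_default, item_setting=None, graph=FRIENDS):
    """Build the notice data shown before posting.

    item_setting, when given, overrides the account-wide default for this one
    item only, which is the per-content control the text asks for.
    """
    visibility = item_setting or account_default
    viewers = audience(owner, visibility, graph)
    return {
        "visibility": visibility,
        "members_who_can_view": len(viewers),
        # A public item is also reachable by non-members and search engines,
        # so no finite count can be promised for it.
        "visible_outside_site": visibility == "public",
    }


def notice_text(preview):
    """Render the preview as the sentence shown next to the upload button."""
    text = (f"{preview['members_who_can_view']} members can view this "
            f"({preview['visibility']}).")
    if preview["visible_outside_site"]:
        text += " Anyone on the Internet can view it as well."
    return text


if __name__ == "__main__":
    # Alice's account default is public; each line tries a different per-item setting.
    for setting in (None, "friends_of_friends", "friends", "only_me"):
        print(notice_text(share_preview("alice", "public", setting)))
```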
3.3.3 Threats from other sources including third-party applications and vendors

In many cases users can do everything in their capability, but new or unforeseen attacks can
mean that they are not as safe as they think they are. Sometimes the social networking site
itself rolls out interface or design changes that can catch an average user unaware. Facebook
users were in for a shock when, without letting them know, the social networking site went
ahead and enabled face recognition technology (Cluley, 2011), something which it had promised
to roll out a few months before, to enable automated photo tagging (Ducklin, 2010). However,
while users expected an official announcement before the changes were enabled, Facebook went
ahead and slowly made the changes without informing the users. This meant that even a
non-Facebook user who had his/her picture in a Facebook user's album was tagged and therefore
easy to identify online.

Another example of Facebook being under the spotlight over a privacy breach was when its
Application Programming Interface (API) was accused of sharing user information with third
party applications and vendors. The API is a feature which accesses one's information and
uses that same information to deliver custom content to the user tailored to their specific
needs. The API allows Facebook users to add context to the applications by making use of
their profile data (Programmable Web, 2010). To top it all, Facebook does not verify the
applications and their designers, which means that users are more than right to feel that their
information can be misused not only by third party applications but also potentially by cyber
criminals.
Then in some cases, like the Samy worm on MySpace, users were denied service for a few
hours although it was no fault of theirs.

Remedies and solutions to the problem

The problem of third party applications stealing information can be solved if the social
networking sites authenticate and review the applications being designed. Apple always
ensures that every application developed for its devices and systems is tested, by having a
walled environment where only applications that are properly tested are allowed to
execute (Paul, 2011). To be honest, though, when Apple started its own iTunes based social
networking service called Ping, it failed to create much of a buzz because Apple wasn't
effective enough at controlling spam and fake accounts.
All being said and done, just as with every other problem, the user has a role to play in the
solution. In the case of rogue applications and services, it is up to the user to use his better
judgement and not use those applications.
Social networking sites must also ensure that they have properly tested other aspects of their
design and coding, so that attacks which exploit user input, and SQL injection, do not
succeed.

3.4 Types of threats on social networking sites

From the previous three sub-sections in this chapter, it is easy to see that the threats that
exist on social networking sites attack and target different vectors. In terms of the target
area, one can therefore differentiate threats into essentially four types:
1) Privacy related threats
These types of threats target the privacy of an individual and collect valuable information
which can be used for a variety of purposes. In today's cloud computing enabled world, using
advanced data mining methods coupled with the low cost of data storage, cyber criminals are
able to create a digital dossier of every user with information collected from various social
networking sites on the Web (Hasib, 2009). Cross site scripting attacks, facial recognition,
location tagging etc. are all examples of this type of threat.
Cyber criminals: The cyber criminals involved in this type of threat could be anybody from a
petty thief looking for a house to rob to a government spy on his/her espionage duty.
Paedophiles and sex offenders are also often among the criminals who would want to invade a
user's privacy for their personal ends.

2) Payload/drive-by download related threats

Traditional threats like viruses, worms and other malware related vectors are examples of
threats on social networking sites in which the cybercriminal tends to introduce some content
or payload into the user's profile or private workstation with intent to destroy, obtain or spy on
information that the user has to give. In some examples, like the Samy worm, the creator just
used it to boost his ratings and not for any harmful purpose as such.
Cyber criminals: Hackers and malware writers are the main culprits in incidents related to this
type of threat. Novice script kiddies and n00bz are also sometimes involved in these
threats, more often for their own fun than to cause any serious harm. Hacktivists are often
known to malign the pages and profiles of their political adversaries to get their message
across.

3) Identity related threats

Phishing is perhaps the biggest example of an identity related threat, in which the focus is to
get a user's login credentials, which can then be used for many purposes depending on the
fancy of the cybercriminal. Identity theft could lead to serious problems for the user in
question, such as loss of money or property, getting framed in wrong cases etc. The criminals
involved in phishing often use techniques as varied as social engineering, shoulder surfing,
dumpster diving and XSS based attacks to get the login credentials of the user.
Cyber criminals: Mostly hard-core identity thieves and cyber criminals who live off
stealing the identity of naive and unsuspecting users on the Internet. The cyber criminals are
sometimes part of a bigger mafia that harvests user IDs and data, often to create a botnet which
can then be used to cause all sorts of problems.

4) Real life threats

The type of threats included under this category can include stalking, bullying, paedophilia,
murder, espionage and spying etc. These crimes are carried out in real life but are often planned
and executed with the help of online data gathered not only from social networking
sites but also through blogs and e-commerce sites.
Standout feature: Of all the threats, this is the only threat where mortal danger is at its
highest and hence could be considered as one of the more serious of the four types.
Criminals: The culprits in this type of threat could vary from jilted lovers to paedophiles,
from robbers to teenage bullies. Though this type of threat involves social networking sites,
the people committing the crimes may not necessarily have the best knowledge of the Internet
and its workings, unlike a hacker or a malware writer.

3.5 Chapter Summary

From the analysis of the threats in this chapter, one can compile a table (Table 1)
containing the threats and the solutions which can solve those threats. From the table it is
quite clear that the solutions which can solve the majority of the problems are avoiding
oversharing and tweaking/changing privacy settings to what is safe for the user. In most
cases, if the user is the type who chooses his friends/contacts wisely and his/her friends
likewise choose only the right friends, then the privacy setting that can be assumed best and
safe would be the one which shows the information only to your friends.
There are a few threats that can be tackled if the social networking sites decide to incorporate
some minor policy or design changes. It is important to remember, though, that social
networking sites alone cannot make changes and expect the user not to do anything on their
part. Considering that the thesis revolves around the topic of creating user awareness, one can
ignore the role of social networking sites for now.
If safest privacy settings and safest information were to be considered as two variables (for
the sake of this argument), then it is safe to say that the best and correct values for those two
variables can be as shown below.
Safest privacy settings: Visible to friends
Safest information that can be shared: Name, display picture, email ID.
To summarise the chapter, one can say that the safest privacy settings and the safest shared
information are two variables dependent on each other, such that having one in place can
ensure that the other can be neglected and vice versa, although it is always advisable to
ensure that both variables are kept at their optimal value to ensure better security.
For example, if Alice decides to set her privacy settings as visible to everyone or public, but
shares minimal information with the world, then she has nothing to worry about in
terms of threats. Likewise, if she shares a lot of personal information and content on her
profile pages but has the tightest security settings, in which only her carefully chosen friends
can see that information and content, then again it is safe to argue that Alice can remain
relatively safe from most threats on social networking sites.

Threats (rows): XSS; Phishing; Location tagging; Identity theft; Facial recognition; Real life threats
Solutions (columns): Avoid oversharing; Tweak privacy settings; Anti-virus/user system changes; Changes in site policy, design etc.

Table 1. Table of threats versus solutions

4.0 Game design, scenarios and research methodology

4.1 Rationale behind the game

The idea behind giving the game a quiz based format was to ensure that, while it is an
awareness game, users also learn something new from it. The main purpose behind such a
situation based quiz game was that, unlike a poster or an ad campaign, the user was made to go
through a real life like situation wherein he/she had to make decisions as one would in real
life. Yet at the same time, due to the quiz based nature of the game, the user felt the need to
learn the things being taught. The results in the game only further illustrated this point:
users were quick learners and made fewer mistakes if they were given an example of what they
were being taught.
The game was designed keeping in mind the two types of learning categories, visual learning
and learning through the intellect (Vester, 1998). The questions and the choice of answers
represented the visual learning part, while the decisions the user had to make represented
the learning through intellect.

4.2 General Format of the game

Quiz based format, with various formats of questions like multiple choice questions, fill in
the blanks, select an area (hotspot) etc.
Number of Questions
There will be 8 questions which will test the participant's knowledge of social
networking sites.
Game Setup/Gameplay
The game has been based around a fictional, make-believe character called Freddie, who
is new to the world of social networking. The participant has been chosen to make decisions,
in the form of answers in the game, which will help Freddie out in his venture into social
networking sites.
Users are expected to choose an answer out of multiple options provided to them; in one
scenario the user is expected to fill in the right answer by typing it in a box provided. The
standard response mechanism used in the game is the user's keyboard and mouse. No
other interaction or device is required to take part in the game.
Incentives provided for playing the game
As such, no incentive is provided to take part in this game other than a screen at the end of the
game, before the questionnaire, informing the user of his/her score.
However, the scope of the game could be changed to include more incentives and a reward
system. The limitations with regard to this aspect are discussed in Chapter 6.

Requirements for the game

Flash supported web browser, including Mozilla Firefox, Google Chrome, Safari, and Internet
Explorer 8 and upwards
Time required for completing the game
May vary from participant to participant, depending on how quickly they are able to answer the
questions and move on. An average estimate can be put between 8-10 minutes.
At the end of the game, the participants will be asked for some information like their gender
and age group. The information will be asked for demographic analysis.
Also, there will be a questionnaire in the form of yes or no questions and a Likert scale, wherein
the participant will be asked for feedback on the game and some additional information
about the background and mentality of the user. The information will be used to later evaluate
the success of the game.

Development of the game


The game was designed using software called Articulate Quizmaker 09 and was developed
in Flash.
Hosting of the game
The game was hosted on a learning management system called Articulate Online and the site
has full support for SCORM based score tracking and reporting. Participants were given a
link to the site where the game was hosted and were asked to go to the address to play the
game.

4.3 Game Scenarios and the threats covered

It is possible to divide the game into three distinct scenarios/situations which a user might
come across in their daily life on social networking sites. As previously explained,
participants in the game are expected to help an imaginary character named Freddie, who is
new to the world of social networking sites and therefore doesn't know what to do in certain
situations.
Scenario 1: Passwords and its implications

Scenario 1 contained the theme of passwords and its implications; this scenario has 3
questions based on it.
Importance of passwords and the need for password awareness
Having a strong password is a very basic practice of information security, let alone social
networking security. A good password ensures that cyber criminals cannot easily guess
the password by brute-forcing and/or dictionary based attacks. Social networking
sites and blogs have meant that user information, especially email IDs, is easily available. All a
cyber criminal then has to do is try out various passwords for each email ID that they can
harvest from the Web. The shorter and easier a password, the more quickly and with less
effort the cybercriminal will be able to crack it.
The hack attack on Gawker websites yielded around 188,000 passwords, out of which it was
shown that the top five most commonly used passwords included weak passwords like
123456, password, 12345678, lifehack and qwerty (Broida, 2010). Another common mistake
which users make is to use the same password for more than one account and not change the
password for a long time. By doing so, the user is again putting himself/herself at risk of a
brute force attack. Plus, by using the same password for every possible account, the user is
putting himself/herself at grave risk of compromising the security of all his accounts instead
of just one, as would be the case with a separate password for every account.
Question 1:
The first question tests the user's awareness of what a good password should be like. The
participant has to choose a password from four options containing passwords of
varying strengths and combinations. In the question, the participant is shown helping Freddie
choose a password for his new social network account, thus reiterating the value of having a
strong password.
The options given as answers to the participant are he11o123, Pa55W0rd!=nu11, abc1234 and
25Jan90 (shown as having importance as Freddie's birthday).
Feedback Given: Right Answer
The participant is congratulated for the correct choice and, as a final piece of advice, is
asked to tell Freddie to keep the password safe with him and not to share it with anybody.
This feedback teaches the participant something new even after they got the answer right; this
reiterates to the participant the lesson that learning is a never-ending process and there is
always more to learn and be aware of.
Feedback Given: Wrong Answer
The user is warned in depth about choosing a wrong password. In this feedback, the emphasis is
on the user and not on Freddie. The user is given an explanation of why his/her chosen
password is not strong enough, using the site Password Meter and the weightage the site gave
to each of the passwords depending on their strength.
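An added example (not the game's code, and not Password Meter's algorithm) that compares the four options from Question 1: it sets the naive brute-force estimate against one that first undoes common character substitutions and then looks for dictionary words, sequences and personal data. The extra words, the 10-bit cost per recognised fragment and the birthday rendering are assumptions.

```python
import math
import string

# Top five passwords from the Gawker breach, as quoted in the text above.
GAWKER_TOP5 = ["123456", "password", "12345678", "lifehack", "qwerty"]
# Constructed stand-in for a real dictionary; a real checker uses a large wordlist.
EXTRA_WORDS = ["hello", "null"]
# Common "leet" substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$", "oleastas")
# Assumed cost, in bits, of guessing one known word, sequence or personal fact.
TOKEN_BITS = 10.0


def pool_size(password):
    """Size of the character set a blind brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def find_patterns(password, personal=()):
    """Return (start, end, reason) for every guessable fragment of the password."""
    raw = password.lower()
    plain = raw.translate(LEET)
    hits = []
    for token in personal:                       # birthdays, names, ...
        start = raw.find(token.lower())
        if start != -1:
            hits.append((start, start + len(token), f"personal data '{token}'"))
    for word in GAWKER_TOP5 + EXTRA_WORDS:       # dictionary, with and without leet
        for text in (raw, plain):
            start = text.find(word)
            if start != -1:
                hits.append((start, start + len(word), f"dictionary word '{word}'"))
                break
    i = 0
    while i < len(raw):                          # ascending runs such as abc or 1234
        j = i
        while j + 1 < len(raw) and ord(raw[j + 1]) - ord(raw[j]) == 1:
            j += 1
        if j - i >= 2:
            hits.append((i, j + 1, f"sequence '{raw[i:j + 1]}'"))
        i = j + 1
    return hits


def assess(password, personal=()):
    """Compare the naive brute-force estimate with a pattern-aware one."""
    if not password:
        return {"password": password, "naive_bits": 0.0, "pattern_bits": 0.0, "findings": []}
    # Floor of 2 keeps the logarithm defined for characters outside the four classes.
    per_char = math.log2(max(pool_size(password), 2))
    covered = [False] * len(password)
    findings = []
    for start, end, reason in find_patterns(password, personal):
        if not all(covered[start:end]):          # skip hits that add nothing new
            findings.append(reason)
            covered[start:end] = [True] * (end - start)
    free_chars = covered.count(False)
    return {
        "password": password,
        "naive_bits": round(len(password) * per_char, 1),
        "pattern_bits": round(free_chars * per_char + len(findings) * TOKEN_BITS, 1),
        "findings": findings,
    }


def rank(passwords, personal=()):
    """Strongest first, judged by the pattern-aware estimate."""
    return sorted((assess(p, personal) for p in passwords),
                  key=lambda r: r["pattern_bits"], reverse=True)


# The four options offered in Question 1; the birthday rendering is constructed.
OPTIONS = ["he11o123", "Pa55W0rd!=nu11", "abc1234", "25Jan90"]
FREDDIE_FACTS = ("25jan90",)

if __name__ == "__main__":
    for report in rank(OPTIONS, FREDDIE_FACTS):
        print(report)
```

Under these assumptions Pa55W0rd!=nu11 still ranks first of the four, but most of its apparent strength disappears once the substitutions are undone.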
Question 2:
The second question asks the user whether it is a good idea to use the same password,
especially if the password also happens to be the password of their primary email account.
The user in the game is asked to make this decision on behalf of Freddie, who is thinking of
using the same password for all of his social networking accounts.
The user has to answer by selecting one of two options: Yes or No.
Feedback Given: Right Answer
The user is advised that it is never a good idea to set the same password and is reminded
of the consequences of having all of your accounts compromised in the event of the
password being stolen or guessed.
Feedback Given: Wrong Answer
The feedback given is almost the same as the right answer feedback, except for one
additional rule being taught: that of not having the same user ID/password combination for all
of the accounts on the Internet.
Question 3:
In the third and final question in Scenario 1, the user is asked whether it is a good idea
to stick with the same password and not change it for too long. The question is
asked in the context of Freddie, who has a friend who changes his password every 2-3 weeks.
By setting this example, the user is taught to follow the good practices of friends,
colleagues, family members etc. The answer is again to be chosen from the options
Yes and No.
Feedback Given: Right Answer
The feedback is given in the form of positive praise, saying that Freddie can learn a lot
from the user and his good practices. The user is then taught that by changing his/her password
every 2-3 weeks, the user is ideally made immune against a dictionary attack/brute
force attack.
Feedback Given: Wrong Answer
The feedback given is again similar to the feedback when the right answer is given; the only
difference is that users can click on a hyperlink to a Wiki page about dictionary
and brute force attacks. The user is made aware of the hyperlinked text by having it
underlined and highlighted, very much like an actual link on the Internet (Figure 15). By
using an image, the user is also made aware that it is possible to get away with a weakish
password like he11o123 if the user is ready to change it every 2-3 weeks. This was again
done to ensure that the user is learning new and additional things as often as possible.

Figure 15. The use of hyperlinks to encourage the user to further learn more about a topic

Threats covered in Scenario 1

The lesson that users are made aware of through Scenario 1 is that users are often too casual
in choosing their passwords. Having good privacy settings could count for nothing if the
cybercriminal is able to crack the password and gain first-hand information, logged in as the
user. Having a good password will prevent threats like identity theft and real life
crimes like bullying and harassment carried out by logging into someone's profile and defacing
the profile.
Scenario 2: Phishing and identity theft protection

Scenario 2 consists of just one question and tackles the problem of phishing mails, especially
emails that seem to originate from authentic sources. In the feedback to this question, the user
is also made aware of phishing sites that look very similar to the actual site.

Question 4:
In the question, the user is told of an incident where Freddie receives an email,
supposedly from one of his social networking sites, asking him to send his password back to
them. Freddie is quite upbeat, as the email also contains the logo of the social networking site,
and feels that the email is genuine. The user is asked to help Freddie out with this
conundrum. The answer is again one of two options, Yes and No, with regard to Freddie
emailing his password back.
Feedback Given: Right Answer
The user is praised for giving the right answer and is told not to give away the
password to anyone on the Internet, not even to anyone who asks for it. Freddie is then
shown asking whether he should not share his password on MySpace with the guy who
promised him more friends if he did so. This is to reinforce to the user that various social
engineering methods exist on social networking sites, one of them being asked to share some
detail in return for some bonus points, extra friends, more likes etc.
Feedback Given: Wrong Answer
The user is told not to give away his/her password and is told quite clearly that
social networking sites won't ask for a user's password through email. Also, to alert
users who answered wrongly, who are more likely to also fall prey to phishing sites, an
example of a fake Twitter page is shown which can be loaded by just typing an extra T
carelessly. The site looks almost the same as the actual Twitter page. The user is told to be
careful while typing in addresses and always to double check before hitting enter or clicking.
Threats covered in Scenario 2

The threats covered in Scenario 2 include phishing and identity theft related scenes. The
user is also made aware that there are some mistakes which are self-inflicted, due to
ignorance and a casual attitude while surfing the Internet. It is always better to be safe
than sorry.
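The fake page reached by typing an extra T is a typosquatted host name. As an added example (not part of the game), the check below flags addresses that sit within one edit of a trusted domain or that bury a trusted domain inside another host name; the site list, sample addresses and function names are assumptions.

```python
from urllib.parse import urlsplit

# Sites named in the text; a deployment would load its own list of trusted domains.
KNOWN_SITES = ("twitter.com", "facebook.com", "myspace.com")


def hostname_of(address):
    """Extract the lower-cased host from a URL or a bare host name."""
    text = address.strip()
    if "://" not in text:
        text = "//" + text                 # let urlsplit treat it as a network location
    host = urlsplit(text).hostname
    if not host:
        raise ValueError(f"no host name in {address!r}")
    return host.rstrip(".")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    before_prev = None
    prev = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "te" typed as "et".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], before_prev[j - 2] + 1)
        before_prev, prev = prev, cur
    return prev[len(b)]


def classify(address, known=KNOWN_SITES, max_distance=1):
    """Return ("known" | "lookalike" | "unknown", matched site or None)."""
    host = hostname_of(address)
    for site in known:
        # The trusted domain itself, or one of its subdomains.
        if host == site or host.endswith("." + site):
            return ("known", site)
    bare = host[4:] if host.startswith("www.") else host
    for site in known:
        # Trusted name used as a label sequence inside somebody else's domain.
        if f".{site}." in f".{host}.":
            return ("lookalike", site)
        # One slip of the finger away from the trusted name.
        if osa_distance(bare, site) <= max_distance:
            return ("lookalike", site)
    return ("unknown", None)


# Constructed sample addresses; ".example" is a reserved top-level domain.
SAMPLES = [
    "https://twitter.com/login",
    "http://www.twittter.com/",
    "twitetr.com",
    "https://twitter.com.login.example/reset",
    "example.org",
]

if __name__ == "__main__":
    for address in SAMPLES:
        print(address, "->", classify(address))
```

A verdict of "known" only says the host name matches the trusted list; "unknown" hosts are not judged either way.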

Scenario 3: Oversharing and privacy settings

Scenario 3 has two questions that concern oversharing and privacy settings. The two
questions were clubbed into one scenario because of the argument and the conclusion derived at
the end of Section 3.5, which proves that it is essential for at least one of the two variables to
be set so that the other variable can be neglected, thus also limiting the damage
incurred.
The game tries to make users aware that if they want to share too much information on their
social networking profile, then it is always advisable that they tweak their privacy settings to
ensure that only the right people are able to see that information.
Question 5:
Giving a more real life example, in this question the user is shown Freddie's Facebook
profile and the information contained in it; the user is then asked to point out which
information Freddie is better off not sharing with the public. Freddie's profile includes details
such as work, about me, school, address, telephone number, gender and sexual preferences.
Using a hotspot technology, the user is asked to click on the information which he/she feels
Freddie should not share with the public (those not including his friends/contacts).
Feedback Given: Right Answer
On giving the right answer, the user is told not to share personal information on social
networking sites, which includes information like address, email IDs, birth dates and in some
cases, information like sexual preferences and political views as well. The user is advised that
if he/she wishes to share such information, it is important to change their privacy settings. In
some cases, leaving the privacy settings at default could mean that even non-members of a social
networking site can search for someone on Google by typing their name (Figure 16).
On a final note, the user is advised that it is not necessary to fill in every bit of information
while signing up for a social networking site.
Feedback Given: Wrong Answer
Starting from Question 5, due to the nature of the question and the importance of making the
user aware of the answer and the consequences, the feedback given for a right answer
and for a wrong answer is the same.

Figure 16: Change the privacy settings

Question 6:
Building on the theme of the last question, the user is told that Freddie obviously needs some
help with the sharing of information on his profile. In this question, the user is therefore
asked what they think would be appropriate information for Freddie to share with his
friends/contact list only and with no one else. The user is given multiple options to choose from,
including information like tagged photos and videos of Freddie, status updates, birth dates
etc. This question tests whether the user was able to understand and implement the feedback
given after the previous question.
Feedback Given
The user is advised to share minimal information with others on social networking sites. The
user is also told of the benefits that not only the user stands to gain but also his/her friends and
contacts, who will in turn be hidden if the right privacy settings are put to use by
the user. The user is taught to be responsible by being asked always to double check
with their friends and contacts when tagging or sharing content which also includes
them, as many people often don't like being tagged in photos and videos where they would
rather not be tagged.
Threats covered in Scenario 3
The threats covered in Scenario 3 include location tagging, identity theft, facial
recognition, real life threats like stalking etc. In addition, with the help of Scenario 3,
awareness could be raised about the threats caused by others, including friends
and contacts.
Scenario 4: Privacy Policy

In this scenario, an attempt was made to raise awareness about the user's right to know about
the way his/her information is being used by the social networking site and third party
affiliates of the site. Users are often clueless about the way their information is being used,
stored and processed by the sites; some sites even keep information long after the user
has deleted his account on the particular social networking site (Hasib, 2009).
Question 7:
In the question, users are informed that Freddie fears that his information is being
misused by his social networking sites and possibly even being sold to some affiliate brand.
Freddie, needless to say, is worried and wants to know how his data is being used by the
site. The user is then asked what document he should read on the social networking site that
will explain the situation to him. The users are asked to enter their answer into a blank
box; a hint has been provided for users who know the right answer, but not
completely.
Feedback Given
In the feedback, the user is sympathized with by saying that it is not always possible to
read through every single bit of information that is written in privacy policy type
statements. However, the user is advised to go through only certain points, including
sections like how your information is stored on the site, the measures the site takes to protect
that information, what to do if the user is not willing to share his information etc. By
understanding the user's predicament in reading through pages and pages of information and
jargon involved in a privacy policy, the game makes users aware that its creators
are human just like them and that mistakes tend to happen often.

Threats covered in Scenario 4


Many privacy related and data breach type threats can be avoided if the feedback in Scenario
4 is followed. Scenario 4 also helps the user to avoid situations where the threats are
from third party applications and the site itself.
Scenario 5: Child Protection on Social Networking Websites

The fifth and last scenario in the game involved the often neglected but nonetheless important
issue of child protection on social networking sites and the Web in general. The question
looks at the default privacy settings, required by law, that are enabled on social networking
sites when it comes to under-age children.
Question 8:
In the question, using the example of Freddie's 13 year old cousin, there has been an attempt to
not only make the user aware of some of the default privacy settings to be enabled by the site
but also bring attention to the fact that under-age children often lie about their age on social
networking sites. The final question is again in the form of a Yes or No type answer.
Feedback given
In the feedback, the user is advised to ensure that no kid under the age of 18 can be searched
for by name on social networking sites, as new legislation requires the social networking
sites to make sure that kids under 18 cannot be searched for by their
name. The users are given the responsibility to alert the parents of kids who are lying
about their age on social networking sites. This way the game ensures that the users get to do
their bit in real life and create awareness for others.
Threats covered in Scenario 5
The threats covered include many real life threats like bullying, paedophilia, stalking, kids
being exposed to inappropriate content etc. Scenario 5 is helpful for raising
awareness not only on the part of parents and adults but also on the part of kids,
although the target audience of the game being designed was adults.

4.4 Research methodology

Sample Size

For analysis and evaluation purposes, the game was to be played by 30 individuals. The 30
individuals chosen were all above the age of 18, and the game would only proceed if the user
confirmed that he/she was an adult.
Getting the sample size to play the game

The game was hosted on the site called Articulate Online, wherein the author had an account
with administrator privileges. Once the sample size of 30 was determined, each of those
participants was sent a mail with the link to the site and the consent form. Before playing the
game, participants were to go through the consent form and agree to the data usage
conditions and the reasons why the data was collected. The participants, if willing to
participate, had to sign and send the consent form back to the author. The game itself also
contained various rules and regulations, and the user had to agree to all of them before
proceeding with the game.

Data collection, analysis and storage

The Articulate Online site is a learning management system (LMS) site where user tracking
and report generation enable score following and analysis. The results can be viewed in user
defined formats, and it is up to the administrator to decide which reports he/she chooses
to see (Figure 17). The reports can be arranged and viewed by answers given, player scoring
patterns etc. There is also an option of selecting a custom report for the results depending on
the various needs of an administrator (Figure 18).
The results are stored on the site itself, and as such the data remains safe and protected, as
access to the backend of the site is regulated by the administrator user ID and password. The
participants in the game need not know any user ID and password and can start playing the
game from the link emailed to them. The results can be exported in .CSV format.

Figure 17. Options in which the report can be viewed

Figure 18. Custom report options

4.5 Chapter Summary

In this chapter, we saw that the game titled Help Freddie has basically been divided into 5
scenarios that tackle a variety of social networking awareness issues and threats like privacy,
identity threat, phishing etc. In the next chapter, a detailed analysis of the results of the game
and its implications will be discussed.

5.0 Analysis of the game results and evaluation

5.1 Question wise breakdown of the score

Question 1: Password Strength

Right answer: Pa55w0rd!=nu11


Number of participants who got it right: 17 (out of 30)

[Chart: Question 1 (Right, Wrong)]

Question 2: Same password for all accounts

Right Answer: No
Number of participants who got it right: 14 (out of 30)

[Chart: Question 2 (Right, Wrong)]

Question 3: One single password for the rest of life

Right Answer: No
Number of participants who got it right: 14 (out of 30)

[Chart: Question 3. Legend: Right, Wrong]

Question 4: Email from social networking site

Right Answer: No, Freddie shouldn't email them his password


Number of participants who got it right: 26 (out of 30)

[Chart: Question 4. Legend: Right, Wrong]

Question 5: Profile information that needs to be hidden from public view

Right Answer: Clicking on the area inside the red marking


Number of participants who got it right: 24 (out of 30)

[Chart: Question 5. Legend: Right, Wrong]

Question 6: Profile Information details

Right Answer: All the options circled in the above diagram (To get the answer correct, the
participant must select all of them)

Number of participants who got it right: 21 (out of 30)

[Chart: Question 6. Legend: Right, Wrong]

Question 7: Privacy Policy

Right Answer: Privacy Policy or privacy policy


Number of participants who got it right: 10 (out of 30)

[Chart: Question 7. Legend: Right, Wrong]

Question 8: Under-age profile search

Right Answer: Yes, Freddie's cousin is lying about something


Number of participants who got it right: 24 (out of 30)

[Chart: Question 8. Legend: Right, Wrong]

5.2 Questionnaire Results


1) Gender: Male or Female

[Chart: Gender. Legend: Male, Female]

2) Age Group

[Chart: Age Group. Legend: 18-24, 25-34, 35-44, 45-54]

3) Have come across such an awareness-based game before

[Chart: Users who have played such a game before. Legend: Yes, No]

4) Whether participants read the feedback only if their answers were wrong

[Chart: Whether participants read the feedback only if answer is wrong. Legend: Yes; Read it
even after the answer is right; Didn't read irrespective of the answer]

5) On which social networking sites do participants have an account

[Chart: Accounts on social networking sites. Legend: Facebook, Only Facebook, Twitter,
Myspace, Orkut, LinkedIn, Google+, Bebo, Other]

6) Opinions on the Quiz

a) Better way to learn about awareness than a video or a conference


[Chart: Better way to learn about awareness than a video or a seminar. Legend: Strongly
disagree, Disagree, Neutral, Agree, Strongly Agree]

b) I am very good with computers/social sites (Knowledge about computers and Social
networking sites)

[Chart: Response to the question whether users were good with computers and social
networking sites. Legend: Strongly disagree, Disagree, Neutral, Agree, Strongly Agree]

c) I find it easy to find information about security issues as discussed in the game

[Chart: Response to the question whether users find it easy to find information about similar
security issues. Legend: Strongly disagree, Disagree, Neutral, Agree, Strongly Agree]

d) I know where to look within a particular social networking site for information

[Chart: Response to the question whether users know where to look within a social networking
site for information on issues. Legend: Strongly disagree, Disagree, Neutral, Agree,
Strongly Agree]

e) Whether users will teach the new information learned in the game to their
friends/colleagues/family

[Chart: Response to the question whether users will teach the new aspects learned in this game
to their friends/family/colleagues. Legend: Strongly disagree, Disagree, Neutral, Agree,
Strongly Agree]

5.3 Analysis in depth

This subsection takes a closer look at some of the more substantial findings in the effort
made to create user awareness and educate the users about the social networking sites.

Scenario based results

Scenario 1: Password Awareness

Scenario 1 contained three questions and 51 per cent of the users were able to get the
questions in this scenario right, with Question 1 being answered correctly by 56.66% of the
users, while only 46.66% of the users were able to get Questions 2 and 3 right.
Question 1 was about selecting a strong password and 18 out of the 30 people had chosen the
right password, Pa55W0rd!=nu11
Even amongst the users who got the answer wrong, 8 of them chose what can be considered
the second best password out of the four, i.e. he110123.
The percentages of answers given by the users can be seen in Figure 19.


Figure 19: Proportion of users who gave answers to Question 1


This is a good sign considering that although 43% of the people chose the wrong password,
even among the wrong passwords, the users chose a password which is comparatively stronger
than the other three.
Question 2 was about deciding whether it is safe to use the same password for every account,
especially if the same password happens to be your email ID. In a statistic showing poor
awareness, 14 of the 30 users said that it is not okay to do so, while the remaining 16 said it is
fine if the same password is used. There is room for improvement with regards to this area
of security.
Users show a lack of awareness in Question 3 as well, as the same proportion of people
got the answer wrong in this one. 47 per cent gave the right answer while almost
53 per cent of the users felt that it is alright to have one single password throughout the
duration of an account and never change it at all.

Level of awareness

The level of awareness shown by the users in this scenario of password protection seems to
be scarce and there is definite scope for improvement in this area. Social networking
sites can highlight this issue by targeting the users with weak passwords during account
registration and giving them timely reminders to keep changing the password once every month
or so.
Final Verdict: Users should have better password usage schemes, including having a strong
password, with different passwords for different accounts, and adopt the practice of
changing passwords every now and then.

Scenario 2: Phishing and identity theft protection

Scenario 2 involved just one question which tested the users' ability to
differentiate a phishing mail from an authentic mail, and therefore tested whether they are
alert enough to stay away from phishing based scams and sites.
On a very positive note, one can see that the majority of the users gave the right answer, proving
that the users can actually recognise a phishing based message. 87% of the users said that
Freddie should not send his password to the bogus site masquerading as his social networking
site, while just 4 out of the 30 seemed to think that the mail was authentic and
originated from the site itself.

Level of awareness

The level of awareness shown by the users with regards to identifying phishing type emails
and sites can be said to be more than satisfactory. With the majority of the users seemingly
aware of the threat, it can be said that creating more awareness is easy, as the users who
already know about the problem can educate their friends/contacts and family.
Final Verdict: Social networking sites must keep reminding the users about the threats of
spoofed versions of their sites. The sites should also inform the user of any login changes or
layout changes beforehand so that the user does not get confused between a phishing site and
the actual changed site.

Scenario 3: Oversharing and privacy settings

Scenario 3, which focussed on the problems of oversharing and the use of privacy settings, had
two questions.
The first question (Question 5 overall) in Scenario 3 tested the users' knowledge of what
information should and should not be shared with the general public. After
looking at the results, it is fair to say that 80 per cent of the users know what is right to be
shared and what is wrong. In the question, Freddie had openly listed his telephone number
and address to be viewed by anyone, even those who are not his friends, and barring just 6 of
the 30 users, the others had realised that this is not a very safe practice and Freddie should not
do so.
The second question (Question 6 overall) in this scenario followed on from the previous
question and set users the task of deciding what content is not safe to share, like telephone
numbers and address. 21 out of the 30 respondents knew what information should be shared
with your friends only and not with strangers. Unsurprisingly, 18 of the 24 users who
gave the correct answer to the previous question were also able to answer this one accurately,
implying that awareness can be created and people respond better if we are able to
link pieces and logical steps together while creating awareness and explaining. The relation
between those who gave right answers for Question 5 and Question 6 is shown in
Figure 20.

Figure 20: Number of users who answered Question 5 correctly: 24, out of which the
number of users who also answered Question 6 correctly: 18

Level of awareness

The level of awareness around Scenario 3 can be deemed satisfactory, besides the fact that
3/4th of the users who got Question 5 correct also got Question 6 correct, which proves
that the user is able to relate some of the information being presented to them and that they
are learning and putting into practice what was taught in the previous question/slide. Again,
due to the higher ratio of users giving the right answer, one can rest assured that the task of
creating awareness for the other users is not a problem, as the right users can be counted on to
spread the information around.
Final Verdict: Social networking sites must include a program of rewarding profiles and
users with exemplary security settings and use them as a model for teaching the other users in
that particular user's network. This will work in two ways, as the user will feel happy for
being appreciated for his good work and at the same time, the user will then assume some of
the responsibilities of creating awareness and raising the standards of other users.

Scenario 4: Privacy Policy

Scenario 4 contains one question which tests the knowledge of the user with regards to
privacy policies and what they are all about.
Users were asked what document they must go through to ensure that the information that
they share on social networking sites is not being misused by the site and being sold to a
business partner. The correct answer was Privacy Policy, and provisions were made in the
design of the game to accept variants of the term in lowercase characters and
mixed case as well. However, even with the option of flexible answers and a hint provided,
only 33 per cent of the users were able to get this answer right. Of the 20 people
who answered wrongly, 13 had the term "privacy" in their answer in some form or the
other, and one user even had "terms of conditions" as an answer, which contextually speaking is not
too far from being right.

Level of awareness

The level of awareness shown by the users in Scenario 4 can be deemed poor and could
definitely improve a lot. The reason for such a huge majority of users getting the answer
wrong could perhaps also be the nature of the question and the way the users had to
answer by themselves rather than selecting from multiple options. As discussed, 65% of the
users who had answered wrongly had managed to guess the word "privacy" accurately, which
definitely shows us that users are not as unfamiliar with the concept of privacy policy and data
protection as the figures would tell you.
Final Verdict: Reading through the monotonous pages can be gruelling and boring and the
users are often right in skipping through the privacy policy, but it is very important to know
some of the finer points of the privacy policy. It is also always important to know exactly
which third party apps are installed on or part of your social networking sites and what information
they are accessing. The social networking sites should try bringing in a much more concise
version of the privacy policy which touches all the important points; this version can then be
given to users to read at the time of registration/signing up.

Scenario 5: Child Protection on Social Networking Websites

The final scenario in the game involves just one question and is about child protection
techniques. The question was included keeping in mind the growing number of teens/underage
kids on social networking sites. Even though not every user may have a kid of their own, they
would at least know someone who has a kid who is on social networking sites. An average of
8 users out of 10 users were able to get the right answer to the question. The question was
about how kids often lie about their age on social networking sites so as to open an account
and make new friends.

Level of awareness

The level of awareness shown by the users in tackling the situation of young kids lying about
their age online, and their know-how of the general restrictions made by social networking sites
when it comes to accessing information about under age kids, is commendable indeed. The
users must ensure that they do report any mischievous accounts to either the rightful
guardian/parent of the kid or to the social networking site itself. Being aware of the
facts yet turning a blind eye towards real life incidents should be avoided.
Final Verdict: Social networking sites and parents both have an important role to play in
protecting young children online. It is best that the social networking sites and parents
work together in trying to combat some of the problems and dangers that lurk around on
social networking sites. Parents should be watchful of kids, yet teach them about the various
problems that can exist and how to avoid them by setting an example themselves. Social
networking sites on their part must work hard to ensure tighter regulations and strict age
checking policies before allowing kids to sign up for their services.

Important points

Users have the ability to link situations and developments, therefore in awareness
campaigns and teachings, there should be an emphasis on letting the user link and correlate
what they are seeing and learning. Awareness campaigns should be followed by
a little practical and hands-on experience session where, if possible, the user should be
tested for what he/she just learned. In traditional learning methods this has helped the
students better understand and retain the information for a longer period of time.

Users are still unaware of their privacy options and rights to information disclosure.
Making the user alert to these very same facts will go a long way in preventing the loss
of information. Making every single user aware and protective of his/her very own
information could also mean that the users in due time will learn the value of others'
information as well.

The matter of password awareness will prove handy for a user not only for the safety
of his/her own social networking accounts but also of the organization or company
they might be working for. Information security often revolves around having good
password ethics and maintenance. After going through the results of the game, awareness
about the same can be said to be poor and in need of improvement.

5.4 Evaluation of the game

Questionnaire analysis

Demographic structure

The number of male respondents to the game was more than the number of female
respondents, with 17 male respondents and 13 female respondents.
The number of young people taking part in the game was also higher, with 60% of
the respondents falling in the age group of 18-24, followed by middle aged people (35-44)
making up 20% of the sample size of 30 people.

New Concept

One of the questions that was asked to the users was whether they had come across such an
awareness creating game before on the same topic. A staggering 80 per cent of the users had
never come across such a game before, while just 6 out of the 30 said that they had played
such an awareness raising game before this. In fact, the users who did say that they had come
across such a game before were also among the highest and better scorers amongst the users.
The six users who said that they had played such an awareness based game before averaged
83.33% in their individual tests, while the remaining users averaged a paltry 27.60%
individually amongst them. This can be used to say that perhaps the users who had played such a
game before were more aware of the threats involved in social networking sites and hence more
prepared and knowledgeable than the others. This proves that awareness schemes like the
game developed in the thesis are useful and can be used to spread knowledge.

Reluctant and uncaring users

The users were asked whether they take the pains to read the feedback provided after each
question and under what circumstances. The results obtained from the question can be
summarised in Table 3 as shown below.

| Option chosen | Did not read irrespective of the answer | Read it even after the answer is right | Read it only if the answer is wrong |
|---|---|---|---|
| Percentage | 66.67% | 26.66% | 6.67% |
| Out of 30 | 20 | | |

Table 3: Table of user attitude towards the feedback


The table shows that the majority of the users did not read the feedback either way, whether
their answer was wrong or right, while 6.67% read it only when their answer was wrong.
Interestingly, the number of people who read it even after their answer was right was
higher than the number of people who read it only after their answer was wrong.
Another interesting fact is that out of the people who had earlier said that they had come across a
similar awareness based game, half of them did not read the feedback irrespective of the
answer, while one of them said that he/she reads the feedback even after the answer is right.
This proves that a certain section of the people who had played a similar game before were
beginning to get cocky about their knowledge and felt the need to skip through those
feedback stages.

Channel the right attitude

The attitude of the experienced user, so to speak, in this scenario must be kept in mind while
designing feedback and suggestions during awareness based games. The overconfidence of
the experienced user should be channelled and put to better use in educating other less
experienced and new users.

Facebook triumphs again

Towards the end of the questionnaire, just to get a general feel of the user preferences and
choices, the users were asked to choose from a list the social networking sites on which they
have an account. It came as no surprise that Facebook was on top, with all 30 of the
participants having an account on Facebook; in fact, two of the respondents had a
presence on only one site, that being Facebook. Twitter and MySpace weren't too bad
either, unlike Bebo, which had no representatives in the survey, while the newly
opened Google+ had only one user out of the thirty surveyed. The following facts were
also established in addition to individual site dominance.

People with accounts on only two social networking sites: 15
People with accounts on 3 social networking sites: 8
People with accounts on more than 3 sites: 6

Therefore one can say that, on average, the majority of the users have accounts on at least
two social networking sites.

Facebook centric plans

While many would say that they knew that Facebook had the highest audience, the study
conducted proves that while creating an awareness program or scheme, it would be acceptable
to design it around the way Facebook works and the various settings and tweaks central
to it. Due to the vast number of users on Facebook, it is okay if Facebook related settings and
problems are discussed, as users can relate to them and the equivalent setting for another site
can be applied afterwards. Basically, Facebook can be used as the framework for explaining
security concepts and planning new solutions. During parts of the thesis, the author has followed
the same ideology and has analysed the situations and even developed game scenarios using
Facebook's functionality.

Opinions on the quiz

Half of the surveyed users agreed that this way of creating awareness was better than
many of the other methods like attending a seminar or watching a video, while around 14%
disagreed with the notion, saying that perhaps the seminar and video method is better. Around
37% of the users were neither here nor there when asked to choose whether the game was a
better way to create awareness.

Moderate success achieved

In terms of the aim of the game, namely ensuring that the user will enjoy and look forward to
such games more than a lecture on security awareness, one can say that the aim has been
achieved. 15 out of the 30 have said that this method is better than other means like video and
conferencing.
It came as no surprise that people who agreed or strongly agreed that they have good
knowledge of the way computers and social networking sites work were some of the higher
scorers in the quiz, with an average score of 69.64%.
This proves that people who have a technical background or a general idea of the way
computers and the Internet work are less at risk online than, say, someone who isn't so good
with computers and the Internet.
In the next question as well, it doesn't come as a surprise that users who said that they find it
difficult to find information on the Internet related to such security threats are some of the
low scorers in the game.
Lastly, one out of three users surveyed said that if they found something new in this game
they will go ahead and teach it to their friends and contacts alike. 13 out of the 30, however,
took a neutral stance with regards to teaching others. This could perhaps be down to the fact
that users sometimes don't like sharing experiences which happened to them or are related to
them. So it could be possible that out of the 13 who said they were neutral on the topic,
some of them could have had some past experiences which they don't want to recall
by advising others on the same topic.


5.5 Chapter Summary

In this chapter, there were a couple of key findings that can be summarised as follows:

Users must be given more responsibility when it comes to creating awareness
amongst each other. Users who had come across a similar awareness related game
were some of the higher scorers in the game, hence proving that being aware
of a threat not only makes you more knowledgeable but also tends to put you in a position to
teach others the same.

There is still a certain amount of ignorance when it comes to the principles of
password protection and usage. It is one of the most basic security mechanisms, not
only for social networking sites but even for information security in general, and
therefore must be taken better care of.

Users react better if they are made aware of a certain piece of knowledge by linking it with
something. Besides, if a user is given a chance to actually test his newly gained
knowledge by putting it into practice straightaway, not only are the chances of the user doing well
in that test higher, but so are the chances of the user retaining that information for a
longer period of time.

Sometimes it is possible for a user to get overconfident if he/she seems to be over
familiar with a concept or idea. However, instead of letting that attitude stand and
rot, one must channel it into ensuring that the user becomes an example
for less fortunate users and helps those users learn. Being given a sense of
responsibility is sometimes enough to get the best out of someone.

A positive response was received with regards to the concept of using a game to
create awareness, as half of the users taking part in the game felt that the idea was a
better one than creating awareness on the same issue using a seminar or video.

6.0 Conclusions and Future work

Due to the growing influence of social networking sites and the various issues that go with it,
social networking sites will remain a favourite topic of research amongst many. Every single
piece of research that has been carried out on social networking sites before this has enabled the
world to know more about the social networking sites, their users, the various threats involved
in them and what the future holds for them.
This thesis was a similar attempt at trying to understand and discuss some of the threats
involved in social networking sites. By understanding the threats, one was able to come up
with various solutions for them. The threats were identified and ways were found to create
awareness about them. The game was then designed keeping in mind some of the bigger
threats discussed, and the focus of the game was to create awareness about the threats by
using some of the solutions discussed in the various sub-sections of Section 3. The
development of the game was meant to be an important part of this thesis as it would help the
users in raising awareness. Once the game was designed, the focus shifted to evaluating the
results of the game and seeing whether it was able to raise any awareness on the part of the
user. As analysed in Sections 5.3 and 5.4, the game was able to create some amount of
difference and the users seemed to moderately think that the game was an alternate and better
way of creating awareness (Section 5.4, Opinions on the quiz sub-section). Overall, the thesis
was able to meet the aims and objectives it was supposed to with respect to the working
and the analysis. There were a few shortcomings, which will be discussed in the
next section. To conclude, one can say that educating users about security in general, let alone
social networking security, will remain an on-going process and that for it to be a success both
the user and the social networking sites have to make many efforts.


6.1 Limitations of the work

A brief attempt will be made to understand how the game could have been better by
discussing its limitations with respect to aspects like the development of the game, its format
and implementation.

Development of the game

The development of the game with respect to its design and game play could have been much
better. More Flash based animations could have been used to make the game a little bit more
fun, especially if in the future such awareness based games need to be targeted at a younger
audience.

Format of the game

The game at present was developed in the format of a quiz, the idea behind the format being
that a question and answer format would be more useful for creating awareness among the
users. In the future, the game and its format could be much enhanced. Even while
developing a quiz based format, the questions and scenarios in the game could have more
interactive options.

Rewards and Appraisal in the game

The way the users are rewarded after the game could have been better. For example,
users could be given some points or a virtual badge that they can then display or use on their
actual social networking profiles. This way the good users can show their friends and
contacts how they are a good example of security. This will cultivate an environment of
learning from one another and give a sense of responsibility to the user.
The development of the game with respect to its design and game play could have been much
better. The time constraints that arose during the course of the thesis meant that the game had
to suffer a lot in terms of its face value and user friendliness. The game could have been more
fun and interactive than it is at present. Also, due to the fact that user attention was to be kept
during the entire game, the length of the game had to be shortened and many of the scenarios
had to be left out. More Flash based animations could have been used to develop a game
simulating a real life social networking site, wherein the user would have to go through the
motions of an everyday social networking site. The time constraint on the game being sent out
and the results needing to be submitted in the thesis meant that proper demographical
analysis of the results was not possible.

6.2 Scope for Future work

There is definitely a lot of potential for future work on this particular thesis and the
development of the game. In Section 5.4, New Concept sub-section, there are signs that not
many users are familiar with raising awareness through the use of a game and that users will
find it interesting and worth giving a try again if such an attempt is made. Also, in Section
5.4, Opinions on the quiz sub-section, the users have responded kindly to the idea that this
concept of raising awareness through an interactive game based medium can be better and much
more fun than current means. Therefore there is definitely scope for future work, as newer
trends are also emerging every day. Not to mention that Google's foray into the world of social
networking sites with Google+ means that there is not only a new site for users to explore but
also one for cyber criminals to exploit, taking advantage of any unfixed bugs due to the beta
nature of the site.

References:

101

Academia (2011). About Academia.edu [online] Available at : http://academia.edu/about


[Accessed on 9 July 2011]
Acquisti, A., Gross, R.(2009). Predicting social security numbers from public data.
Proceedings of the National Academy of Sciences of the United States of America, 106(27)
pp.10975-109780.
Acquisti, A., Gross, R., Stutzman,F.(2011). Faces of Facebook: Privacy in the age of
augmented reality. (Draft Version) BlackHat USA 2011
Anderson, P. (2007). What is Web 2.0? Ideas, technologies and implications for education.
Proceedings of the JISC Technology and Standards Watch, Feb 2007. [online] Available at:
http://www.jisc.ac.uk/media/documents/techwatch/tsw0701b.pdf [Accessed on 16 June 2011]

Antukh, A.(2010). XSS Vulnerabilities in Russian Social Networking Site VKontakte [online]
Available

at

http://www.securelist.com/en/blog/414/XSS_Vulnerabilities_in_Russian_Social_Networking
_Site_VKontakte [Accessed on 25 July 2011]

Backstrom, L., Huttenlocher, D., Kleinberg, J., Lan, X. (2006). Group formation in large
social networks: Membership, growth, and evolution. Proceedings of 12th International
Conference on Knowledge Discovery in Data Mining, New York, USA, pp. 44-54.

Barrett, D.(2007). Crime risk warning to users of social networking sites [online] Available
at:

http://www.independent.co.uk/news/uk/crime/crime-risk-warning-to-users-of-social-

networking-sites-400062.html [Accessed on 7 August 2011]

BBC News (2007). Facebook costs businesses dear. BBC News [online] (last updated 11:40
GMT on 11th September 2007) Available at: http://news.bbc.co.uk/1/hi/6989100.stm
[Accessed on 8 July 2011]

102

Bausch, S., Han, L. (2006). Social Networking Sites Grow 47 Percent, Year After Year,
Reaching 45 Percent of Web Users, According To Nielsen//Net ratings [online] Available at:
http://www.nielsen-online.com/pr/pr_060511.pdf [Accessed on 7 July 2011]

Boyd, D.M., Ellison, N.B. (2007). Social network sites: Definition, history, and scholarship.
Journal of Computer-Mediated Communication, 13(1), article 11.

Bright, P. (2011). How the London riots showed us two sides of social networking [online]
Available

at

http://arstechnica.com/tech-policy/news/2011/08/the-two-sides-of-social-

networking-on-display-in-the-london-riots.ars [Accessed on 21 August 2011]

Broida,

R.(2010).

Password

Choices

[online]

Available

at

http://www.bnet.com/blog/businesstips/the-gawker-leak-how-to-protect-your-business-frompoor-password-choices/9976 [Accessed on July 16 2011]

Cashmore, P.(2010). Twitter Phishing Attack spreading via Direct Message [WARNING] [online]
Available at : http://mashable.com/2010/02/20/twitter-phishing-attack/ [Accessed on 23

August 2011]

CIFAS(2011). Fraudscape Depicting the UKs fraud landscape [online] Available at :


https://www.cifas.org.uk/secure/contentPORT/uploads/documents/CIFAS%20Reports/CIFA
S_Fraudscape_2011.pdf [Accessed on 31 July 2011]

Coleman, D.(2009). Social Networks Around The World [online] Available at:
http://www.readwriteweb.com/archives/post_2.php [Accessed on 19 July 2011]

Consumer Reports (2010). Social insecurity. What millions of online users don't know can
hurt

them

[online]

Available

http://www.consumerreports.org/cro/magazine-

archive/2010/june/electronics-computers/social-insecurity/overview/index.htm [Accessed on
24 June 2011]

103

Christofides, E., Muise, A., Desmarais, S. (2011). Hey Mom, Whats on Your Facebook?
Comparing Facebook Disclosure and Privacy in Adolescents and Adults. Social
Psychological and Personality Science. May 17, 2011 1948550611408619, first published on
May 17, 2011 doi:10.1177/1948550611408619

Cluley, G.(2011). Facebook changes privacy settings for millions of users - facial recognition
is enabled [online] Available at: http://nakedsecurity.sophos.com/2011/06/07/facebookprivacy-settings-facial-recognition-enabled/ [Accessed on 29 June 2011]

comScore(2009). Social Networking Sites Account for More than 20 Percent of All U.S.
Online Display Ad Impressions, According to comScore Ad Metrix.Press Release, 1
September, 2009.

comScore(2011). The comScore 2010 European Digital Year in Review. comScore Inc.

Donath, J., Boyd, D. (2004). Public displays of connections. BT Journal, 22(4).

Dryza, K.(2009). Hub Culture: For those who see the world on a global basis [online]
Available at : http://davidreport.com/200906/hub-culture-for-those-who-see-the-world-on-aglobal-basis/ [Accessed on 5 July 2011]

Ducklin, P. (2010). Automatic photo tagging: Facebook friendships get creepier [online]
Available at: http://nakedsecurity.sophos.com/2010/12/17/facebook-friendships-get-creepier/
[Accessed on 29 June 2011]

Dwyer, C. (2007). Digital relationships in the MySpace generation: results from a


qualitative study. In: Proceedings of the 40th Hawaii International Conference
on System Sciences (HICSS), Hawaii, 2007.

Erlich, Y-D (2010). Beyond the Check-In: Where location-based networks should go next
[online] Available at : http://mashable.com/2010/07/01/location-social-media/ [Accessed on 9
August 2011]
104

Everett, C. (2009). Social networking - a risk to information security? [online] Available at:
http://www.infosecurity-magazine.com/view/2503/social-networking-a-risk-to-informationsecurity/ [Accessed on 17 June 2011]

Francisco, B (2006). Social networks vs. dating sites Commentary: Fragmenting may save
online dating sites [online] Available at : http://www.marketwatch.com/story/dating-sites-vssocial-networks [Accessed on 7 July 2011]

Friedkin, N., Johnsen, E. (1999) Social influence networks and opinion change. Advances in
Group Processes, vol. 16, pp. 129.

Gaudin, S. (2011) Social networks credited with role in toppling Egypt's Mubarak
Activists used Facebook, Twitter, YouTube to mobilize during protests [online] Available at:
http://www.computerworld.com/s/article/9209159/Social_networks_credited_with_role_in_toppli
ng_Egypt_s_Mubarak [Accessed on 12 August 2011]

Gill, C.(2010). The Facebook crime wave hits 100,000 in the last five years. Daily Mail,
[online]

(Last

updated

7:59

AM

on

14th

December

2010)

Available

at:

http://www.dailymail.co.uk/news/article-1338223/Facebook-crime-rises-540-cent-3-yearspolice-chiefs-16-forces-reveal.html [Accessed on 18 July 2011]

Get Safe Online (2007). Press release #8: Social networkers and wireless networks users
provide

"rich

pickings"

for

criminals

[online]

Available

at

http://www.getsafeonline.org/nqcontent.cfm?a_id=1469 [Accessed on 12 July 2011]

Grossman, J. (2006). CROSS-SITE SCRIPTING WORMS AND VIRUSES


The Impending Threat and the Best Defense [online] Available at : http://www.netsecurity.org/dl/articles/WHXSSThreats.pdf [Accessed on 25 July 2011]

Haythornthwaite, C. (2005). Social networks and Internet connectivity effects. Information,


Communication, & Society, 8 (2), 125-147.

105

Hasib, A.A., (2009). Threats of Online Social Networks. International Journal of Computer
Science and Network Security, 9(11), pp.288-293

Hogben, G., (2007). Security Issues and Recommendations for Online Social Networks.
ENISA Position Paper No.1

Huang, L.(2008). Protecting the Wilfully Ignorant. Newsweek(Atlantic Edition), 151(12),


pp.12

HubCulture (2010). Ven Now

Includes

Carbon Futures

[online]

Available at:

http://www.hubculture.com/groups/237/news/486/ [Accessed on 8 August 2011]

Hudson Horizons(2011). Types of Social Networking Websites [online] Available at:


http://www.hudsonhorizons.com/Custom-Website-Solutions/Social-Networking/Types-ofSocial-Networks.htm [Accessed on 31 July 2011]

John,N.(2010). Does WikiLeaks have any privacy issues? [online] Available at:
http://privacy.sociothink.com/?p=110 [Accessed on 16 July 2011]

Jagatic, T.N., Johnson, N.A.,Jakobbson, M., Menczer, F. (2007). Social Phishing.


Communications of the ACM,50(10)

Kabay, M.E. (1993). Social Psychology and INFOSEC. The Risks Digest, 15(16)

King, R.(2006). CEO Guide to Technology: Social NetworksWhos Harnessing Social


Networks?

BusinessWeek.

[online]

Available

at:

http://images.businessweek.com/ss/06/09/ceo_socnet/source/1.htm [Accessed on 24 June


2011]

106

Lai. E. (2005). Teen uses worm to boost ratings on MySpace.com [online] Available at:
http://www.computerworld.com/s/article/105484/Teen_uses_worm_to_boost_ratings_on_My
Space.com [Accessed on 19 June 2011]

Lampe, C., Ellison, N., & Steinfield, C. (2007). A familiar Face(book): Profile elements as
signals in an online social network. Proceedings of the SIGCHI Conference on Human
Factors in Computing Systems (pp. 435-444). New York: ACM Press.

Lawler, P.J., Molluzzo, C.J.(2011). A survey of first-year college student perceptions of


privacy in social networking. Journal Of Computing Sciences in College. 26 (3), p36-41.
[accessed on 28 January 2011]

Leitner, P., Grechenig, T. (2008). Social Networking Sphere: A Snapshot Of Trends,


Functionalities and Revenue Models. Proceedings of the IADIS International Conference on
Web based communities 2008. Amsterdam, The Netherlands, 24-26 July 2008.

Levy, A.(2009). Teenage office worker sacked for moaning on Facebook about her 'totally
boring' job [online] (last updated at 8:09 PM on 26 February)

Available at :

http://www.dailymail.co.uk/news/article-1155971/Teenage-office-worker-sacked-moaningFacebook-totally-boring-job.html

[Accessed

on

August

2011]

Lippa, R.A.(1990). Introduction to Social Psychology. Wadsworth


(Belmont, CA). ISBN 0-534-11772-4.

Lineberry, S.(2007). The Human Element: The Weakest Link in Information Security
[online]

Available

at

http://www.journalofaccountancy.com/Issues/2007/Nov/TheHumanElementTheWeakestLink
InInformationSecurity.htm [Accessed on 12 August 2011]

LiveJournal(1999).How did LiveJournal get started? Who runs it now?[online] (last updated
on

23rd

November

2010)

Available

at:

http://www.livejournal.com/support/faqbrowse.bml?faqid=4&view=full [Accessed on 18
June 2011]
107

Livingstone, S., lafsson, K., Staksrud, E. (2011) Social networking, age and privacy. EU
Kids Online, London, UK.

LSIS(2011). Calderdale College: Using social networking sites in teaching and learning
[online] Available at : http://www.excellencegateway.org.uk/page.aspx?o=157204 [Accessed
on 25 August 2011]

Lyon, D. (1997) Cyberspace sociality. Controversies over computer-mediated relationships,


in Loader, B.D. (Ed.): The Governance of Cyberspace, Routledge, London, UK.
McDowell, M. (2006). Staying Safe on Social Network Sites. [online] Available at:
http://www.us-cert.gov/cas/tips/ST06-003.html [Accessed on 21 June 2011]

Manhattan Police Department(2010) Facebook Scam-Please remember...if it seems too good


to

be

true,

it

probably

is!

[online]

Available

at

https://www.facebook.com/note.php?note_id=434597650328 [Accessed on 21 July 2011]

Mitnick, K.D., Simon, W.L. (2002). The art of deception: Controlling the Human Element of
Security.California:Wiley and Sons

Mook, N.(2005). Cross-Site Scripting Worm Hits MySpace [online] Available :


http://betanews.com/2005/10/13/cross-site-scripting-worm-hits-myspace/ [Accessed on 7
August 2011]

Nations, D. (2011). Pet Social Networks A List of Social Networks for Pet Lovers [online]
Available

at:

http://webtrends.about.com/od/socialnetworks/tp/pet-social-networks.htm

[Accessed on 2 June 2011]

Network World(2010).

Top 10 Social Networking Threats [online] Available at:

http://www.networkworld.com/news/2010/071210-social-network-threats.html?page=1
[Accessed on 15 June 2011]

108

Nielsen

(2009).

Global

Faces

and

Networked

Places

[online]

Available

at:

http://blog.nielsen.com/nielsenwire/wpcontent/uploads/2009/03/nielsen_globalfaces_mar09.pdf [Accessed on 20 June 2011]

Norton

(2009).

Kids

Top

100

Searches

of

2009

[online]

Available

at:

http://onlinefamilyinfo.norton.com/articles/kidsearches_2009.php/ [Accessed on 31 July


2011]

OWASP (2010). Cross-site Scripting (XSS) [online] (last updated at 00:36 on 20th October
2010) Available at : https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) [Accessed
on 23 May 2011]

Patil,S. (2010). Fake Survey Seeking Opinions on Social Networking Features [online]
Available at : http://www.symantec.com/connect/blogs/fake-survey-seeking-opinions-socialnetworking-features [Accessed on 23 July 2011]

Paul,

I.

(2011).

Can

Facebook

learn

from

Apple

[online]

Available

at

http://www.pcworld.com/article/216991/can_facebook_learn_from_apple.html [Accessed on
17 July 2011]
Pingdom (2010). Exploring the software behind Facebook, the worlds largest site [online]
Available

at

http://royal.pingdom.com/2010/06/18/the-software-behind-facebook/

[Accessed

on

Programmable

Web(2010).

Facebook

August

API

[online]

2011]

Available

at

http://www.programmableweb.com/api/facebook [Accessed on 23 June 2011]

Rasmussen , G.T. (2005) Building a Security Awareness Program - Addressing The Threat
From

Within

-.

CyberGuard

Corporation.

[online]

Available

at:

http://www.gideonrasmussen.com/article-01.html [Accessed on 12 June 2011]

Rosedale, P.(2011) Philip Rosedale, Creator of Second Life [video online] Available at :
http://www.youtube.com/watch?v=C04wwLjJ0os [Accessed on 23 July 2011]

109

Ryze (2011). About Ryze [online] Available at: http://www.ryze.com/faq.php [Accessed on


19 June 2011]

Sengupta, S.(2011). New Control over privacy on Facebook [online] Available at :


http://www.nytimes.com/2011/08/24/technology/facebook-aims-to-simplify-its-privacysettings.html?_r=1&ref=todayspaper

Serrat,

O.

(2009).

Social

[Accessed

Network

on

Analysis

24

August

[online]

2011]

Available

at:

http://www.adb.org/Documents/Information/Knowledge-Solutions/Social-NetworkAnalysis.pdf [Accessed on 2 July 2011]

Sharma, P. (2011). Core Characteristics of Web 2.0 services [online] Available at :


http://www.techpluto.com/web-20-services/ [Accessed on 10 July 2011]

Sheppard,

Z.(2010).

Flickr

blog

5,000,000,000

[online]

Available

at

http://blog.flickr.net/en/2010/09/19/5000000000/ [Accessed on 12 August 2011]

Shin, D-H., (2010). The effects of trust, security and privacy in social networking: A security
based approach to understand the pattern of adoption. Interacting with Computers. 22, p428438

Sophos (2007). Sophos Facebook ID probe shows 41% of users happy to reveal all to
potential

identity

thieves

[online]

Available

at

http://www.sophos.com/pressoffice/news/articles/2007/08/facebook.html [accessed on 21
January 2011]

Sophos

(2011).

Sophos

Security

Threat

Report

2011

[online]

Available

at:

http://www.sophos.com/medialibrary/Gated%20Assets/white%20papers/sophossecuritythreat
report2011wpna.pdf [Accessed on 15 August 2011]

110

Stanford GSB (2010). Social Networks Impact the Drugs Physicians Prescribe [online]
Available at: http://www.gsb.stanford.edu/news/research/mktg_nair_drugs.shtml [Accessed
on 7 August 2011]

Tavilla, E.(2011). Western Europe Social Network Usage. eMarketer Inc.

TechTarget (2011). Personally identifiable information. [online] (last updated on January


2008) Available at : http://searchfinancialsecurity.techtarget.com/definition/personallyidentifiable-information [Accessed on 8 August 2011]

TG

Daily

(2010).

Twitter

adds

location

tagging

[online]

Available

at

http://www.tgdaily.com/software-features/50212-twitter-adds-location-tagging [Accessed on
17 July 2011]

TrendMicro(2011).

February

2011

Threat

Roundup

[online]

Available

at

http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/14_february
_2011_threat_roundup__030811_.pdf [Accessed on 6 August 2011]

Turkle, S. (1995). Life on the screen: Identity in the age of the Internet. New York: Simon &
Schuster

USA.Gov(2011). Social Networks and Government [online] (last updated on 15th July 2011)
Available at : http://www.usa.gov/webcontent/technology/social_networks.shtml [Accessed
on 22 July 2011]

Vester, F.(1998). Denken, Lernen, Vergessen. German DTV Paperback

Wallop, H. (2011). Japan Earthquake: How Twitter and Facebook helped. The Telegraph.
[online]

Available

at:

http://www.telegraph.co.uk/technology/twitter/8379101/Japan-

earthquake-how-Twitter-and-Facebook-helped.html [Accessed on 20 June 2011]

111

Walsh, M. (2009). eMarketer:U.S. Social Network Users to grow 44% by 2013.


[online]Available

at:

http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=100485
[Accessed on 30 June 2011]

Walsh, S. (2011). Top 5 Reasons Why Spammers Love Social Networking [online]
Available:

http://www.allspammedup.com/2011/08/top-5-reasons-why-spammers-love-

social-networking/ [Accessed on 5 August 2011]

Wilson, M., Hash, J. (2003). Building an Information Technology Security Awareness and
Training Program. NIST Special Publications 800-50

Wellman, B. and Gulia, M. (1995) Virtual communities as communities: net surfers dont
ride alone, in Smith, M. and Kollock, P. (Eds.): Communities in Cyberspace, Routledge,
London, UK.

Wondracek, G., Holz, T., Kirda, E., Krueguel, C., (2010). A Practical Attack to Deanonymize Social Network Users. 2010 IEEE Symposium on Security and Privacy(SP).p
223-238. doi: 10.1109/SP.2010.21

Yenisey, M.M., Ozok, A.A., Salvendy, G., (2005). Perceived security determinants in ecommerce among Turkish University students. Behaviour and Information Technology.
24(4), p259-274.

Zang, L., Tu, W.(2009). Six Degrees of Separation in Online Society. In: Proceedings of Web
Sci09:Society On-Line. 18-20 March,2009,Athens,Greece

112

APPENDIX 1
Question Screenshots

Question 1:

Question 2:

Question 3:

Question 4:

Question 5:

Question 6:

Question 7:

Question 8:

APPENDIX 2
Source Code for the game in JavaScript format
/********************************************************/
// Chico.js
/********************************************************/

// Results Screen vars


var g_strPlayer = "chico";
var g_arrResults = new Array();
var g_oQuizResults = new Object();
g_oQuizResults.oOptions = new Object();

// Browser Sniffing
var IE = ((document.all)&&(navigator.appVersion.indexOf("MSIE")!=-1)) ? true : false;

var IE6 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 6.")!=-1)) ? true : false;

var FF = (navigator.userAgent.indexOf("Firefox")!=-1) ? true : false;

var Opera = (navigator.userAgent.indexOf("Opera")!=-1) ? true : false;

// IE on Windows XP SP2: the "SV1" token must follow "MSIE" in the user agent.
// indexOf() returns -1 (a truthy value) when a token is absent, so compare against -1 explicitly.
var IESP2 = ((window.navigator.userAgent.indexOf("MSIE") != -1) && window.navigator.userAgent.indexOf("SV1") > window.navigator.userAgent.indexOf("MSIE"));

var Safari3 = (navigator.appVersion.indexOf("Safari") != -1 && navigator.appVersion.indexOf("Version/3") != -1);

// Netscape 6 and later report an appVersion of 5.0 or higher
var NS6plus = (parseFloat(navigator.appVersion) >= 5 && navigator.appName.indexOf("Netscape")>=0 )? true: false;

var NS7_2Plus = false;
var Mozilla1_7Plus = false;

var g_bLMSPresent = false;

// Message Delimiters
var g_strDelim = "|~|";
var g_strInteractionDelim = "|#|";

// Find the version of NS or Mozilla


if (NS6plus)
{
var nPos = 0;
var strUserAgent = navigator.userAgent;
var nReleaseDate = 0;

strUserAgent = strUserAgent.toLowerCase();
nPos = strUserAgent.indexOf("gecko/");

if(nPos >= 0)
{
var strTemp = strUserAgent.substr(nPos + 6);
nReleaseDate = parseFloat(strTemp);
}

if (strUserAgent.indexOf("netscape") >= 0)
{
if (nReleaseDate >= 20040804)
{
NS7_2Plus = true;
}
}
else
{
if (nReleaseDate >= 20040616)
{

Mozilla1_7Plus = true;
}
}
}

// Operating System Detection
var isLinux = (navigator.userAgent.indexOf("Linux") != -1);
// isMac must be assigned before isWindows reads it
var isMac = (navigator.appVersion.indexOf("Mac")!=-1) ? true : false;
var isWindows = (!isMac && !isLinux);

var g_bUseFSCommand = (!Opera && !isLinux && !isMac);

// LMS Support
if (g_bLMS)
{
document.write("<SCR" + "IPT LANGUAGE='JavaScript1.2' SRC='lms/lms.js' TYPE='text/javascript'><\/SCR" + "IPT>");
}

if (g_bAOSupport)
{
document.write("<SCR" + "IPT LANGUAGE='JavaScript1.2' SRC='" + g_strContentFolder + "/AOComm.js' TYPE='text/javascript'><\/SCR" + "IPT>");
}

function WriteSwfObject(strSwfFile, nWidth, nHeight, strScale, strAlign, strQuality, strBgColor, bCaptureRC, strFlashVars)
{
var strHtml = "";
var strWMode = "Window";

if (strScale == "show all")
{
nWidth = "100%";
nHeight = "100%";
}

// Lets the player know the html container is there


if (strFlashVars == "")
{
strFlashVars += "vHtmlContainer=true";
}
else
{
strFlashVars += "&vHtmlContainer=true";
}

if (bCaptureRC)
{
strFlashVars += "&vCaptureRC=true";
strWMode = "Opaque";
}

// Are we loaded in IE
var bDelim = IE;
if (!IE)
{
if (navigator.plugins["Shockwave Flash"])
{
var arrTemp = navigator.plugins["Shockwave Flash"].description.split(" ");
var arrVersion = arrTemp[2].split(".");
if (parseInt(arrVersion[0]) >= 10 && parseInt(arrVersion[1]) >= 2)
{
bDelim = true;
}
}
}
strFlashVars += "&vIE=" + bDelim;

// Does the browser support FSCommand


strFlashVars += "&vUseFSCommand=" + g_bUseFSCommand;

// Whether or not we are loaded by an LMS


strFlashVars += "&vLMSPresent=" + g_bLMSPresent;

// Whether or not we are loaded by AO


strFlashVars += "&vAOSupport=" + g_bAOSupport;

// The saved resume data


if (g_bLMSPresent)
{
var strResumeData = lmsAPI.GetDataChunk();

strFlashVars += "&vResumeData=" + encodeURI(strResumeData);


}

var strLocProtocol = location.protocol;

if (strLocProtocol.indexOf("file") >= 0)
{
strLocProtocol = "http:";
}

strHtml += "<div style='width:" + nWidth + "; height:" + nHeight + ";' id='fc'>";
strHtml += "<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' codebase='" + strLocProtocol + "//fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,79,0' width='" + nWidth + "' height='" + nHeight + "' align='" + strAlign + "' id='player'>";
strHtml += "<param name='scale' value='" + strScale + "' />";
strHtml += "<param name='movie' value='" + strSwfFile + "' />";
strHtml += "<param name='quality' value='" + strQuality + "' />";
strHtml += "<param name='bgcolor' value='" + strBgColor + "' />";
strHtml += "<param name='flashvars' value='" + strFlashVars + "' />";
strHtml += "<param name='wmode' value='" + strWMode + "'/>";
strHtml += "<embed id='player' name='player' wmode='" + strWMode + "' src='" +
strSwfFile +"' flashvars='" + strFlashVars + "' scale='" + strScale + "' quality='" + strQuality
+ "' bgcolor='" + strBgColor + "' width='" + nWidth + "' height='" + nHeight + "' align='" +
strAlign + "' swLiveConnect='true' type='application/x-shockwave-flash' pluginspage='" +
strLocProtocol + "//www.macromedia.com/go/getflashplayer' />";
strHtml += "</object>";
strHtml += "</div>";

document.write(strHtml);
}

function CloseWindow()
{
top.window.close();
}

function player_DoJSCommand(command, args)


{
var strCommand = command;
var strArgs = ReplaceAll(args, "|$|", "%");

player_DoFSCommand(strCommand, strArgs)
}

function ReplaceAll(strTarget, strChar, strNew)


{
var arrRemoved = strTarget.split(strChar);

return arrRemoved.join(strNew);
}

var g_wndLast;

function player_DoFSCommand(command, args)


{
args = String(args);
command = String(command);

var arrArgs = args.split(g_strDelim);

switch (command)
{
case "CC_Restore_Focus":
var bFocus = true;
if (g_wndLast)
{
try
{
if (g_wndLast.document.hasFocus)
{
bFocus = !g_wndLast.document.hasFocus();
}

}
catch (e)
{
bFocus = false;
}
}

if (bFocus)
{
player.focus();
}
break;
case "ART_DebugLms":
lmsAPI.ShowDebugWindow();
break;

case "CC_SetInteractionDelim":
g_strInteractionDelim = args;
break;

case "CC_SetDelim":
g_strDelim = args;
break;

case "CC_ZoomImage":
PopZoomImage(arrArgs[0], arrArgs[1], arrArgs[2], arrArgs[3], arrArgs[4], arrArgs[5], arrArgs[6], arrArgs[7], arrArgs[8], arrArgs[9]);
break;

case "CC_StoreQuestionResult":
StoreQuestionResult(parseFloat(arrArgs[0]), arrArgs[1], arrArgs[2], arrArgs[3], arrArgs[4], arrArgs[5], arrArgs[6], arrArgs[7], arrArgs[8], arrArgs[9]);
break;

case "CC_StoreQuizResult":
g_oQuizResults.dtmFinished = new Date();
g_oQuizResults.strResult = arrArgs[0];
g_oQuizResults.strScore = arrArgs[1];
g_oQuizResults.strPassingScore = arrArgs[2];
g_oQuizResults.strMinScore = arrArgs[3];
g_oQuizResults.strMaxScore = arrArgs[4];
g_oQuizResults.strPtScore = arrArgs[5];
g_oQuizResults.strPtMax = arrArgs[6];
g_oQuizResults.strTitle = arrArgs[7];
break;

case "CC_PrintResults":
g_oQuizResults.oOptions.bShowUserScore = (arrArgs[0] == "true");
g_oQuizResults.oOptions.bShowPassingScore = (arrArgs[1] == "true");
g_oQuizResults.oOptions.bShowShowPassFail = (arrArgs[2] == "true");
g_oQuizResults.oOptions.bShowQuizReview = (arrArgs[3] == "true");
g_oQuizResults.oOptions.strResult = arrArgs[4];
g_oQuizResults.oOptions.strName = arrArgs[5];
g_wndLast = window.open(GetBasePath() + g_strContentFolder +
"/report.html", "Reports")
break;

case "CC_EmailResults":
g_oQuizResults.oOptions.bShowUserScore = (arrArgs[0] == "true");
g_oQuizResults.oOptions.bShowPassingScore = (arrArgs[1] == "true");
g_oQuizResults.oOptions.bShowShowPassFail = (arrArgs[2] == "true");
g_oQuizResults.oOptions.bShowQuizReview = (arrArgs[3] == "true");
g_oQuizResults.oOptions.strResult = arrArgs[4];
g_oQuizResults.oOptions.strName = arrArgs[5];

EmailResults(arrArgs[6]);
break;

case "CC_OpenUrl":
OpenUrl(arrArgs[0], arrArgs[1], arrArgs[2], arrArgs[3], arrArgs[4],
arrArgs[5], arrArgs[6], arrArgs[7],
arrArgs[8], arrArgs[9], arrArgs[10], arrArgs[11],
arrArgs[12], arrArgs[13]);
break;

case "CC_OpenVideo":
OpenVideo(arrArgs[0], arrArgs[1], arrArgs[2], arrArgs[3], arrArgs[4],
arrArgs[5], arrArgs[6], arrArgs[7],
arrArgs[8], arrArgs[9], arrArgs[10], arrArgs[11],
arrArgs[12], arrArgs[13]);
break;

case "CC_ClosePlayer":
if (!g_bLMS)
{
if (FF)
{
// Pass the function itself rather than a string that would be evaluated as code
setTimeout(CloseWindow, 100);
}
else
{
CloseWindow();
}
}
break;

default:
// alert(command);
break;
}

if (g_bLMS)
{
lms_DoFSCommand(command, args);
}

if (g_bAOSupport)
{
AO_DoFSCommand(command, args)
}
}

////////////////////////////////////////////////////////////////////////////////
// Print Results methods
////////////////////////////////////////////////////////////////////////////////

function QuestionResult(nQuestionNum, strQuestion, strResult, strCorrectResponse, strStudentResponse, nPoints, strInteractionId, strObjectiveId, strType, strLatency)
{
if (nPoints < 0)
{
nPoints = 0;
}
if (strCorrectResponse == "")
{
strCorrectResponse = "&nbsp;";
}

this.nQuestionNum = nQuestionNum
this.strQuestion = strQuestion;
this.strCorrectResponse = strCorrectResponse;
this.strStudentResponse = strStudentResponse;
this.strResult = strResult;
this.nPoints = nPoints;
this.bFound = false;
this.dtmFinished = new Date();
this.strInteractionId = strInteractionId;
this.strObjectiveId = strObjectiveId;
this.strType = strType;
this.strLatency = strLatency;
}

function StoreQuestionResult(nQuestionNum, strQuestion, strResult, strCorrectResponse, strStudentResponse, nPoints, strInteractionId, strObjectiveId, strType, strLatency)
{
var oQuestionResult = new QuestionResult(nQuestionNum, strQuestion, strResult, strCorrectResponse, strStudentResponse, nPoints, strInteractionId, strObjectiveId, strType, strLatency);
var nIndex = g_arrResults.length;

// Let's see if we have answered the question before
for (var i = 0; i < g_arrResults.length; i++)
{
if (g_arrResults[i].nQuestionNum == oQuestionResult.nQuestionNum && strQuestion == g_arrResults[i].strQuestion)
{
nIndex = i;
break;
}
}

g_arrResults[nIndex] = oQuestionResult;
}

////////////////////////////////////////////////////////////////////////////////
// Gets the base path
////////////////////////////////////////////////////////////////////////////////

function GetBasePath()
{
var strFullPath = document.location.href;
var nPosHash = strFullPath.indexOf("#");
if (nPosHash > 0)
{
strFullPath = strFullPath.substring(0, nPosHash);
}
var nPos1 = -1;
var nPos2 = -1;

nPos1 = strFullPath.lastIndexOf("\\");

nPos2 = strFullPath.lastIndexOf("/");

if (nPos2 > nPos1)


{
nPos1 = nPos2;
}

if (nPos1 >= 0)
{
strFullPath = strFullPath.substring(0, nPos1 + 1);
}

return(strFullPath);
}

////////////////////////////////////////////////////////////////////////////////
// Email Results
////////////////////////////////////////////////////////////////////////////////

function EmailResults(strAddress)
{
if (!g_oQuizResults.strTitle)
{
g_oQuizResults.strTitle = "";
}

var g_strSubject = "Quiz Results: " + g_oQuizResults.strTitle;
var strQuizResults = "";
var strMainHeader = " " + g_oQuizResults.strTitle + "\nStatus, Raw Score, Passing Score, Max Score, Min Score, Time\n";
var strLineHeader = "\n\nDate, Time, Score, Interaction ID, Objective Id, Interaction Type, Student Response, Result, Weight, Latency\n";
var strMainData = "\n";
var strLineData = "\n";

// Status
strMainData += g_oQuizResults.strResult + ",";

// Score
// strMainData += g_oQuizResults.strScore + ",";

// Raw Score
strMainData += g_oQuizResults.strPtScore + ",";

// Passing Score (the passing percentage converted to points)
strMainData += Math.round((g_oQuizResults.strPassingScore/100) * g_oQuizResults.strPtMax) + ",";

// Max Score
strMainData += g_oQuizResults.strPtMax + ",";

// Min Score
strMainData += 0 + ",";

// Time
strMainData += GetTime(g_oQuizResults.dtmFinished);

for (var i = 0; i < g_arrResults.length; i++)


{
//Date
strLineData += GetDate(g_arrResults[i].dtmFinished) + ",";

// Time
strLineData += GetTime(g_arrResults[i].dtmFinished) + ",";

// Score
strLineData += g_arrResults[i].nPoints + ",";

// Interaction Id
strLineData += g_arrResults[i].strInteractionId + ",";

// Objective Id
strLineData += g_arrResults[i].strObjectiveId + ",";

// Interaction Type
strLineData += g_arrResults[i].strType + ",";

// Student Response
var strResponse = g_arrResults[i].strStudentResponse;
strResponse = ReplaceAll(strResponse, "'", "%27");
strLineData += strResponse + ",";

// Result
strLineData += g_arrResults[i].strResult + ",";

// Weight
strLineData += "1,";

// Latency
strLineData += g_arrResults[i].strLatency;

strLineData += "\n";
}

strQuizResults = strMainHeader + strMainData + strLineHeader + strLineData;

var sHTML = "";


sHTML += '<FORM id="formQuiz" method="POST" action="mailto:' + strAddress
+ '?subject=' + g_strSubject + '" enctype="text/plain">';
sHTML += '<INPUT TYPE="hidden" NAME="Quiz Results" VALUE=\'' +
strQuizResults + '\'>';
sHTML += '<br><input type="submit"><br>';
sHTML += '</FORM>';
document.getElementById("divEmail").innerHTML = sHTML;
document.getElementById("formQuiz").submit();
}

////////////////////////////////////////////////////////////////////////////////
// Get Time
////////////////////////////////////////////////////////////////////////////////
function GetTime(dtmDate)
{
var strResult = "";
var nHours = dtmDate.getHours();
var strAM = "am";
var nMinutes = dtmDate.getMinutes();
var strMinutes = "" + nMinutes;
var nSeconds = dtmDate.getSeconds();
var strSeconds = "" + nSeconds;

if (nMinutes < 10)
{
strMinutes = "0" + nMinutes;
}

if (nSeconds < 10)
{
strSeconds = "0" + nSeconds;
}

strResult = nHours + ":" + strMinutes + ":" + strSeconds;

return strResult;
}

function GetDate(dtmDate)
{
var strResult = "";

strResult = (dtmDate.getMonth() + 1) + "/" + dtmDate.getDate() + "/" +


dtmDate.getFullYear();

return strResult;
}

////////////////////////////////////////////////////////////////////////////////
// Browser Resize
////////////////////////////////////////////////////////////////////////////////
var g_nWindowWidth = 0;
var g_nWindowHeight = 0;
var g_nSizeInterval = null;
var g_nIntervalCount = 0;

function ResizeBrowser(strBrowserSize)
{
switch (strBrowserSize)
{
case "fullscreen":
ResizeFullScreen();
break;
case "optimal":
ResizeOptimal();
break;
}
}

function ResizeFullScreen()
{
top.moveTo(0, 0);
top.window.resizeTo(screen.availWidth, screen.availHeight);
}

function ResizeOptimal()
{
var nFrameWidth = 0;
var nFrameHeight = 0;
var nXPos = GetXPos();
var nYPos = GetYPos();
var bMove = false;

g_nWindowWidth = g_nWidth + 30;
g_nWindowHeight = g_nHeight + 30;

if (screen.availWidth > g_nWindowWidth && screen.availHeight > g_nWindowHeight)
{
if (GetContentWidth() != g_nWidth || GetContentHeight() != g_nHeight)
{
// First we need to reposition the browser so that it can actually grow to the appropriate size.
// When positioning, we will overestimate the browser height by 160 if possible to accommodate the toolbar and statusbar
if (nXPos + g_nWindowWidth > screen.availWidth)
{
bMove = true;
nXPos = screen.availWidth - g_nWindowWidth - 5;
}

if (nYPos + g_nWindowHeight + 160 > screen.availHeight)
{
bMove = true;
nYPos = screen.availHeight - g_nWindowHeight - 165;
}

if (nXPos < 0)
{
nXPos = 0;
}
if (nYPos < 0)
{
nYPos = 0;
}

if (bMove)
{
top.window.moveTo(nXPos, nYPos);
}

// Resize the window so we know what the actual size is
top.window.resizeTo(g_nWindowWidth, g_nWindowHeight);

// Since we know the actual browser size, and we can query the client dim, let's get the frame dim
nFrameWidth = (g_nWindowWidth) - GetContentWidth();
nFrameHeight = (g_nWindowHeight) - GetContentHeight();

// Now let's resize it to the correct size
g_nWindowWidth = g_nWidth + nFrameWidth;
g_nWindowHeight = g_nHeight + nFrameHeight;

top.window.resizeTo(g_nWindowWidth, g_nWindowHeight);

if (IE)
{
// ok, sometimes there is a third party toolbar that doesn't load until after we have finished resizing everything, so we will do a check for this (this only seems to affect IE, FF behaves correctly)
g_nSizeInterval = setInterval(CheckSize, 500);
}
}
}
else
{
// If the screen isn't big enough, we are bailing and defaulting to Full Screen
ResizeFullScreen();
}
}

function CheckSize()
{
var nContentWidth = GetContentWidth();
var nContentHeight = GetContentHeight();
var nFrameWidth = 0;
var nFrameHeight = 0;

g_nIntervalCount++;

if (nContentWidth != g_nWidth || nContentHeight != g_nHeight)


{
nFrameWidth = g_nWindowWidth - nContentWidth;
nFrameHeight = g_nWindowHeight - nContentHeight;

g_nWindowWidth = g_nWidth + nFrameWidth;


g_nWindowHeight = g_nHeight + nFrameHeight;

top.window.resizeTo(g_nWindowWidth, g_nWindowHeight);
clearInterval(g_nSizeInterval);
}

if (g_nIntervalCount > 4)
{
clearInterval(g_nSizeInterval);
}
}

function GetContentWidth()
{

var nResult = 0;

if (IE || Safari3)
{
nResult = document.body.clientWidth;
}
else
{
nResult = window.innerWidth;
}

return nResult;
}

function GetContentHeight()
{
var nResult = 0;

if (IE || Safari3)
{
nResult = document.body.clientHeight;
}
else
{
nResult = window.innerHeight;
}

return nResult;
}

function GetXPos()

{
var nResult = 0;

if (IE)
{
nResult = window.screenLeft;
}
else
{
nResult = window.screenX;
}

return nResult;
}

function GetYPos()
{
var nResult = 0;

if (IE)
{
nResult = window.screenTop;
}
else
{
nResult = window.screenY;
}

return nResult;
}

////////////////////////////////////////////////////////////////////////////////
// Open Url
////////////////////////////////////////////////////////////////////////////////
function OpenUrl(strUrl, strWindow, strWindowSize, strWidth, strHeight, strUseDefaultControls, strStatus, strToolbar, strLocation, strMenubar, strScrollbars, strResizable)
{

var nWndWidth = parseInt(strWidth);


var nWndHeight = parseInt(strHeight);
var bUseDefaultSize = (strWindowSize.toLowerCase() == "default");
var bUseDefaultControls = (strUseDefaultControls.toLowerCase() == "true");
var bFullScreen = (strWindowSize.toLowerCase() == "fullscreen");

strUrl = ReplaceAll(strUrl, "%25", "?");

if (bFullScreen)
{
nWndWidth = screen.availWidth;
nWndHeight = screen.availHeight;
}
else
{
if (nWndWidth > screen.availWidth)
{
nWndWidth = screen.availWidth;
}

if (nWndHeight > screen.availHeight)
{
nWndHeight = screen.availHeight;
}
}

var strOptions = "";

if (!bUseDefaultControls)
{
if (!bUseDefaultSize)
{
strOptions += "width=" + nWndWidth + ", ";
strOptions += "height=" + nWndHeight + ", ";
}

strOptions += "status=" + ((strStatus.toLowerCase() == "true") ? 1 : 0);
strOptions += ", toolbar=" + ((strToolbar.toLowerCase() == "true") ? 1 : 0);
strOptions += ", location=" + ((strLocation.toLowerCase() == "true") ? 1 : 0);
strOptions += ", menubar=" + ((strMenubar.toLowerCase() == "true") ? 1 : 0);
strOptions += ", scrollbars=" + ((strScrollbars.toLowerCase() == "true") ? 1 : 0);
strOptions += ", resizable=" + ((strResizable.toLowerCase() == "true") ? 1 : 0);
}

var oNewWnd;

if (bUseDefaultSize && bUseDefaultControls)
{
g_wndLast = window.open(strUrl, strWindow);
}
else if (bUseDefaultControls)
{
if (IE)
{
try
{
oNewWnd = window.open(GetBasePath() + g_strContentFolder + "/blank.html", strWindow);

if (bFullScreen)
{
oNewWnd.moveTo(0, 0);
}

oNewWnd.resizeTo(nWndWidth, nWndHeight);
oNewWnd.document.location = strUrl;
}
catch (e) {};
}
else
{
oNewWnd = window.open(strUrl, strWindow);
oNewWnd.resizeTo(nWndWidth, nWndHeight);
}

g_wndLast = oNewWnd;
}
else
{
try
{
oNewWnd = window.open(strUrl, strWindow, strOptions);

g_wndLast = oNewWnd;
}
catch (e) {}
}

if (bFullScreen && !(bUseDefaultControls && IE))
{
try
{
oNewWnd.moveTo(0, 0);
}
catch (e) {};
}
}

////////////////////////////////////////////////////////////////////////////////
// Video
////////////////////////////////////////////////////////////////////////////////
function OpenVideo(strUrl, strWndWidth, strWndHeight, strVidWidth, strVidHeight,
strDuration, strPlaybar, strAutoPlay,
strStatus, strToolbar, strLocation, strMenubar,
strScrollbars, strResizable)
{
var nWndWidth = parseInt(strWndWidth);
var nWndHeight = parseInt(strWndHeight);

var strSearch = "exUrl=" + strUrl +
"&exWndWidth=" + strWndWidth +
"&exWndHeight=" + strWndHeight +
"&exWidth=" + strVidWidth +
"&exHeight=" + strVidHeight +
"&exDuration=" + strDuration +
"&exPlaybar=" + strPlaybar +
"&exAutoPlay=" + strAutoPlay;

if (nWndWidth > screen.availWidth)
{
nWndWidth = screen.availWidth;
}

if (nWndHeight > screen.availHeight)
{
nWndHeight = screen.availHeight;
}

var strOptions = "";

strOptions += "width=" + nWndWidth;
strOptions += ", height=" + nWndHeight;
strOptions += ", status=" + ((strStatus.toLowerCase() == "true") ? 1 : 0);
strOptions += ", toolbar=" + ((strToolbar.toLowerCase() == "true") ? 1 : 0);
strOptions += ", location=" + ((strLocation.toLowerCase() == "true") ? 1 : 0);
strOptions += ", menubar=" + ((strMenubar.toLowerCase() == "true") ? 1 : 0);
strOptions += ", scrollbars=" + ((strScrollbars.toLowerCase() == "true") ? 1 : 0);
strOptions += ", resizable=" + ((strResizable.toLowerCase() == "true") ? 1 : 0);

if (g_wndZoom)
{
try
{

g_wndZoom.close()
}
catch (e)
{
}
}

var nXPos = 0;
var nYPos = 0;
var nWidth = screen.availWidth;
var nHeight = screen.availHeight;

if (window.screenX != undefined)
{
nXPos = window.screenX;
nYPos = window.screenY;
nWidth = window.innerWidth;
nHeight = window.innerHeight;
}
else if (window.screenLeft != undefined)
{
nXPos = window.screenLeft;
nYPos = window.screenTop;
nWidth = document.body.offsetWidth;
nHeight = document.body.offsetHeight;
}

strOptions += ", left=" + (nXPos + (nWidth - nWndWidth)/2);
strOptions += ", screenX=" + (nXPos + (nWidth - nWndWidth)/2);
strOptions += ", top=" + (nYPos + (nHeight - nWndHeight)/2);
strOptions += ", screenY=" + (nYPos + (nHeight - nWndHeight)/2);

g_wndZoom = window.open(GetBasePath() + g_strContentFolder + "/VideoPlayer.html?" + strSearch, "Video", strOptions);

g_wndLast = g_wndZoom;
}

////////////////////////////////////////////////////////////////////////////////
// Zoom
////////////////////////////////////////////////////////////////////////////////

var g_oZoomInfo = new Object();
var g_wndZoom;

function PopZoomImage(strFileName, nWidth, nHeight, strStatus, strToolbar, strLocation,
strMenubar, strScrollbars, strResizable)
{
var strScroll = "0";
g_oZoomInfo.strContentFolder = g_strContentFolder;
g_oZoomInfo.strFileName = strFileName;
g_oZoomInfo.nWidth = parseInt(nWidth);
g_oZoomInfo.nHeight = parseInt(nHeight);

if (g_oZoomInfo.nWidth > screen.availWidth)
{
g_oZoomInfo.nWidth = screen.availWidth;
strScroll = "1";
}

if (g_oZoomInfo.nHeight > screen.availHeight)
{
g_oZoomInfo.nHeight = screen.availHeight;
strScroll = "1";
}

var strOptions = "";

strOptions += "width=" + g_oZoomInfo.nWidth;
strOptions += ", height=" + g_oZoomInfo.nHeight;
strOptions += ", status=" + ((strStatus.toLowerCase() == "true") ? 1 : 0);
strOptions += ", toolbar=" + ((strToolbar.toLowerCase() == "true") ? 1 : 0);
strOptions += ", location=" + ((strLocation.toLowerCase() == "true") ? 1 : 0);
strOptions += ", menubar=" + ((strMenubar.toLowerCase() == "true") ? 1 : 0);
strOptions += ", scrollbars=" + ((strScrollbars.toLowerCase() == "true") ? 1 : 0);
strOptions += ", resizable=" + ((strResizable.toLowerCase() == "true") ? 1 : 0);

if (g_wndZoom)
{
try
{
g_wndZoom.close()
}
catch (e)
{
}
}

g_wndZoom = window.open(GetBasePath() + g_strContentFolder + "/zoom.html",
"Zoom", strOptions);
g_wndLast = g_wndZoom;
}

var g_bCloseExecuted = false;

function DoOnClose()
{
if (!g_bCloseExecuted)
{
g_bCloseExecuted = true;

if (g_bAOSupport)
{
PostResultsOnUnload()
}
}
}
