A Tiered Security System for Mobile Devices

Abstract We have designed a tiered security system for mobile devices where each security tier holds user- defined security triggers and actions. It has a friendly interface that allows users to easily define and configure the different circumstances and actions they need according to context. The system can be set up and activated from any browser or directly on the mobile device itself. When the security system is operated from a Web site or server, its configuration can be readily shared across multiple devices. When operated directly from the mobile device, no server is needed for activation. Many different types of security circumstances and actions can be set up and employed from its tiers. Security circumstances can range from temporary misplacement of a mobile device at home to malicious theft in a hostile region. Security actions can range from ringing a simple alarm to automatically erasing, overwriting, and re-erasing drives.

People and organizations are more likely to provide their computer systems and devices with advanced security systems after they’ve been infected, lost, or stolen, than before. A 1981 study on human judgment and decision-making showed that when people chose between a definite positive result and a stronger but less certain positive result, they chose the definite positive result even though the overall risk was exactly the same for the two choices. But when people chose between a definite negative result and a stronger, but less certain negative result, they chose the less certain negative result even though the two options had the same overall risk1. For example, if a dozen people are given the choice between definitely receiving $250 and a 50 percent chance of receiving $500, they choose the definite $250. But when given the choice between definitely losing $250 and a 50 percent chance of losing $500, they opt for the 50 percent risk of losing the larger amount. The overall risk is the same for both options, but the choice people make differs depending on whether the outcome is positive or negative. This phenomenon of consumer behavior, called the Prospect Theory, is well known to computer security marketing groups. It explains why governments, corporations, and individuals do not invest more heavily in protecting their computer systems and devices. News media regularly circulate information about the tens of millions of cell phones and laptops that are lost and stolen and millions of identity thefts that are performed every year, but they do not convince users and organizations to adequately protect their software and hardware. While most may have some protection, they are often not upgraded regularly, not used, or not used properly. Worldwide expansion in the use of mobile devices has expanded the problems caused by inadequate security. Continuous advancements in the functionality of mobile devices such as smart phones, PDAs, and laptop computers, and the communication between them have given hackers new territory to develop their expertise2, and it is expected that smart phones soon will require the same level of attention to security as desktop computers3. Additionally, as mobile devices become smaller and their memory, their functionality, and the ease of communication between them grows, the number of people using their devices while traveling and telecommuting will continue to increase. This makes the devices and the data they hold more valuable, while at the same time they become more prone to accidental loss and more accessible to intentional theft. The poor usability of the security tools that are available for many mobile devices has been found to make their protection an even bigger problem. Most mobile device security systems are difficult to set up and use and the users of the devices typically are their own system administrators. Consequently, mobile devices that belong to the typical user are less likely to be adequately secured, if at all4. As long as the use and value of mobile devices grow, the need for more sophisticated, easier-to-use security tools will also grow.
To help address these concerns, we designed a security system that helps make it easier for people to protect their mobile computing devices. It is easy to set up and allows users to apply different types of security to different circumstances. It is a tiered protection system where users associate the different types of security with the types of situations in which they are needed. For example, if a user misplaces her laptop at home, she can find it by activating its alarm or using a GPS tracker. If a user accidentally leaves his cell phone in friends’ offices and nobody answers it when he calls, he can trigger it to display a text message that tells them where to reach him when they find it. If a per

…(Full text truncated)…