15 years ago, we learned that Johnny couldn't encrypt...
And we were shocked.
And confused.
And, just, sad.
We've spent the years since understanding why.
We've found at least three barriers inhibiting Johnny:
Johnny may not be aware of security threats or security tools.
(What is PGP? Or two-factor authentication?)
Johnny may not be motivated to use these tools to protect himself.
(Who would want to "hack" me?)
Johnny does not have the knowledge to use security tools.
(How would I encrypt e-mail, anyway?)
In other words, Johnny may have low security sensitivity.
We've used this understanding to do better.
But security sensitivity is still low.
What are we missing?
The Effect of Social Influence on Security Sensitivity
Core Observation
Introduction
We know that social influence is hugely important in the adoption of technology.
We know that social influence can be powerfully effective at driving human behavior.
Yet, we know little about how social processes affect security sensitivity.
To explore this possibility, we set out to answer two questions:
Research Questions
Q1
What role does social influence play in security related behavior changes?
Q2
How and under what circumstances do people communicate about security and privacy?
To answer these questions, we conducted an interview study.
Method
We recruited:
Method > Demographics
For Q1, we asked about specific instances of security related behavior changes.
Method > Semi-Structured Interview
For Q2, we asked about specific conversations they had about privacy or security.
3 Major Findings
Finding 1
Social influence often triggered security related behavior changes by modulating security sensitivity.
Finding 1: Behaviors
Almost all of our participants made at least one change because of a social trigger.
Almost half of all security related changes were made because of a social trigger.
What is a social trigger?
A social process that was explicitly stated to be the root of a behavior change.
“When I first had a smartphone I didn’t have a code, but then I started using one because everyone around me I guess had a code so I kind of felt a group pressure to also use a code.”—(P6, Male, 29, Programmer)
“Diversification of passwords. I had the same password for every service so I wanted to pick a stronger password”—(P6, Male, 29, Programmer)
We found many distinct social triggers, each effective at modulating security sensitivity.
Observing Friends
“My mother had an iPhone before I did, and she always had the block on hers… I think just because I saw her doing it, it kind of just felt like it was something I had to do too.”—(P3, Female, 22, English Student)
“So when I was an undergrad I’ve been using it since then. And this four digit PIN everybody started using it and it was a hype.”—(P14, Male, 24, IT Graduate Student)
Related to the concept of "social proof"—we look to friends for cues on what to do.
Observing Friends often raised awareness and motivation.
Pranks and Demonstrations
Demonstrations of insecure behavior by friends and loved ones.
“When I was interning…one of my friends and a fellow intern came to my desk and just unlocked my phone. I was surprised...He put it against the sunlight and he saw I guess the smudges my finger left. He just followed the direction. Yeah, he had access to my phone.” —(P18, Male, 20, Engineering student)
Other demonstrations were not intended to be educational—they were pranks.
“If I walk out of the room my friends just put up a funny status...or even just look through my messages or something like that... But once that happens, I usually change my password immediately”—(P19, Male, 20, Anthropology student)
Pranks and demonstrations were very effective at raising motivation.
Social triggers do not necessarily raise security sensitivity—but they do modulate it.
Finding 1: Behaviors > Social Triggers > Negative Social Proof
“I don't think it will be dangerous...Like, my friends...have a lot of different accounts, the same as me. But they didn't get any trouble. So I think maybe it will not be dangerous.”—(P17, Female, 34, House wife)
Back to Q1: What role does social influence play in driving security behaviors?
Finding 1: Behaviors > Summary
Social processes play a pivotal role in modulating security sensitivity.
But, social triggers come from security related interactions or communications, which remain rare.
“That’s one thing I will never talk about.”—(P11, Male, 54, Chef)
“It depends on the context. It does become a boring subject.”—(P9, Male, 30, Programmer)
When do conversations about security or privacy actually occur?
Finding 2
People did not often communicate about security, but did so primarily to teach or to warn.
Finding 2: Communications
Warnings
Conversations focused on raising awareness of a threat that comes into the attention of the conversation initiator.
Cautionary Tales
A warning-type conversation triggered by a security or privacy breach with the goal of warning friends and loved ones about a threat.
The threat was experienced either directly by the conversation initiator or by someone close.
“When I opened the e-mail, it said that they were...in England and they didn’t have enough money to come back to the States so can you send us some money...I was probably the first to contact them that they were hacked. I’m like, ‘This isn’t right. Something strange’”—(P11, Male, 54, Chef)
Targeted Warnings
“I was having a conversation with somebody and they were saying, ‘Don’t you have your passcode on there anymore?’ And I said, ‘No, it’s a pain in the butt.’ And they said, ‘Well, it’d probably be a good idea especially if you like leave it lay around on your desk or something like that…’” (P7, Female, 54, Admin. Assistant)
Teachings
Conversations focused on sharing specific information about good security behaviors to solve an immediate problem or avoid a future threat.
Lectures
Generally one-way conversations where the lecturer informs the listener about good security practices.
Often parents to young children, adult children to parents, or managers to employees.
“I've told them to also use the same features that I do. Like having screen locks for phones and being more careful about passwords. And not logging into public computers and just leaving them without signing out.”—(P8, Male, 31, Accountant)
Social Learning
“One of my co-workers told me about the whole algorithm thing...it just helps you I guess have different passwords...I guess you can...change your algorithm, depending on I guess what you want to be in it. But, ever since, I started using it.”—(P18, male, 22 years old)
Social learning conversations are ideal: curious novices willingly receive advice from experts.
Back to Q2: Under what circumstances do people communicate about security and privacy?
Finding 2: Communications > Summary
People communicate about security and privacy to warn and to teach.
Thus, conversations about privacy and security tended to be educational experiences.
And, these educational conversations often led to heightened security sensitivity.
Observability was again a key driving force for security related conversations.
Finding 3
The observability of security tool usage was a key enabler of socially triggered behavior change and conversation.
Finding 3: Observability
Unfortunately, security and privacy tools are markedly unobservable (often intentionally).
Johnny has little social proof that security is important, and thus has little incentive to care about security.
Conclusion
We presented a retrospective interview study exploring the effects of social processes on modulating security sensitivity.
Our results introduce a typology of social interaction around cybersecurity behavior.
3 Take-Aways
1. Social processes play a pivotal role in modulating security sensitivity and triggering security related behavior change.
2. Conversations about security and privacy are rare, but when they occur, they are primarily to warn or to teach.
3. The observability of security tool usage is a key enabler of socially triggered behavior change and conversation.
We've long overlooked the social forces driving security sensitivity.
Let's start taking these social considerations into account, to give Johnny a stronger reason to care about security.
Acknowledgements
Food for Thought
2. Conversations about security and privacy are rare, but when they occur, they are primarily to warn or to teach.
3. The observability of security tool usage is a key enabler of socially triggered behavior change and conversation.
Extra Slides
We've made learning about security more interesting and accessible to raise awareness.
We've built faster, cooler, and flashier security tools to increase motivation.
We've reduced the knowledge barrier by making security tools usable.
The Effect of social influence on security sensitivity
By Sauvik Das