The Effect of Social Influence on Security Sensitivity

Sauvik Das {sauvik@cmu.edu}
Tiffany Hyun-Jin Kim {hyunjin@cmu.edu}
Laura Dabbish {dabbish@cmu.edu}
Jason I. Hong {jasonh@cs.cmu.edu}

Three barriers inhibiting lay people from using security and privacy tools:

They may not be aware of security threats or security tools.

(What is PGP? Or two-factor authentication?)

They may not be motivated to use these tools to protect themselves.

(Who would want to "hack" me?)

They may not have the knowledge to use security tools.

(How would I encrypt e-mail, anyway?)

In other words, they may have low security sensitivity.

We've tried hard to fix this in usable security.



What are we missing?

Core Observation

Human beings are social creatures, and the decisions we make about security and privacy should be viewed within the context of a social system.

We know that social influence is hugely important in the adoption of technology.

We know that social influence can be powerfully effective at driving human behavior.

Yet, we know little about how social processes affect security sensitivity.

To explore this possibility, we set out to answer two questions:

Q1

What role does social influence play in security related behavior changes?

Q2

How and under what circumstances do people communicate about security and privacy?

To answer these questions, we conducted an interview study.

We recruited:

19 participants

Age Range: 20—54

A variety of professional backgrounds

7 females

For Q1, we asked about specific instances of security related behavior changes.

For Q2, we asked about specific conversations they had about privacy or security.

2 Major Findings

Finding 1

Social influence often triggered security related behavior changes by modulating security sensitivity.

Almost all of our participants made at least one change because of a social trigger.



Almost half of all security related changes were made because of a social trigger.


What is a social trigger?

A social process that was explicitly stated to be the root of a behavior change.

“When I first had a smartphone I didn’t have a code, but then I started using one because everyone around me I guess had a code so I kind of felt a group pressure to also use a code.”—(P6, Male, 29, Programmer)
“Diversification of passwords. I had the same password for every service so I wanted to pick a stronger password”—(P6, Male, 29, Programmer)

We found many distinct social triggers, each effective at modulating security sensitivity.

Observing Friends

Simply observing others use security features convinces people to use those features themselves.
“My mother had an iPhone before I did, and she always had the block on hers… I think just because I saw her doing it, it kind of just felt like it was something I had to do too.”—(P3, Female, 22, English Student)
“So when I was an undergrad I’ve been using it since then. And this four digit PIN everybody started using it and it was a hype.”—(P14, Male, 24, IT Graduate Student)

Observing Friends often raised awareness and motivation.


Related to the concept of "social proof"—we look to friends for cues on what to do.

Pranks and Demonstrations

Demonstrations of insecure behavior by friends and loved ones.

“If I walk out of the room my friends just put up a funny status...or even just look through my messages or something like that... But once that happens, I usually change my password immediately”—(P19, Male, 20, Anthropology student) 

Pranks and demonstrations were very effective at raising motivation.

Back to Q1: What role does social influence play in driving security behaviors?

Social processes play a pivotal role in modulating security sensitivity.


But, social triggers come from security related interactions or communications, which remain rare.

“That’s one thing I will never talk about.”—(P11, Male, 54, Chef)
“It depends on the context. It does become a boring subject.”—(P9, Male, 30, Programmer)

When do conversations about security or privacy actually occur?

Finding 2

People did not often communicate about security, but did so primarily to teach or to warn.

Warnings

Conversations focused on raising awareness of a threat that comes to the attention of the conversation initiator.

Targeted Warnings

Conversations where the initiator issues a warning about potential threats after observing others engaging in insecure behavior.
“I was having a conversation with somebody and they were saying, ‘Don’t you have your passcode on there anymore?’ And I said, ‘No, it’s a pain in the butt.’ And they said, ‘Well, it’d probably be a good idea especially if you like leave it lay around on your desk or something like that…’” (P7, Female, 54, Admin. Assistant) 

Teachings

Conversations focused on sharing specific information about good security behaviors to solve an immediate problem or avoid a future threat.

Social Learning

Conversation about observed novel security or privacy behaviors or tools. 

Observations by novices lead to questions that allow experts or early adopters to boast about their solutions for solving common security problems.
“One of my co-workers told me about the whole algorithm thing...it just helps you I guess have different passwords...I guess you can...change your algorithm, depending on I guess what you want to be in it. But, ever since, I started using it.”—(P18, male, 22 years old)

Back to Q2: Under what circumstances do people communicate about security and privacy?


People communicate about security and privacy to warn and to teach.

Thus, conversations about privacy and security tended to be educational experiences.

And, these educational conversations often led to heightened security sensitivity.

Observability was again a key driving force for security related conversations.


Discussion & Implications

3 Take-Aways

1. Social processes play a pivotal role in modulating security sensitivity and triggering security related behavior change.

2. Conversations about security and privacy are rare, but when they occur, they are primarily to warn or to teach.

3. The observability of security tool usage is a key enabler of socially triggered behavior change and conversation.

Unfortunately, security and privacy tools are markedly unobservable (often intentionally).

People have little social proof that security is important, and thus have little incentive to care about security.

Acknowledgements

This work was generously sponsored by the NDSEG fellowship, as well as NSF CNS SaTC Award #1347186.

Food for Thought

1. Social processes play a pivotal role in modulating security sensitivity and triggering security related behavior change.

2. Conversations about security and privacy are rare, but when they occur, they are primarily to warn or to teach.


3. The observability of security tool usage is a key enabler of socially triggered behavior change and conversation.

“When I was interning…one of my friends and a fellow intern came to my desk and just unlocked my phone. I was surprised...He put it against the sunlight and he saw I guess the smudges my finger left. He just followed the direction. Yeah, he had access to my phone.” —(P18, Male, 20, Engineering student)

Extra Slides

We've made learning about security more interesting and accessible to raise awareness.

We've built faster, cooler, and flashier security tools to increase motivation.

We've reduced the knowledge barrier by making security tools usable.

15 years ago, we learned that Johnny couldn't encrypt...

(or use any security tool, for that matter)

And we were shocked.

And confused.

And, just, sad.

We've used this understanding to do better.


1. Awareness: Risks/warnings communication.

2. Motivation: Cooler, faster security tools.

3. Knowledge: Usable interfaces.

But security sensitivity is still low.


Abbreviated The Effect of social influence on security sensitivity

By Sauvik Das
