Understanding how users process security advice - UMD - July 2015
Public Audience
PI(s): Michelle Mazurek
Researchers: Elissa Redmiles, Amelia Malone
HARD PROBLEM(S) ADDRESSED
Human Behavior
PROJECT SUMMARY
People encounter tremendous amounts of cybersecurity advice. It would be impossible to follow all the available advice, so people pick and choose which advice to follow and which to ignore, in different circumstances, but the advice they pick is not always the most correct or useful. In this project, we will examine where people encounter security advice, how they evaluate its trustworthiness, and how they decide which advice to follow or reject. We will compare the way users process physical-security advice to the way they process cybersecurity advice. By more scientifically understanding how users interpret the advice they hear, we can try to improve the way advice is disseminated to help users prioritize advice that is actually effective.
PUBLICATIONS
How I Learned To Be Secure: Advice Sources and Personality Factors in Cybersecurity. Elissa M. Redmiles, Amelia Malone (University of Maryland), and Michelle L. Mazurek. Poster, Symposium on Usable Privacy and Security (SOUPS), July 2015.
ACCOMPLISHMENT HIGHLIGHTS
We developed a protocol for initial formative interviews and received IRB approval. We interviewed our first 10 participants and began preliminary qualitative analysis. Thus far, we are meeting our goals for recruiting participants with broad diversity of ages, ethnicities, and income levels. We have successfully recruited several security-sensitive professionals.
Thus far, participants have reported a wider variety of cybersecurity advice sources than physical-security advice sources. While family and media are important sources for both, they are less important for cybersecurity. Authority sources like police are replaced with corporate sources like tips from the user’s bank or Apple. (Negative experiences play a small but significant role in both cases.)
Participants are also less confident about whether cybersecurity advice is trustworthy. According to one participant, “plausibility is hard to measure with cybersecurity [advice], so it can be harder to believe.” Within our small sample size, thus far we have observed (unsurprisingly) that participants with a higher tolerance for risk practice fewer security behaviors overall; we also found that while women and older people report more physical security behaviors than others, they do not report more digital security behaviors. It seems that women and older people do not feel they are at special risk online the way they might be in the physical world, a perception which may not be entirely justified.