Understanding how users process security advice - UMD - October 2015
PI(s): Michelle Mazurek
Researchers: Elissa Redmiles, Amelia Malone
HARD PROBLEM(S) ADDRESSED
Human Behavior
PROJECT SUMMARY
People encounter tremendous amounts of cybersecurity advice. It would be impossible to follow all the available advice, so people pick and choose which advice to follow and which to ignore in different circumstances. But the advice they pick is not always the most correct or useful. In this project, we will examine where people encounter security advice, how they evaluate its trustworthiness, and how they decide which advice to follow or reject. We will compare the way users process physical-security advice to the way they process cybersecurity advice. By more scientifically understanding how users interpret the advice they hear, we can try to improve the way advice is disseminated to help users prioritize advice that is effective.
PUBLICATIONS
How I Learned To Be Secure: Advice Sources and Personality Factors in Cybersecurity. Elissa M. Redmiles, Amelia Malone (University of Maryland), and Michelle L. Mazurek. Poster, Symposium on Usable Privacy and Security (SOUPS), July 2015.
ACCOMPLISHMENT HIGHLIGHTS
We updated our protocol based on our pilot interviews and on recent findings in related work. We interviewed an additional 16 participants for a total of 26. All 26 interviews were transcribed and in-depth qualitative coding was performed using the MaxQDA tool. We successfully recruited a wide range of ages, ethnicities, and income levels, as well as several security-sensitive professionals.
Our results indicate that people are generally less confident in assessing the credibility of cybersecurity advice than of physical-security advice. According to one participant, “plausibility is hard to measure with cybersecurity [advice], so it can be harder to believe.” Corporate/work IT departments turn out to be a significant source of trusted advice. Participants elect not to follow advice they know about for a variety of reasons, ranging from inconvenience, to not understanding why the advice is useful, to concerns that the advice will threaten their privacy or is offered as marketing rather than sincerely.
Thus far, it seems that women and older people do not feel they are at special risk online the way they might be in the physical world, a perception which may not be entirely justified.
It's reasonably well known that users don't always apply the most expert-recommended advice, such as using two-factor authentication. We have found evidence that users don't use two-factor authentication partially because they are unaware of it, partially because they don't understand whether it provides a real benefit, and partially because the prospect of giving out a phone number feels intrusive or threatening.
We are currently finalizing our qualitative analysis and developing associated recommendations.