Understanding how Users Process Security Advice - UMD - July 2016
PI(s): Michelle Mazurek
Researchers: Elissa Redmiles, Wei Bai, Shelby Silverstein, Angel Plane, Rock Stevens, Peter Sutor, Candice Schumann, Amy Malone
HARD PROBLEM(S) ADDRESSED
Human Behavior
PROJECT SUMMARY
People encounter a tremendous amount of cybersecurity advice. It would be impossible to follow all the available advice, so people pick and choose which advice to follow and which to ignore in different circumstances. But the advice they pick is not always the most correct or useful. In this project, we examine where people encounter security advice, how they evaluate its trustworthiness, and how they decide which advice to follow or reject. We compare the way users process physical-security advice to the way they process cybersecurity advice. By more scientifically understanding how users interpret the advice they hear, we can try to improve the way advice is disseminated to help users prioritize advice that is effective.
PUBLICATIONS
"I Think They're Trying to Tell Me Something: Advice Sources and Selection for Digital Security." Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek. In Proc. IEEE S&P, May 2016.
"How I Learned To Be Secure: Advice Sources and Personality Factors in Cybersecurity." Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek. Poster, Symposium on Usable Privacy and Security (SOUPS), July 2015.
ACCOMPLISHMENT HIGHLIGHTS
Grad student Elissa Redmiles presented our qualitative study at IEEE S&P, a top security conference. In this study, we interviewed 26 participants from a wide range of ages, ethnicities, and income levels, as well as several security-sensitive professionals. Our results indicate that people are generally less confident in assessing the credibility of cybersecurity vs. physical security advice. According to one participant, “plausibility is hard to measure with cybersecurity [advice], so it can be harder to believe.” Corporate/work IT departments turn out to be a significant source of trusted advice. Participants elect not to follow advice they know about for a variety of reasons, ranging from inconvenience to not understanding why the advice is useful to concerns that the advice will threaten their privacy or is offered as marketing rather than sincerely. The paper received a good response at the conference, including interesting questions during the presentation and many follow-up inquiries.
Grad student Wei Bai presented a poster at SOUPS 2016. This poster discussed our findings that users with stronger web skills behave very slightly more securely than users with weaker web skills, measured via previously validated instruments.
We conducted a large-scale quantitative study to expand and confirm these results. We obtained human-subjects approval from UMD and DoD. We piloted our draft questionnaire using cognitive interviews and finalized the questions. We contracted a sample provider (for a representative sample of U.S. adults), who completed data collection in early April, and completed data analysis in May. This study was submitted to ACM CCS, a top security conference, in late May.
Graduate student Elissa Redmiles received a "data grant" from the Data & Society institute to study security habits of low-SES Americans, in part due to her work on this project. We are using this data in two ways: for comparison with results from our large-scale quantitative survey, and to build a visualization tool that helps software developers recognize the security needs and knowledge gaps of their diverse user base.
As a project for the PI's Spring 2016 course, five students planned and conducted a participatory design workshop for developing entertaining, relatable educational videos to convince viewers to accept software updates. The goals of this workshop were driven by the results of our qualitative study, which suggest that relatable fiction is a strong vehicle for learning security behaviors. This workshop served as a pilot study; a follow-up study that applies participatory design to users recruited in pairs is currently underway. Our goal is to develop a high-quality 5-10 minute storyboard and contract the UMD film club to produce it as a video; we will then evaluate its usefulness for security education.