Understanding how Users Process Security Advice - UMD - October 2016

PI(s): Michelle Mazurek
Researchers: Elissa Redmiles, Wei Bai, Angel Plane, Rock Stevens, Peter Sutor, Candice Schumann, Amy Malone, Sean Kross

HARD PROBLEM(S) ADDRESSED
Human Behavior

PROJECT SUMMARY

People encounter a tremendous amount of cybersecurity advice. It would be impossible to follow all the available advice, so people pick and choose which advice to follow and which to ignore in different circumstances. But the advice they pick is not always the most correct or useful. In this project, we examine where people encounter security advice, how they evaluate its trustworthiness, and how they decide which advice to follow or reject. We compare the way users process physical-security advice to the way they process cybersecurity advice. By understanding more scientifically how users interpret the advice they hear, we can try to improve the way advice is disseminated, helping users prioritize advice that is effective.


PUBLICATIONS

"How I learned to be secure: A census-representative survey of security advice sources and behavior." Elissa M. Redmiles, Sean Kross, and Michelle L. Mazurek. In CCS 2016: ACM Conference on Computer and Communications Security. October 2016.

"I Think They're Trying to Tell Me Something: Advice Sources and Selection for Digital Security." Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek. In Proc. IEEE S&P, May 2016.

"How I Learned To Be Secure: Advice Sources and Personality Factors in Cybersecurity." Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek. Poster, Symposium on Usable Privacy and Security (SOUPS), July 2015.


ACCOMPLISHMENT HIGHLIGHTS

Grad student Elissa Redmiles presented our qualitative study at IEEE S&P, a top security conference. In this study, we interviewed 26 participants from a wide range of ages, ethnicities, and income levels, as well as several security-sensitive professionals. Our results indicate that people are generally less confident in assessing the credibility of cybersecurity advice than of physical-security advice. According to one participant, "plausibility is hard to measure with cybersecurity [advice], so it can be harder to believe." Corporate/work IT departments turn out to be a significant source of trusted advice. Participants elect not to follow advice they know about for a variety of reasons, ranging from inconvenience, to not understanding why the advice is useful, to concerns that the advice will threaten their privacy or is offered as marketing rather than sincerely. The paper received a good response at the conference, including interesting questions during the presentation and many follow-up inquiries.

We conducted a large-scale quantitative study to expand and confirm these results. We obtained human-subjects approval from UMD and DoD. We piloted our draft questionnaire using cognitive interviews and finalized the questions. We contracted a sample provider (for a representative sample of U.S. adults), who completed data collection in early April; we completed data analysis in May. This study will be published in ACM CCS, a top security conference, in October 2016, where it will be presented by Elissa Redmiles.

Grad student Wei Bai presented a poster at SOUPS 2016. This poster discussed our findings that users with stronger web skills behave very slightly more securely than users with weaker web skills, measured via previously validated instruments.

Graduate student Elissa Redmiles received a "data grant" from the Data&Society institute to study the security habits of low-SES Americans, in part due to her work on this project. We are using this data in two ways: for comparison with results from our large-scale quantitative survey, and to build a visualization tool that helps software developers recognize the security needs and knowledge gaps of their diverse user base. For the former, we completed a quantitative analysis of how low-SES users' resources and advice sources correlate with their behavior. We found that when controlling for advice sources, SES does not correlate with outcomes; however, there is a large difference in how low- and high-SES users receive advice. We submitted a paper based on this analysis to CHI 2016, a top HCI conference.

Five students planned and conducted participatory design sessions for developing entertaining, relatable educational videos to convince viewers to accept software updates. The goals of this workshop were driven by the results of our qualitative study, which suggest that relatable fiction is a strong vehicle for learning security behaviors. Based on the results from the participatory design sessions, we developed a short storyboard and produced a video. We plan to evaluate the video in the next quarter.