Understanding how Users Process Security Advice - UMD - April 2017
PI(s): Michelle Mazurek
Researchers: Elissa Redmiles, Wei Bai, Angel Plane, Rock Stevens, Peter Sutor, Candice Schumann, Amy Malone, Sean Kross, Everest Liu
HARD PROBLEM(S) ADDRESSED
Human Behavior
PROJECT SUMMARY
People encounter a tremendous amount of cybersecurity advice. It would be impossible to follow all the available advice, so people pick and choose which advice to follow and which to ignore in different circumstances. But the advice they pick is not always the most correct or useful. In this project, we examine how users learn security behaviors, and we develop and evaluate new interventions for improving user behavior. By more scientifically understanding how users interpret advice and learn behaviors, we can try to increase user security both through new educational interventions and by helping users prioritize and evaluate the advice they receive.
PUBLICATIONS
7. (Industry) Redmiles, E.M., Plane, A., Schumann, C., Sutor, P., Stevens, R., and Mazurek, M.L. Can Edutainment Videos Change Security Behavior? Poster, 2017 UXDC Conference.
6. Redmiles, E.M., Plane, A., Schumann, C., Sutor, P., Stevens, R., and Mazurek, M.L. Can Edutainment Videos Change Security Behavior? Poster, The Network and Distributed System Security Symposium 2017 (NDSS).
5. "Where is the Digital Divide? A Survey of Security, Privacy, and Socioeconomics." Elissa M. Redmiles, Sean Kross, and Michelle L. Mazurek. To appear in CHI 2017: ACM Conference on Human Factors in Computing Systems. May 2017.
4. "More skilled internet users behave (a little) more securely." Elissa M. Redmiles, Shelby Silverstein, Wei Bai, and Michelle L. Mazurek. Poster, Symposium on Usable Privacy and Security (SOUPS), July 2016.
3. "How I learned to be secure: A census-representative survey of security advice sources and behavior." Elissa M. Redmiles, Sean Kross, and Michelle L. Mazurek. In CCS 2016: ACM Conference on Computer and Communications Security. October 2016.
2. "I Think They're Trying to Tell Me Something: Advice Sources and Selection for Digital Security." Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek. In Proc. IEEE S&P, May 2016.
1. "How I Learned To Be Secure: Advice Sources and Personality Factors in Cybersecurity." Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek. Poster, Symposium on Usable Privacy and Security (SOUPS), July 2015.
In Submission:
Redmiles, E.M., Plane, A., Schumann, C., Sutor, P., Stevens, R., and Mazurek, M. Can you entertain users into updating their software? Mixed-Methods Development and Evaluation of a Security Edutainment Video. Paper. USENIX Security (USENIX).
ACCOMPLISHMENT HIGHLIGHTS
In February, grad student Elissa Redmiles presented a poster at NDSS 2017, a top security conference, on our experimental evaluation of the edutainment video that we developed to educate users about software updates [6]; she will also present a poster on this work at an industry conference, UXDC, in April [7]. We submitted a paper regarding the development and evaluation of this edutainment video to USENIX Security 2017.
Based on discussions with Greg Shannon (Chief Scientist at CERT and former Cybersecurity Advisor to the White House Office of Science and Technology Policy) as a result of our CCS presentation [3], we are conducting a mixed-methods study to evaluate and improve two-factor authentication (2FA) messages. We conducted interviews with 12 participants regarding their opinions about different existing 2FA messages and also asked them to sketch new ones that they feel would make them more likely to enable 2FA. We qualitatively coded the results of this study, and based on these results we iteratively designed and evaluated 6 new 2FA messages via a scenario survey with over 500 respondents. We plan to experimentally evaluate the top three messages. We will use a simulator tool that we developed, which invites users to create an account and asks them to log in to that account with some frequency (e.g., 1x per week, 1x per day) in order to be compensated for completing our study. Using the tool, we can vary which 2FA message users see, in order to validate the accuracy of our self-report survey results against real-world behavior. We plan to submit a work-in-progress workshop paper on the intermediate qualitative results of this work to the WAY Workshop on Authentication at SOUPS 2017, and a final version to ACM CHI 2018 (deadline in September). An undergraduate student, Everest Liu, will also present a poster on this work at the annual University of Maryland HCI lab symposium.