This proposal explores opportunities to improve cybersecurity systems by encouraging cooperation and stewardship, whereby people work together for mutually beneficial cybersecurity outcomes. For example, coworkers could provide accountability for one another in keeping their software fully up-to-date, or a trusted expert might remotely configure the security settings on a new laptop for a consenting non-expert. Many existing security systems, by contrast, are not designed to enable or encourage social interaction, a situation that often results in confusion and non-compliance. This proposal will involve studies with people to understand how and when cooperation and stewardship might be beneficial, along with the development of a platform that facilitates the evaluation and construction of such systems. The proposed work work should add to our understanding of how to design and engineer effective real-world cybersecurity systems by incorporating social interaction. Furthermore, this project will provide both undergraduate and graduate students an opportunity to participate in interdisciplinary research. This proposal marries ideas from social psychology, human-computer interaction, and design to tackle a simple and timely question in usable security: How can we create systems that facilitate cooperation and stewardship in end-user cybersecurity systems in order to encourage better cybersecurity behaviors? In the context of this proposal, end-users can be thought of as people who directly interface with a security system to protect their own assets; cooperation in end-user security systems allows people to act collectively towards mutually beneficial security goals or benefit, and, stewardship in end-user security systems allow people to act on behalf of others' security goals or benefit. The union of such cooperative and stewarded systems can be said to be sociopetal, or designed to bring people together. The proposed work will encompass three interacting research thrusts: (i) running group interviews and diary studies to model end-users' day-to-day security activities and how they relate to a broader social context; (ii) developing novel sociopetal cybersecurity systems and evaluating those systems with real user groups; and, (iii) creating and releasing a platform for facilitating the development and evaluation of future sociopetal cybersecurity systems.
CRII: SaTC: Systems That Facilitate Cooperation and Stewardship to Improve End-User Security Behaviors