15 years ago, we learned that Johnny couldn't encrypt...

(or use any security tool, for that matter)

And we were shocked.

And confused.

And, just, sad.

We've spent the years since understanding why.

We've found at least three barriers inhibiting Johnny:

Johnny may not be aware of security threats or security tools.

(What is PGP? Or two-factor authentication?)

Johnny may not be motivated to use these tools to protect himself.

(Who would want to "hack" me?)

Johnny does not have the knowledge to use security tools.

(How would I encrypt e-mail, anyway?)

In other words, Johnny may have low security sensitivity.

We've used this understanding to do better.


1. Awareness: Risks/warnings communication.

2. Motivation: Cooler, faster security tools.

3. Knowledge: Usable interfaces.

But security sensitivity is still low.

What are we missing?

The Effect of Social Influence on Security Sensitivity

Sauvik Das {sauvik@cmu.edu}
Tiffany Hyun-Jin Kim {hyunjin@cmu.edu}
Laura Dabbish {dabbish@cmu.edu}
Jason I. Hong {jasonh@cs.cmu.edu}

Core Observation

Human beings are social creatures, and the decisions we make about security and privacy should be viewed within the context of a social system.

We know that social influence is hugely important in the adoption of technology.

We know that social influence can be powerfully effective at driving human behavior.

Yet, we know little about how social processes affect security sensitivity.

To explore this possibility, we set out to answer two questions:

Q1

What role does social influence play in security related behavior changes?

Q2

How and under what circumstances do people communicate about security and privacy?

To answer these questions, we conducted an interview study.

We recruited:

19 participants

Age Range: 20–54

A variety of professional backgrounds

7 females

For Q1, we asked about specific instances of security related behavior changes.

For Q2, we asked about specific conversations they had about privacy or security.

3 Major Findings

Finding 1

Social influence often triggered security related behavior changes by modulating security sensitivity.

Almost all of our participants made at least one change because of a social trigger.



Almost half of all security related changes were made because of a social trigger.


What is a social trigger?

A social process that was explicitly stated to be the root of a behavior change.

“When I first had a smartphone I didn’t have a code, but then I started using one because everyone around me I guess had a code so I kind of felt a group pressure to also use a code.”—(P6, Male, 29, Programmer)
“Diversification of passwords. I had the same password for every service so I wanted to pick a stronger password”—(P6, Male, 29, Programmer)

We found many distinct social triggers, each effective at modulating security sensitivity.

Observing Friends

Simply observing others use security features convinces people to use those features themselves.
“My mother had an iPhone before I did, and she always had the block on hers… I think just because I saw her doing it, it kind of just felt like it was something I had to do too.”—(P3, Female, 22, English Student)
“So when I was an undergrad I’ve been using it since then. And this four digit PIN everybody started using it and it was a hype.”—(P14, Male, 24, IT Graduate Student)

Related to the concept of "social proof"—we look to friends for cues on what to do.



Observing Friends often raised awareness and motivation.

Pranks and Demonstrations

Demonstrations of insecure behavior by friends and loved ones.

“When I was interning…one of my friends and a fellow intern came to my desk and just unlocked my phone. I was surprised...He put it against the sunlight and he saw I guess the smudges my finger left. He just followed the direction. Yeah, he had access to my phone.”—(P18, Male, 20, Engineering student)

Other demonstrations were not intended to be educational—they were pranks.

“If I walk out of the room my friends just put up a funny status...or even just look through my messages or something like that... But once that happens, I usually change my password immediately”—(P19, Male, 20, Anthropology student) 

Pranks and demonstrations were very effective at raising motivation.

Social triggers do not necessarily raise security sensitivity—but they do modulate it.

“I don't think it will be dangerous...Like, my friends...have a lot of different accounts, the same as me. But they didn't get any trouble. So I think maybe it will not be dangerous.”—(P17, Female, 34, House wife) 

Back to Q1: What role does social influence play in driving security behaviors?

Social processes play a pivotal role in modulating security sensitivity.


But, social triggers come from security related interactions or communications, which remain rare.

“That’s one thing I will never talk about.”—(P11, Male, 54, Chef)
“It depends on the context. It does become a boring subject.”—(P9, Male, 30, Programmer)

When do conversations about security or privacy actually occur?

Finding 2

People did not often communicate about security, but did so primarily to teach or to warn.

Warnings

Conversations focused on raising awareness of a threat that comes to the attention of the conversation initiator.

Cautionary Tales

A warning-type conversation triggered by a security or privacy breach with the goal of warning friends and loved ones about a threat.


The threat was experienced either directly by the conversation initiator or by someone close.

“When I opened the e-mail, it said that they were...in England and they didn’t have enough money to come back to the States so can you send us some money...I was probably the first to contact them that they were hacked. I’m like, ‘This isn’t right. Something strange’”—(P11, Male, 54, Chef)

Targeted Warnings

Conversations where the initiator issues a warning about potential threats after observing others engaging in insecure behavior.
“I was having a conversation with somebody and they were saying, ‘Don’t you have your passcode on there anymore?’ And I said, ‘No, it’s a pain in the butt.’ And they said, ‘Well, it’d probably be a good idea especially if you like leave it lay around on your desk or something like that…’” (P7, Female, 54, Admin. Assistant) 

Teachings

Conversations focused on sharing specific information about good security behaviors to solve an immediate problem or avoid a future threat.

Lectures

Generally one-way conversations where the lecturer informs the listener about good security practices.


Often parents to young children, adult children to parents, or managers to employees.

“I've told them to also use the same features that I do. Like having screen locks for phones and being more careful about passwords. And not logging into public computers and just leaving them without signing out.”—(P8, Male, 31, Accountant)

Social Learning

Conversation about observed novel security or privacy behaviors or tools. 

Observations by novices lead to questions that allow experts or early adopters to boast about their solutions for solving common security problems.
“One of my co-workers told me about the whole algorithm thing...it just helps you I guess have different passwords...I guess you can...change your algorithm, depending on I guess what you want to be in it. But, ever since, I started using it.”—(P18, male, 22 years old)

Social learning conversations are ideal: curious novices willingly receive advice from experts.


Back to Q2: Under what circumstances do people communicate about security and privacy?


People communicate about security and privacy to warn and to teach.

Thus, conversations about privacy and security tended to be educational experiences.

And, these educational conversations often led to heightened security sensitivity.

Observability was again a key driving force for security related conversations.


Finding 3

The observability of security tool usage was a key enabler of socially triggered behavior change and conversation.


Unfortunately, security and privacy tools are markedly unobservable (often intentionally).

Johnny has little social proof that security is important, and thus has little incentive to care about security.

Conclusion

We presented a retrospective interview study exploring the effects of social processes on modulating security sensitivity.  

Our results introduce a typology of social interaction around cybersecurity behavior.

3 Take-Aways

1. Social processes play a pivotal role in modulating security sensitivity and triggering security related behavior change.

2. Conversations about security and privacy are rare, but when they occur, they are primarily to warn or to teach.

3. The observability of security tool usage is a key enabler of socially triggered behavior change and conversation.

We've long overlooked the social forces driving security sensitivity.

Let's start taking these social considerations into account, to give Johnny a stronger reason to care about security.



Extra Slides

We've made learning about security more interesting and accessible to raise awareness.

We've built faster, cooler, and flashier security tools to increase motivation.

We've reduced the knowledge barrier by making security tools usable.