The Effect of Social Influence on Security Sensitivity

Despite an impressive effort at raising the general populace's security sensitivity—the awareness of, motivation to use, and knowledge of how to use security and privacy tools—much security advice is ignored and many security tools remain underutilized. Part of the problem may be that we do not yet understand the social processes underlying people's decisions to (1) disseminate information about security and privacy and (2) actually modify their security behaviors (e.g., adopt a new security tool or practice). To that end, we report on a retrospective interview study examining the role of social influence—or, our ability to affect the behaviors and perceptions of others with our own words and actions—in people's decisions to change their security behaviors, as well as the nature of and reasons for their discussions about security. We found that social processes played a major role in a large number of privacy and security-related behavior changes reported by our sample, probably because these processes were effective at raising security sensitivity. We also found that conversations about security were most often driven by the desire to warn or protect others from immediate novel threats observed or experienced, or to gather information about solving an experienced problem. Furthermore, the observability of security feature usage was a key enabler of socially triggered behavior change—both in encouraging the spread of positive behaviors and in discouraging negative behaviors.
