Identifying patterns in informal sources of security information

Computer users have access to computer security information from many different sources, but few people receive explicit computer security training. Despite this lack of formal education, users regularly make many important security decisions, such as “Should I click on this potentially shady link?” or “Should I enter my password into this form?” For these decisions, much of their knowledge comes from incidental and informal learning. To better understand differences in the security-related information available to users for such learning, we compared three informal sources of computer security information: news articles, web pages containing computer security advice, and stories about the experiences of friends and family. Using a Latent Dirichlet Allocation topic model, we found that security information from peers usually focuses on who conducts attacks, information from expert advice pages focuses instead on how attacks are conducted, and information from the news focuses on the consequences of attacks. These differences may prevent users from understanding the persistence and frequency of seemingly mundane threats (viruses, phishing), or from associating protective measures with the generalized threats they are concerned about (hackers). Our findings highlight the potential for sources of informal security education to create patterns in user knowledge that affect users' ability to make good security decisions.
