The Role of Instructional Design in Persuasion: A Comics Approach for Improving Cybersecurity

Abstract: Although computer security technologies are the first line of defense to secure users, their success is dependent on individuals’ behavior. It is therefore necessary to persuade users to practice good computer security. This interview analysis of users’ conceptualization of security password guessing attacks, antivirus protection, and mobile online privacy shows that poor understanding of security threats influences users’ motivation and ability to practice safe behaviors. An online interactive comic series called Secure Comics was designed and developed based on instructional design principles to address this problem. An eye-tracking experiment suggests that the graphical and interactive components of the comics direct users’ attention and facilitate comprehension of the information. In the evaluations of Secure Comics, results from several user studies show that the comics improve understanding and motivate positive changes in security management behavior. The implications of the findings for better understanding the role of instructional design and persuasion in education technology are discussed.
