A Typology of Perceived Triggers for End-User Security and Privacy Behaviors

What triggers end-user security and privacy (S&P) behaviors? How do those triggers vary across individuals? When and how do people share their S&P behavior changes? Prior work in usable security and persuasive design suggests that answering these questions is critical if we are to design systems that encourage pro-S&P behaviors. Accordingly, we asked 852 online survey respondents about their most recent S&P behaviors (n = 1947), what led up to those behaviors, and whether they shared those behaviors. We found that social “triggers”, where people interacted with or observed others, were most common, followed by proactive triggers, where people acted absent an external stimulus, and lastly by forced triggers, where people were forced to act. People from different age groups, nationalities, and levels of security behavioral intention (SBI) all varied in which triggers were dominant. Most importantly, people with low-to-medium SBI most commonly reported social triggers. Furthermore, participants were four times more likely to share their behavior changes with others when they themselves reported a social trigger.
