Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation

One of the largest outstanding problems in computer security is the need for higher awareness and use of available security tools. One promising but largely unexplored approach is to use social proof: by showing people that their friends use security features, they may be more inclined to explore those features, too. To explore the efficacy of this approach, we showed 50,000 people who use Facebook one of 8 security announcements (7 variations of social proof and 1 non-social control) to increase the exploration and adoption of three security features: Login Notifications, Login Approvals, and Trusted Contacts. Our results indicated that simply showing people the number of their friends that used security features was most effective, and drove 37% more viewers to explore the promoted security features compared to the non-social announcement (thus raising awareness). In turn, as social announcements drove more people to explore security features, more people who saw social announcements adopted those features, too. However, among those who explored the promoted features, there was no difference in the adoption rate of those who viewed a social versus a non-social announcement. In a follow-up survey, we confirmed that the social announcements raised viewers' awareness of available security features.
