Weighing Context and Trade-offs: How Suburban Adults Selected Their Online Security Posture

Understanding how people behave when faced with complex security situations is essential to designing usable security tools. To better understand users’ perceptions of their digital lives and how they managed their online security posture, we conducted a series of 23 semi-structured interviews with mostly middle-aged parents from suburban Washington state. Using a grounded theory methodology, we analyzed the interview data and found that participants chose their security posture based on the immense value the Internet provides and their belief that no combination of technology could make them perfectly safe. Within this context, users have a four-stage process for determining which security measures to adopt: learning, evaluation of risks, estimation of impact, and weighing trade-offs to various coping strategies. Our results also revealed that a majority of participants understand the basic principles of symmetric encryption. We found that participants’ misconceptions related to browser-based TLS indicators lead to insecure behavior, and it is the permanence of encrypted email that causes participants to doubt that it is secure. We conclude with a discussion of possible responses to this research and avenues for future research.
