Advice Sources and Selection for Digital Security - UMIACS

I Think Theyrsquore Trying to Tell Me SomethingAdvice Sources and Selection for Digital Security

Elissa M Redmiles Amelia R Malone and Michelle L MazurekDepartment of Computer Science

University of MarylandCollege Park Maryland 20742

eredmilescsumdedu amalone2terpmailumdedu mmazurekcsumdedu

AbstractmdashUsers receive a multitude of digital- and physical-security advice every day Indeed if we implemented all thesecurity advice we received we would never leave our houses oruse the Internet Instead users selectively choose some adviceto accept and some (most) to reject however it is unclearwhether they are effectively prioritizing what is most importantor most useful If we can understand from where and whyusers take security advice we can develop more effective securityinterventions

As a first step we conducted 25 semi-structured interviewsof a demographically broad pool of users These interviewsresulted in several interesting findings (1) participants evaluateddigital-security advice based on the trustworthiness of the advicesource but evaluated physical-security advice based on theirintuitive assessment of the advice content (2) negative-securityevents portrayed in well-crafted fictional narratives with relatablecharacters (such as those shown in TV or movies) may be effectiveteaching tools for both digital- and physical-security behaviorsand (3) participants rejected advice for many reasons includingfinding that the advice contains too much marketing material orthreatens their privacy

I INTRODUCTION

In the United States Computer Emergency Readiness Team(US-CERT) list of advice for home computer users there are 61topics with approximately 500 words of advice per topic [1]This single US-CERT page contains more than 30000 wordsof digital-security advice If people listened to all of thesecurity advice that must be contained in the multitude ofdigital- and physical-security advice sources available todaythey would never leave their houses or use the Internetagain Since people are still leaving their houses and mostcertainly still using the Internet how are they determiningwhich security advice to implement and which to discard Itis important to understand how users learn security behaviorsin order to ensure that the best or most important securitytactics can break through the noise and attract adoption

Previous research related to usersrsquo security behaviors hasprimarily focused on identifying those behaviors and experi-menting with how to change them [2] [3] Other work hasshown the important influence of social factors on securitybehavior [4] [5] Additional work has proposed that userschoose which behaviors to practice based on an analysis ofthe costs and benefits [6] [7]

Despite this past work there has been no comprehensiveanalysis of why users choose to accept and reject digital-

security advice and from what sources they take this adviceNor has there been a direct comparison between the advice-taking behaviors of users in the more well-established domainof physical security with the more recent area of digital secu-rity As a first step toward establishing a deeper understandingof usersrsquo approaches to learning digital-security behaviors wesought to answer the following research questions

Q1) Where or from whom do users learn digital- andphysical-security behaviors

Q2) How do usersrsquo advice sources reasons for accepting orrejecting advice and valuation of advice differ for digitaland physical security

Q3) How do demographics as well as exposure to security-sensitive content and workplace trainings impact theuse of different advice sources or usersrsquo reasons foraccepting or rejecting advice

To address these questions we conducted a semi-structuredinterview study with 25 participants of varied demographicsDuring a 60-minute interview we asked questions designed tohelp participants articulate their digital-security habits at homeas well as where they learned these strategies and why theychose to implement them with the assumption that participantscould in most cases accurately recall their habits and articulatereasons for those habits We also addressed where participantslearned security strategies and why they may reject certainstrategies that they have heard about but choose not employWe explicitly compared this information to the ways thatparticipants learn and process physical-security advice todetermine whether mechanisms that inform physical-securityadvice-taking can be imported to the digital domain

Further we recruited participants in two groups security-sensitive users who handle data governed by a security clear-ance or by HIPAA or FERPA regulations and general userswho do not This allowed us to consider the effect that regularexposure to a data-security mindset has on the ways that usersprocess security advice in their personal (non-work) livesFinally we explored as a case study participantsrsquo reactionsto two-factor authentication which has been identified as ahighly effective but underutilized security tool [8]

We rigorously analyzed this interview data using an iter-ative open-coding process We identified several interestingfindings including

bull Participants evaluate digital-security advice based pri-marily on the trustworthiness of the advice source Thiscontrasts sharply with physical security where the trust-worthiness of the source is less important because usersfeel comfortable independently evaluating the content andvalue of the advice

bull Prior work has identified negative personal experience asa learning tool [3] we find that TV shows and movies thatpresent negative-security events with relatable charactersand clearly defined causes can also be strong motivatorsfor adopting new security behaviors

bull Participants have many more reasons for rejecting bothdigital- and physical-security advice than for acceptingit For digital security in particular these reasons includenot just the obviousmdashthat advice is too complicated orthat the participant is oversaturatedmdashbut also more subtlerationales such as the presence of too much marketingand concerns about privacy

Based on these and other trends extracted from our interviewswe distill recommendations for designing and disseminatingmore effective security advice These recommendations in-clude highlighting information to mitigate user privacy con-cerns for services such as two-factor authentication increasingthe credibility of security advice by removing product-specificreferences to reduce usersrsquo impressions of the advice asmarketing material and replacing corporate security trainingvideos with more relatable fictional vignettes illustrating neg-ative events We believe these guidelines can help securityexperts to magnify the impact of truly important securityadvice

II RELATED WORK

In this section we discuss prior research in four relatedareas examining the factors that influence usersrsquo securitybehaviors determining which security behaviors or recom-mendations are valuable theoretical frameworks for analyzingtechnology adoption and developing or evaluating securityinterventions

A Factors Influencing Security Behaviors

Several researchers have examined how specific factorsinfluence security behaviors Das et al demonstrated theimportance of social influence for example showing usersinformation about their Facebook friendsrsquo security behaviorsmade them more likely to adopt the same behaviors [2] [9]Relatedly Rader et al found that security stories from non-expert peers affect how users think about computer securityand how they make security decisions like whether to click ona link [3] Wash identified ldquofolk modelsrdquo of security such asviewing hackers like digital graffiti artists that influence usersrsquoperceptions of what is and is not dangerous [10] Lastly Raderand Wash together examined how the topics and words usedin three types of security advice may affect userrsquos ability tomake good security decisions [11] Our work broadens thesefindings by explicitly considering a variety of ways social and

otherwise in which users may learn about different securitybehaviors

Security decisions are often framed as economic tradeoffsin which users ignore security best practices due to rationalcost-benefit optimization Herley for example suggests that ifusers were to spend one minute of each day checking URLsto avoid phishing the time cost would be much larger than thecost of the phishing itself [6] To investigate whether users arein fact making rational cost-benefit calculations we examineusersrsquo reported thought processes when accepting and rejectingsecurity advice Further researchers have considered a compli-ance budget the limited time and resources users can spend onsecurity behavior [7] [12] This highlights the importance ofunderstanding how users decide which advice they spend theircompliance budget on so that the most valuable advice canbe designed to rise to the top Although this prior work alsofocuses on why users implement or reject security behaviorsour work differs in a few key ways our study is about homesecurity behaviors whereas Beautement et al addressed onlythe organizational environment [7] relatedly our study drawsfrom a larger and more diverse participant pool and finallywe investigate not only why users reject security behaviorsbut also why they accept or reject advice from a multitude ofsources

Other researchers have considered how demographics affectsecurity and privacy decision-making Howe et al note thatsocioeconomic status and the corresponding belief that onersquosinformation may not be ldquoimportant enough to hackrdquo canaffect security behaviors [5] This paper also notes largedifferences in advice sources between undergraduate and adultpopulations Wash and Rader investigated security beliefsand behaviors among a large representative US sampleand found that more educated users tended to have moresophisticated beliefs but take fewer precautions [13] Othershave investigated how demographic and personality factorsinfluence susceptibility to phishing [14] [15] Rainie et alfound that younger people social media users and thosewho had a prior bad experience were more likely to try tohide their online behavior [4] Based on this prior work werecruited specifically for diversity of age income educationand race Further we recruited for and analyzed the impact ofan additional type of diversity security sensitivity meaningprofessional training to handle confidential or sensitive dataIn addition during our data analysis we coded for participantswho discussed whether their information was important toprotect and whether they had prior negative experiences

Although prior work touches on similar themes to ourknowledge we are the first to comprehensively examine usersrsquoprimary sources of digital security advice in general and whythey choose to accept or reject it Further our work directlycompares digital security to physical security By drawinglessons from each domain we develop design guidelines foreffectively transmitting security information

B Expert Advice and Best Practices

Any attempt to improve the dissemination and adoptionof security advice will of course require decisions aboutwhich advice is relevant and important In recent work Ionet al surveyed more than 200 security experts to determinewhat behaviors they most often practice andor strongly rec-ommend [8] Top suggestions included installing softwareupdates using two-factor authentication and using a pass-word manager Corporate and government help pages fromorganizations such as Microsoft the United States ComputerEmergency Readiness Team and McAfee also provide userswith pieces of top advice including tips for improving thestrength of passwords and encouragement to update softwareregularly [1] [16] [17] These best practices provide insightinto what advice is most valuable to give users in this paperwe address the related but orthogonal problem of how usersreceive and respond to advice and therefore how importantadvice can be disseminated when it is identified

C Theoretical Frameworks

A sizable body of research focuses on theoretical frame-works to explain technological adoption One such theory Dif-fusion of Innovation emphasizes how communication chan-nels and social systems can lead to the introduction of newinnovations into communities over time [18] Applicationsof this theory often require large samples and longitudinaldata [19] In contrast Digital Divide theory suggests thataccess inequality is the most important factor in technologyadoption [20] The application of Digital Divide theory alsorequires longitudinal data in combination with socioeconomicinformation to evaluate technological progress In this small-sample qualitative work we take a theory-agnostic approachto data analysis Follow-up research could be used to establishhow our findings fit within these frameworks

D User Education and Security Interventions

Another large body of work is devoted to analyzing andimproving delivery of security information to users particu-larly in the context of user education and designing securitywarnings For example significant research has examined howto educate users about phishing prevention [21]ndash[25] Therehas also been considerable work addressing the effectivenessof phishing and SSL warnings for browsers [26]ndash[29] bank-ing security warnings [30] and security-warning habituationgenerally [31] Other researchers have considered how bestto nudge users to create stronger passwords [32]ndash[35] andhow to inform them about potentially invasive mobile apppermissions [36]ndash[39] Our work takes an alternate viewrather than focus on how to promote adoption of one specificsecurity behavior we consider why users make the securitydecisions they do where they get their educational materialsand how they evaluate credibility

III METHODOLOGY

To answer our research questions we conducted semi-structured interviews in our laboratory between March and

October 2015 To support generalizable and rigorous qual-itative results we conducted interviews until new themesstopped emerging (25 participants) [40] Our subject pool islarger than the 12-20 interviews suggested by qualitative best-practices literature as such it can provide a strong basisfor both future quantitative work and generalizable designrecommendations [41]

The study was approved by the University of MarylandInstitutional Review Board Below we discuss our recruitmentprocess interview procedure details of our qualitative analy-sis and limitations of our work

A Recruitment

We recruited participants from the Washington DC metroarea via Craiglist postings and by sending emails to neigh-borhood listservs We also distributed emails in public- andprivate-sector organizations with the help of known contacts inthose organizations In addition we posted flyers in Universityof Maryland buildings and emailed university staff membersWe collected demographic information including age genderincome job role zip code and education level from respon-dents in order to ensure a broad diversity of participantsParticipants were compensated $25 for an approximately one-hour interview session

B Procedure

We asked participants to bring a device they use to connectto the Internet for personal use with them to their interviewTwo researchers conducted all of the interviews which tookbetween 40 and 70 minutes We used a semi-structured in-terview protocol in which the interviewer primarily uses astandard list of questions but has discretion to ask follow-upsor skip questions that have already been covered [42] Semi-structured interviews allow researchers to gather informationabout participantsrsquo practices habits and experiences as wellas their opinions and attitudes

During the interview we asked questions about participantsrsquodigital- and physical-security habits as well as where theylearned those habits (Q1 Q2) We also asked participants toldquoact outrdquo their use of technology in a series of scenariosWe asked questions about participantsrsquo behaviors and advicesources for digital-security topics such as device securityincluding password protection and antivirus use web browsingand emailing including two-factor authentication and phishingquestions and online banking and shopping including ques-tions about the participantrsquos banking login process and pay-ment methods (Q1 Q2) We asked similar questions regardingphysical-security topics such as dwelling security includingquestions about locking methods and alarm systems transit(eg car and bike) security with questions similar to thoseasked for dwelling security and personal safety when walkingalone including questions about carrying weapons (Q1 Q2)We validated that our list of digital security topics broadlycovered the same topics as those mentioned as high priorityin Ion et alrsquos recent paper [8]

On each of these topics participants were first asked ageneral open-ended question regarding their security behav-iors for example ldquoHow do you protect your devicesrdquo andthen asked sequentially more specific questions for exampleldquoCan you show me how you access the home screen on yoursmartphonerdquo ldquoHave you always hadnot had a password onyour smartphonerdquo and ldquoAre there other strategies you use forprotecting your devices which you have not mentionedrdquo

Participants were subsequently asked a series of follow-up questions on each topic such as ldquoWhy do you use thisstrategyrdquo (Q2) ldquoHave you ever had a negative experiencewithrdquo (Q1) and ldquoWhere or from whom did you learnthis strategyrdquo (Q1) In addition to questions regarding spe-cific security topics participants were asked more generallyabout where from whom and why they accepted securityadvice as well as about strategies they had considered butnot adopted (Q2) Participants were also asked to comparedigital- and physical-security advice in terms of usefulnessand trustworthiness (Q2) Finally participants were asked tobriefly describe their current or most recent job They werespecifically asked if they handled sensitive data as part of theirjob and if so what kind (Q3)

C Analysis

The interview data was analyzed using an iterative open-coding process [43] Once the two interviewers completedthe interviews they transcribed 17 of the interviews Theremaining eight interviews were transcribed by an externaltranscription service The interviewers then met in personto develop and iteratively update an initial set of codesfor the data Subsequently they independently coded eachinterview incrementally updating the codebook as necessaryand re-coding previously coded interviews This process wasrepeated until all interviews were coded The codes of the twointerviewers were then compared by computing the inter-coderpercent agreement using the ReCal2 software package [44]The inter-coder percent agreement for this study is 75 Thisis a reasonable score for an exploratory semi-structured studywith a large number of codes such as ours [45] Further aftercalculating this percent agreement score the interviewers metto iterate on the codes until they reached 100 agreement onthe final codes for each interview

D Signifying Prevalence

For each finding we state the number of participantswho expressed this sentiment as an indication of prevalenceHowever our results are not quantitative and a participantfailing to mention a particular item for which we coded doesnot imply they disagree with that code rather the participantmay have simply failed to mention it As a result we optednot to use statistical hypothesis tests for comparisons amongparticipants Our results are not necessarily statistically gener-alizable beyond our sample however they suggest many areasfor future work and provide novel contributions to the body ofwork surrounding usersrsquo strategies for learning digital-securitybehaviors

E Limitations

Our study has several limitations common to qualitativeresearch While we asked participants to search their memoryfor answers to our questions they may not have fully doneso or they may have forgotten some information Further weassume that participants are largely able to correctly identifywhich of their behaviors are security behaviors and why theypracticed those behaviors To mitigate satisficing [46] inter-viewers repeatedly prompted participants to give full answersto all questions Participants may also have tired and providedless thorough answers toward the end of the interview andthose who were particularly concerned about the interviewerrsquosperception of them may have altered their answers in orderto not portray themselves as overly secure or insecure [46][47] Additionally the age gender and race of the interviewersmay have introduced some bias into participantsrsquo responsesWe recruited a diverse pool of participants to increase theodds that relevant ideas would be mentioned by at least oneparticipant despite these limitations

IV RESULTS

In this section we detail the results of our study Firstwe will discuss our participantsrsquo demographics and securitysensitivity An overview of these demographics is shown inTable I Second we will address the sources from whichparticipants accept security advice and how these sourcesdiffer across genders and for physical and digital security Asummary of these sources is shown in Figure 1 Third wewill address the different reasons our participants gave foraccepting and rejecting digital- and physical-security advicesome of the differences in these reasons were unanticipatedFourth we address differences between security-sensitive andgeneral participants which imply imply that exposure todigital-security information in the workplace may have effectson advice processing Finally we present a case study on two-factor authentication a behavior found by Ion et al to havehigh security importance but low adoption [8]

A Participants

We recruited 158 potential participants and selected 47 tointerview We selected a balance of men and women as wellas a diversity of age ethnicity and education Of the 47participants selected for interviews 25 attended their interviewappointments

Demographics for our 25 participants are shown in Table IFifty-six percent of our participants are female slightly morefemale than the general US population in 2014 (51) [48]Our sample is somewhat less Hispanic (8 vs 17) andless White (40 vs 62) but more Black (44 vs 13)than the US population [48] We had a proportional numberof Asian participants (8) However the racial makeup ofour sample more closely matched the racial proportions ofthe Washington DC metro area which is 43 White (oursample 40) 46 Black (our sample 44) 10 Hispanic(our sample 8) and 4 Asian (our sample 8) [49] Ourparticipant sample is wealthier than the US population and our

SecID Gender Age Race Educ Income Type

P1 M 31-40 W MS $90-$125k FP2 F 22-30 A BS $50-$70k ndashP3 M 18-22 W SC $90-$125k FP4 F 51-60 W PhD $150k+ SP5 F 22-30 B MS $90-$125k FP6 F 41-50 W MS $30-$50k ndashP7 F 31-40 H MS $70-$90k FP8 F 31-40 B MS $90-$125k ndashP9 M 22-30 W BS $50-$70k SP10 M 22-30 B BS $50-$70k SP11 M 60+ W P $90-$125k CP12 M 41-50 B SC $0-$30k SP13 F 31-40 A MS $0-$30k ndashP14 F 31-40 B SC $90-$125k ndashP15 F 41-50 B Assoc $50-$70k CP16 F 31-40 H HS $0-$30k ndashP17 F 18-22 B HS $0-$30k ndashP18 M 18-22 B HS $0-$30k ndashP19 F 22-30 B MS $50-$70k FP20 F 60+ W PhD $150k+ ndashP21 M 41-50 W PhD $150k+ CP22 M 60+ W SC $90-$125k ndashP23 F 22-30 B Assoc $70-$90k HP24 M 41-50 W BS $30-$50k SP25 M 18-22 B Assoc $70-$90k H

TABLE IPARTICIPANT DEMOGRAPHICS THE COLUMNS SHOW PARTICIPANT

IDENTIFIERS (CODED BY INTERVIEW DATE ORDER) GENDER AGE RACE(WHITE BLACK ASIAN AND HISPANIC) EDUCATION GROSS

HOUSEHOLD INCOME IN 2014 AND SECURITY SENSITIVITY AT WORKTHE ABBREVIATIONS IN THE EDUCATION COLUMN STAND FOR HIGH

SCHOOL GRADUATE SOME COLLEGE BACHELORS DEGREE ASSOCIATESDEGREE MASTERS DEGREE DOCTORAL DEGREE AND PROFESSIONAL

DEGREE (EG MBA JD) THE ABBREVIATIONS FHSCndash IN THESECURITY TYPE COLUMN STAND FOR FERPA HIPAA AND SSN DATAHANDLING THE HOLDING OF A SECURITY CLEARANCE AND NO WORK

WITH SENSITIVE DATA RESPECTIVELY

demographic area 28 of our participants have a householdincome under $50000 whereas 47 of households in thegeneral US population and 401 of households in the DCarea earn less than $50000 per year [49] [50] Our sampleis however representative of the educational attainment inour demographic area 88 of our participants hold a highschool degree or higher compared with 901 per the DCarea census and 60 of our participants hold a Bachelorrsquosdegree or higher compared to 55 in the DC area [49]

B How Security Behaviors Are Learned

Participants reported implementing digital- and physical-security advice from a number of sources While manysources were common to both digital and physical security(media peers family) in this section we emphasize advicesources unique to digital security including IT professionalsthe workplace and providers of participantsrsquo digital services(eg Comcast) Next we discuss a new source of securityinformation fictional portrayals of negative-security eventsthrough TV shows and movies Our findings emphasize and

0 5 10 15 20 25 30

Media

Peers

Family

Negative Experiences

IT Professionals

Workplace

Service Provider

Chart Title

Physical Both DigitalDigitalBothPhysical0 5 10 15 20 25 30

Media

Peers

Family


IT Professionals

Workplace

Service Provider

Chart Title

Physical Both Digital

Service Provider

Media

Peers

Family


IT Professionals

Workplace

Advice Sources

Fig 1 Prevalence of advice sources for digital and physical security

expand prior findings on the importance of negative securitystories for teaching digital security behaviors [3] We thenconsider common sources ndash media family members and peersndash in more detail We examine which specific people andsources in this group our participants considered authoritativeFinally we include an interpretive section discussing gender-based differences in advice sources

Digital Only IT Professionals IT professionals are an in-formation source strictly for digital-security methods (N=12)These professionals can be colleagues in a participantrsquos workenvironment or friends of the participant As we will discussin Section IV-C a participantrsquos belief that a digital-securityadvice source is trustworthy is a primary factor in whetherthey choose to accept the advice it seems that participantsview IT professionals as especially trustworthy ldquoFor personal[digital security advice] I might talk to one of the IT guysabout that I just talk to the one Irsquom most friends withI always try to get information whatrsquos the best interventionwhat do you thinkrdquo comments P15 Further participants mayuse IT professionals to evaluate the trustworthiness of advicethey have seen elsewhere For example P19 says that when sheis looking for new digital-security advice she will ldquotalk to theIT guy at my office Irsquove talked to him a couple of times aboutmy phone and whatever I hear or readrdquo Although participantsmay receive useful advice from colleagues and friends who areIT professionals we hypothesize that this advice may not besufficient For example as P13 notes ldquoMy friends who workin IT they just tell you to change your password as often aspossiblerdquo

Digital Only Workplace In addition to information userssolicit from IT professionals users also receive unsolicitedsecurity advice from their workplaces in the form of newslet-ters IT emails or required trainings Fourteen participantscited receiving this type of advice P4 says for example thatshe learned from work not to click links in emails that claimshe needs to update her password ldquoWe got an email from ITtelling us that never will therersquoll be an email from them thatwould require you to do thatrdquo Similarly P8 pays attention toher security trainings at work ldquoTheyrsquoll do yearly IT securitytraining which is not even necessarily for work but just for

Digital

Physical

0 5 10 15 20 25

Self PeersFamily TV

Types of Negative Experiences and Security Stories

1

Fig 2 Distribution of types of negative experiences from which participantslearned new security behaviors personal events stories told by peers andstories in TV shows or movies

life they talk about things like not sending people moneyover Facebook they also email out updates when thingschange I do actually pay attention to those emails when theysend them like about privacy notice updatingrdquo Further P2says she ldquoalways reads the IT newsletterrdquo put out by herworkplace

Digital Only Service Provider Another source of digitalsecurity information cited by nine participants is the corpora-tions that provide a service to the participant (eg SunTrustBank Apple Verizon) For example P23 comments ldquoI usuallycall my carrier (Comcast) and they have security stuff for yourinternet and theyrsquoll tell me what I can dordquo

Negative Experiences As reported in Rader and Washrsquoswork on security stories negative events described by peersor directly experienced by participants can be strong learningtools [3] In our study we found that 24 participants eitherhad negative experiences themselves or were told storiesof negative-security events by peers which led to behaviorchanges The distribution of the types of negative-securitysituations (events that happened to the participant to theparticipantrsquos friend or that the participant heard about throughTV) on which participants relied is shown in Figure 2 Ourparticipant sample was smaller yet broader than that usedin Rader and Washrsquos work and our results thus confirm thegeneralizability of their findings beyond the college studentpopulation [3]

Participants tend not to learn from security stories told byothers or from events that happen to themselves when they feelthat they or the victim did all they could to prevent the eventwhen they feel that they or the victim placed themselves inharmrsquos way or when they cannot find a cause for the negativeevent For example P2 had a friend who was robbed but didnot change her own behavior ldquobecause I think she took all theprecautions she reasonably could She parked in a brightly litarea and a reasonably safe neighborhoodI donrsquot think thatthere was much[that she could] have changedrdquo P24 and P9have had friends who got viruses but they did not do anythingdifferently afterwards because they felt that the friends werevictimized due to their lack of technical expertise Finally P18comments ldquoI actually think recently someone tried to log intomy email from China and Google sent me an email and Googleblocked it and said it looked strange and I said it was verystrangerdquo but he did not alter his behavior after this incident

Although only four participants cited TV shows specificallyeach strongly recalled stories of negative physical or digitalsecurity-related events happening to characters in those showsThey directly credited these shows with leading to a specificchange in their behavior For example P12 put a passwordon his WiFi network after watching a tech show that showedldquopeople going by houses and WiFi snooping and knockingon peoplersquos doors saying lsquoOh your WiFi is open you needto protect itrsquo shows like that [they] make you thinkrdquo P14had a similar experience watching a movie motivated her toalways check the back seats in her car for a lurking personldquoPeople had mentioned that you should check your back seatsbefore but I never paid attention to it until [this] movierdquo shesays Thus it seems that TV shows or movies may serve asstrong proxies for a negative experience that happens directlyto the user or someone she knows We hypothesize two reasonsfor this (1) while participants often blamed themselves ortheir friends for personality or behavioral flaws that led tosecurity problems they were more likely to give relatablefictional characters or the unknown real victims shown on TVthe benefit of the doubt and (2) TV shows and movies aretypically designed to be vivid realistic and believable thusmaking participants feel that what is happening on the screencould happen to them too

Evaluating Authority in Common Advice Sources Priorwork has identified media family and peers as importantsources of digital-security advice [2] Our results confirmthese findings and offer additional insights into which mediaparticipants feel is most authoritative and how participantsevaluate the expertise of their family and peers

Almost all participants (N=24) reported receiving bothdigital- and physical-security information from media Mediaincluded online articles forums television shows news showsthe radio magazines and advertisements Of the participantswho cited media as an advice source for digital securityfive participants cited a specific technology-oriented resourceas authoritative or trustworthy ldquoSome of the blog[s] I read[are] by computer people those are the most trustworthy Forexample I read Wiredrdquo says P20 In general the technicalsources cited by these participants were CNet Wired BruceSchneierrsquos blog and Mashable [51]ndash[54]

Another common source of digital- and physical-securityadvice are family members (N=21) and peers (N=15) Indescribing why they chose to take security advice from theirfamily members or friends 11 participants said they consultedtheir peer or family member because they considered this per-son an expert For example P1 says he always asks his father-in-law for digital security information because his father-in-law is ldquoa bit of a techie in his spare time Hersquos the one that Igo to for advice and feedback new stuff articles hersquoll sendlinks He knows the best of whatrsquos going onrdquo Interestinglyhowever expert status in our sample was not necessarilydetermined by education or job role (eg IT professionalpolice officer) but rather by participantrsquos perceptions of theldquotech-savvinessrdquo or physical-security expertise of their peer or

family memberP3 says that he purchased anti-virus softwareat his fatherrsquos direction He says hersquos ldquovery tech-savvy andhersquoll say lsquoYou need to get this This is importantrsquo I donrsquotquestion him because hersquos very much in the knowrdquo Whenasked what makes his father lsquotech-savvyrsquo P3 says ldquohersquos alwaysloved computers and all that entails but he doesnrsquot work intechnologyrdquo Further exploration of specific cues leveraged byusers to assess the lsquotech-savvyrsquo or expertise of their friendsfamily and the media could aid researchers in signalingadvice-source trustworthiness which is a primary motivatorfor usersrsquo acceptance of digital-security advice as discussedfurther in IV-C

Gender and Advice Eighteen participants evenly splitbetween men and women cited a man as a source of digital-security advice while only three cited a woman If this trendholds true among a larger population it may be becausemen have historically been overrepresented in technologyand computing fields and thus are considered to be moreauthoritative on that topic [55] Alternatively men may simplyoffer more unsolicited advice in the domain of digital securityor perhaps because women are still underrepresented in IT andcomputing fields there are fewer women who chose to offerdigital-security advice [56]

On the other hand 12 participants cited a woman as asource of physical-security advice compared to three partic-ipants who cited men Eight of these 12 participants whoreceived physical-security advice from women were womenthemselves Historically women have had higher rates ofcrime victimization perceive themselves to be at higher riskof victimization and express greater fear of crime than domen [57] It is probable that women are aware of this gendereddifference in threat levels and perceptions and thus find eachother more relatable sources of advice

C Why Advice is Accepted

What leads users to accept advice from the sources men-tioned above In this section we discuss participantsrsquo reasonsfor accepting security advice We find that the trustworthinessof the advice source is the key metric for digital security Thisfinding may be explained by another of our findings partic-ipants struggle to assess the plausibility and value of digital-security advice In contrast participantsrsquo relative confidencein their assessment of the plausibility of and necessity forphysical-security advice leads them to cite their own evaluationof the advicersquos content as the primary assessment metric inthe physical domain We also in this section compare whichadvice physical or digital participants feel is more usefulandor more trustworthy

Digital-Security Advice Eleven participants used the trust-worthiness of the advice source to determine whether to takedigital-security advice

In the case of media advice participants must determinewhether advice offered by an unknown author is trustworthyParticipants mentioned five heuristics that they use to measurethe trustworthiness of a media advice source including their

knowledge and trust of the advice author other usersrsquo reviewsof the advice how widespread the advice was on variousmedia outlets whether the content of the advice differedstrongly from their current behavior and the simplicity of theadvice All of these heuristics were equally prevalent in ourdata

The first technique mentioned for evaluating media advicesource trustworthiness was to assess the author or media outletproviding the advice P20 notes that her acceptance of adviceldquodepends on the author and how the article is writtenrdquo P22says he finds advice useful ldquoIf I would quote that source tosomeone else like the Washington Post [or another] reputablemedia outlet If itrsquos just some Matt Drudge on the Internetadvising about computer security I would just ignore that morequickly than I saw itrdquo

A second evaluation metric was other usersrsquo reviews of theadvice Two security-sensitive participants one who holds anMS in digital security (P24) and another who handled FERPAdata as an HR file clerk (P10) crowd-sourced their advice andsoftware evaluation P24 comments ldquoI evaluate howto videosand other advice channels via user commentsrdquo Similarly P10says ldquoI look at reviews and the software and the website todecide whether to use the advice or download [software] Ilook at whether it has a good reputationmdashwhether it is popularwith online reviewingrdquo

A third heuristic for advice evaluation was how widespreadacross different media outlets the advice became with the im-plicit assumption that distribution outlets who reprinted a givenpiece of advice had evaluated the sources and information andfound it to be valid P25 comments that he trusts ldquonews thatrsquosbacked up by facts and is across multiple channels becauseif itrsquos not good multiple places wonrsquot pick it uprdquo

A fourth metric for evaluating a media advice-source trust-worthiness was how much the content of the advice differedfrom the participantrsquos current behavior P5 says she took theadvice because ldquoit was the opposite of what I was doing so itautomatically made it seem as though it was more crediblerdquoP2 comments that she took the advice since ldquoit made senseI guess if [my password is] a bit longer itrsquos harder for [amalicious] computer to figure it outrdquo

Finally a fifth heuristic for media advice-source evaluationis the simplicity of the advice P2 adds ldquoIf itrsquos just tips thatyou can implement in your everyday life then the advice feelsmore trustworthyrdquo and P16 wishes that advice ldquowould have abetter setup to say lsquoHere this is what you have to do for stepone step two step threersquo like from Google when theyrsquoresaying that you can [add] privacyrdquo

Participants may rely on the trustworthiness of the advicesource because they are not confident in their own ability toevaluate the content of the advice Indeed P7 says ldquophysicalsecurity is related more to me and my body it makes senseto me whereas with computer security Irsquom securing myselffrom threats that I donrsquot even know anything aboutI knowwhen somebody walks up with a gun that I should be worriedrdquoP12 also notes that the tangibility of physical security canmake personal safety strategies more trustworthy and easier to

Which do you find more useful

Which do you find more trustworthy

0 10 20 30

Digital Advice Physical Advice Equal Digital amp Physical

Participants Opinions of Security Advice

1

Fig 3 Participantsrsquo opinions regarding which security advice digital orphysical is most useful

implement commenting ldquoyou know cyber security is greatbut the people who are doing it are so smart that they can putback doors in it that you donrsquot even know about so sometimesI donrsquot even trust the advicewith physical security I cantouch that or I know someone that I can relate tordquo

That said participantsrsquo ability to accurately judge the trust-worthiness of advice sources may vary As an example of goodadvice P9 learned to use incognito browsing from a friendldquoincognito came out in college and a friend came over andneeded to use gmail and just said look at this and loggedhimself into gmail and didnrsquot need to log me out and it wasusefulrdquo Similarly P15 learned about security alarm systemsldquoyears ago from a friend of mine who had a security alarmbusinessrdquo However P17 mentioned being told less credibleinformation such as the following ldquoA lot of my friends donrsquothave iPhones because this is the term they use lsquoiPhones arehotrsquo Like they attract all the attention to your phone likeanything yoursquore doing illegal it can get caught on your phonelsquocause itrsquos like a hot box iPhone It can be tracked in anytype of way stuff like that I didnrsquot even know that I was likewhoaaaaa it can be tracked If I had known that I wouldnrsquothave gotten an iPhone yeahrdquo

Physical-security advice As participants are more confi-dent in their ability to evaluate the plausibility of physical-security advice content for physical security the advicesource is of lesser importance Only three participants cite thetrustworthiness of a physical-advice source as an importantmetric and those participants also cited this metric for digitalsecurity Instead participants rely on their own assessments ofphysical-security advice to determine whether to implementnew behaviors (N=7) On the subject of plausibility P22 saysabout physical-security advice ldquoif it doesnrsquot pass the smelltest in other words if it just doesnrsquot seem plausible then Idismiss it If itrsquos something that I recognize as making senserdquothen he will consider implementing it

Digital vs Physical Advice Usefulness and TrustFigure 3 shows participantsrsquo assessments of the trustworthi-

ness and usefulness of digital- and physical-security adviceHalf of our participants (N=13) felt that physical-security

advice was more trustworthy overall than digital-security ad-vice Only two participants felt that digital-security advice wasmore trustworthy than physical-security advice The remaining10 participants felt that digital- and physical-security advicewas equally trustworthy We suspect that this was largely be-cause as mentioned above participants find physical-securityadvice easier to mentally evaluate (N=7) P9 comments that

he would probably trust physical-security advice more thandigital-security advice because ldquothere are a lot fewer variablesI trust it more because itrsquos easier to evaluate if itrsquos legitimaterdquoSimilarly P23 says that she trusts physical-security advicemore because it is ldquomore hands on and visual itrsquos in yourface a little bit morerdquo

Relatedly five participants trust physical-security advicemore because they feel it is simpler and easier to implementthan digital-security advice ldquoPhysical-security advice is moretrustworthy because itrsquos more common sense and they donrsquottypically require you to download and install something thatwould be trouble in itselfrdquo comments P20

Participants are more split on which advice digital or phys-ical is more useful Nine participants feel that physical adviceis more useful primarily for the same reasons they foundphysical advice more trustworthy ldquoI can see the relevancein the personal security whereas the computer security againI am trusting that because I have a little icon on the right thatit is doing its job Do I know what it itrsquos doing Nordquo says P7Similarly P3 comments that he finds physical-security advicemore useful because ldquoAgain itrsquos my understanding It justcomes so much more naturallyrdquo

On the other hand the 10 participants who feel that digitaladvice is more useful noted that there are more techniquesavailable for digital than physical security and that they feela higher risk of digital threats To the first point P15 saysldquodigital-security advice is more usefulmdashbecause with digitalI can probably do more research and therersquos more to dothere than the physical Physical you can only do so muchI donrsquot care what I have on me someone can overpower merdquoWith regard to feeling that there is more digital than physicalsecurity risk P11 comments ldquo[I] find digital security moreuseful and more trustworthy because there is so much moreresearch on it and itrsquos so much more pervasiverdquo

D Why Advice is Rejected

While trustworthiness and plausibility are the two mainreasons our participants choose to accept advice there are amultitude of reasons for which they reject it Inconvenience isoften cited as a possible explanation for users rejecting digital-security advice [6] [7] [58] but it was not the most prevalentreason we discovered Our participants related frustrationswith advice content such as the content being too marketing-oriented or less surprisingly too advanced They also rejecteddigital-security advice when they believed that they were notat risk or felt that implementing security measures was nottheir job Figure 4 summarizes the prevalence of these reasonsfor rejecting digital- and physical-security advice Below weprovide further detail on these reasons and compare andcontrast participantsrsquo motivations for rejecting advice in eachdomain

Too Much Marketing Eight participants rejected digital-and physical-security advice because it appears to be moreabout selling a product than about providing advice ldquoI donrsquotdo anything with a price tag attached I could be persuaded todo it if I had a serious problem I did have my identity stolen

Reasons for Rejecting Advice

Lack of Risk

Too Much Marketing

Oversaturation

Too Advanced

Inconvenience 5

7

6

4

4

1

3

4

8

Physical Digital

1

Fig 4 Distribution of reasons participants rejected digital- and physical-security advice

one time but I was able to fix it but Irsquom not one of these peoplewho signs up for [identity theft protection] or something likethatrdquo says P22 Similarly P16 wishes that physical-securityadvice could be more substantive and distributed primarilythrough mechanisms other than advertisements

Irsquom Not At Risk Eight participants rejected physical-security advice as unnecessary due to their low risk profileFor example P24 says ldquo[Irsquove] heard about 24-7 monitoringand crap like that I think itrsquos overkill If everyone [in myneighborhood] was driving fancy cars mayberdquo

Four participants rejected digital-security advice for thesame reason P5 says he does not put a password on hisphone because ldquoI just donrsquot feel I have that much interestingstuff on thererdquo P10 comments that she does not use or lookfor security tactics for her tablet because ldquotherersquos nothingpersonal on the tabletrdquo Similarly P3 does not take securityadvice for browsing because he is ldquonot so concerned aboutbrowsing as opposed to personal financial informationrdquo Theparticipants who cited these feelings for digital security wereof varied incomes and the overall incidence of feelings ofldquounimportancerdquo around digital security was quite low Thisis in contrast to prior work which had proposed that manyusers particularly those with lower incomes might not executesecurity behaviors due to low valuation of their data [5] Onepossible cause for this change is that as technology becomesmore ubiquitous users are becoming more aware of the valueof their data Overall feelings that risk was low and thereforeimplementing a new behavior was unnecessary were morecommon for physical than digital security

Itrsquos Not My Job Eighteen participants rely on the com-panies whose software hardware or services they use tokeep them safe These participants do not seem to be makingexplicit cost-benefit calculations about particular personal be-haviors being redundant to the services provided by these com-panies rather they simply assume that they are not responsiblefor the security of a given system because a corporation theytrust is taking care of it This motivation for rejecting securityadvice was unique to the digital-security domain For example

P8 comments ldquoI had been banking with a bank that I wasnrsquothappy with Then I went to Bank of America which was thisbig bank Irsquom like lsquoOh theyrsquore awesome so I donrsquot have toworry about anything I will be safersquordquo

In addition to trusting corporations to take care of securityfor them participants also rely on browser and device prompts(N=20) software defaults (N=20) and security requirementsimposed by their services (eg your password must be 16characters long) (N=14) to keep them safe For example manyparticipants use a password or passcode to lock their phonebecause the phone prompted them to do so at set-up P2 saysldquoWhen you boot up these phones now they just give youthe optionrdquo Relatedly P4 says she only has passwords orpasscodes on her Mac products because ldquothe Mac productsprompt you to set up the security thingsI never thought aboutit [for the Kindle] I guess it wasnrsquot promptedI would haveto look up how to do it on the Kindlerdquo In addition to promptsparticipants rely on software defaults such as those in anti-virus software to provide security tactics P17 comments thatshe has a script and popup blocker because it ldquowas throughMcAfee and it was automatic Irsquom not really technicalsavvy where I can block stuff andgo into my settings andknow what Irsquom messing withrdquo

Other reasons for rejecting advice Nine participantsstated that they felt oversaturated and lacked the time toimplement the advice they saw even if they thought it wasgood advice P7 says ldquoPart of it is just saturation You get somuch information from so many sources I donrsquot even knowsometimes whatrsquos worth looking atrdquo Additionally P6 notesthat in general he often does not take security advice becausehe has ldquokind of reached a level of donrsquot care Itrsquos so obvious tome that I donrsquot know what I donrsquot know that itrsquos frustrating totry to tease apart what would be helpful and what wouldnrsquotrdquo

The advice may also be too advanced (N=7) too incon-venient (N=6) or participants may feel that no matter whatthey will be hacked (N=11) Even participants who are highlyeducated may reject digital-security advice for being tooadvanced (N=4) P9 holds a computer engineering degree andsays he knows that HTTPS and SSL exist but ldquoI donrsquot evenknow what the acronyms mean I know that some websitesare more secure and others arenrsquot and I donrsquot pay attentionto itrdquo P8 who holds a masterrsquos degree also struggles tounderstand too-complex advice she sometimes rejects adviceldquoDepending on the number of steps and the complexity of itbecause Irsquom not a IT person it can be complex what theyrsquoreasking me to dordquo

Finally a few participants described reasoning that wasless common but still interesting with possible implicationsfor design One participant (P3) noted that he rejects advicebecause he see it in the wrong venue ldquoI see the informationwhile on [public transit] to work and then by the end of theday looking at a computer is the last thing I want to dordquo Wehypothesize that this factor may be important for many userseven though no other participants explicitly mentioned it Afew other participants reported rejecting what they perceived

as good advice for others because they were already confidentin their own behaviors (N=3) P25 notes that having otherstell him how to be digitally secure is pointless because ldquoI dowhat I do based on my own personal feelings and intellectso I donrsquot find it useful but for someone who didnrsquot knowit would be useful Never found any of the advice useful Ijust have my own way of protecting what I do so itrsquos likeif someonersquos telling you how to make a PBampJ sandwich andIrsquom like I know how to do it But if theyrsquore saying somethingdrasticmdashdonrsquot do this this and thismdashthen Irsquoll look at it butusually nordquo

E Security-Sensitive vs General ParticipantsIn addition to differences between participantsrsquo behavior

in the physical- and digital-security domains we also notedpossible differences between participants in our sample whoare and are not security-sensitive We recruited security-sensitive participants to investigate how extra training inhandling confidential or sensitive data at work would affecthow participants process security advice in their personallives Below we discuss some observed trends that appear todifferentiate security-sensitive from general participants givenour qualitative data and limited sample size these findingsmainly serve to suggest directions for further exploration Theprevalence of these differences in our sample is summarizedin Figure 5

Two-Factor Authentication Seven of 15 security-sensitiveparticipants in our study had adopted two-factor authentication(2FA) compared to eight of 10 general participants Fourof these security-sensitive participants cite privacy concernsas a reason for not using 2FA Thus we hypothesize thatsecurity-sensitive users may be less trusting that the servicerequesting 2FA can protect their personal information Par-ticipantsrsquo motivations for accepting and rejecting two-factorauthentication are discussed in more detail in Section IV-FThis potential difference between the privacy concerns ofsecurity-sensitive and general users should be confirmed withadditional quantitative investigation as discussed in Section V

Advice Evaluation Nine of 15 security-sensitive partici-pants cited the trustworthiness of the advice source as theirkey metric for choosing to take digital-security advice com-pared to only two of 10 general participants We suspectthat security-sensitive users may be more discerning aboutadvice because they have been trained to look critically at thedigital information they come across A primary componentof workplace digital-security training is reminders not to trustunknown individuals [59] [60]

Workplace Digital-Security Advice Thirteen out of 15security-sensitive participants took advice from their work-place contrasted with four of 10 regular participants This isperhaps unsurprising given the workplace emphasis on digital-security and regular trainings that occur for security-sensitiveusers

Beliefs About the Utility Digital Security Advice Eightof 15 security-sensitive participants in our sample believed

Which is more useful

General Participants

Sec Sens Participants 9

2

7

8

Physical Digital

Why do you take advice



2

6

8

Simple Salient Other Trust Source

Do you use 2FA



2

7

8

No Yes

Workplace is a source of security information



4

2

6

No Yes

Feelings of Inevitability



6

12

4

No Yes

1Fig 5 Security-sensitive participants in our sample tend to differ fromgeneral participants in their valuation of digital-security advice their reasonsfor taking advice their use of two-factor authentication and some of theiradvice sources

that digital-security advice was more useful than physicalsecurity advice compared to two of 10 general participantsWe speculate this may be related to these participants beingmore frequently reminded to pay attention to digital securityand data sensitivity

Feelings of Inevitability General participants in our sampleexpressed more feelings of inevitability (rsquono matter whatI will be hackedrsquo) than did security-sensitive participantsSix out of 10 general participants expressed these feelingscontrasted with three out of 15 security sensitive participantsWe hypothesize that less formal training may contribute togeneral users having more feelings of powerlessness

F Case Study Two-factor Authentication

As mentioned in Section II-B Ion et al report that useof two-factor authentication (2FA) is one of the top threesecurity behaviors recommended by or used by security ex-perts However only 40 of the non-expert participants in

that study reported using 2FA Our results shed some lighton the reasoning behind usersrsquo acceptance or rejection of thisbehavior

How and Why I Use Two-Factor Authentication Of theparticipants we interviewed more than half reported using2FA (N=14) In our interview questions about 2FA we startedby defining 2FA as ldquoa service where you might put in yourphone number and then be sent a verification coderdquo Given thisdefinition all participants recognized 2FA and were able tosubstantively answer our interview questions on this topic Ofour 14 participants who had used 2FA five used 2FA for somebut not all services for which it is offered These participantsuse 2FA for those services they feel are particularly importantP6 says ldquoIrsquove got 2FA on one thing and that is my insurancecompany I did that because [of a negative experience at myworkplace] I figured that [my insurance] was one of the mostimportant things becauseit covers every aspect in my life Ididnrsquot want anyone to mess with thatrdquo

Alternately participants may only use 2FA on services thatstrongly encourage or force them to do so ldquoI do that withXbox Live they force me to do that I think Google theywant me to do that but I always say laterrdquo comments P12 1

Similarly P14 says ldquoYes at one time Verizon because I havea Verizon email account it asked me to do [2FA] it takes awhile but Irsquove done itit forced me to do itrdquo Of the remainingnine participants who used 2FA two did not understand whatthey were doing P16 comments ldquoYou mean when it asks touse by text or phone call I do that even though I hate doingit because Irsquom trying to figure out what is the purpose but itsays the purpose is your safety and securityrdquo

Why I Donrsquot Use Two-Factor Authentication Elevenparticipants knew about but chose not to use 2FA Five of theseparticipants declined 2FA due to privacy concerns specificallythey worried about giving out their personal phone numberabout GPS tracking based on that phone number and aboutthe service providing 2FArsquos ability to keep their information se-cure For example P13 says ldquoNo [I want] nothing connectedto the phone So the phone is directly connected to the emailI donrsquot feel comfortable to let people in if itrsquos connected tothe email accountrdquo Similarly P3 says ldquoI think I do have that[2FA] capacity I think Irsquove always declined Gmail enablingthat accessBased on what I know about Gmail it just seemedlike giving up too much information to Googlerdquo With regardto protecting the information used for verification P23 saysldquoGoogle has prompted but Irsquove always ignored it because Ithink that someone will get ahold of it Irsquom not saying theywould but Irsquom just always like you know yeahrdquo

In addition to privacy concerns two participants declined touse 2FA due to convenience concerns ldquoTwo years ago at thebeginning of the summer Google introduced 2FA and thiswas an issue because I tried to log in and I didnrsquot get cellservice and I couldnrsquot get the text message to log in and thatwas the last time I tried to change anythingrdquo says P9 And

1Note that XBox Live does not require two-factor authentication but thisparticipant may have misinterpreted the prompt screen as a requirement

two participants declined the service due to not understandingthe purpose of the tool

V DESIGN GUIDELINES

In the following section we make a number of designsuggestions and recommendations for future work While ourdata suggests support for these design suggestions our resultsare qualitative and so have limited generalizability thus futureresearch is recommended to confirm the efficacy and necessityof these designs

Develop Vignettes to Simulate Negative SecurityExperiences As shown both in our results and inRader et alrsquos work negative events experienced by usersor their friends can be key motivators for security behaviorchange [3] However we would prefer that users do notundergo these negative experiences Moreover even if thecost of a negative security event was worth the skills theuser learned there are few ways to artificially create thesenegative security experiences without stressing or harmingusers

Our findings highlight a potential solution to this prob-lemmdashmini-clips training videos or other media designed toartificially create a salient negative-security experience Wefound evidence in our sample that mimicking negative eventsvia a well-crafted fictional narrative with relatable characterscan be very effective We believe that this idea has merit asstories can be ldquoa very powerful way to represent and conveycomplex multi-dimensional ideasrdquo and the efficacy of usingfictional vignettes to improve behavior has been proven inthe organizational development and health-behavior changefields [61] [62]

Our findings suggest three elements that may be importantto the efficacy of such vignettes creating relatable charactersdemonstrating clear causes for negative security events andensuring that characters who fix security problems appeartrustworthy Findings from prior work in the entertainment-education field primarily around health behavior change canhelp inform the creation of relatable characters [63] [64]However further research which will likely draw upon workin the communications psychology and education fields isrequired to determine how to create relatable characters andtrustworthy advisors Many of our participants consideredIT professionals and ldquotech-savvyrdquo individuals amongst theirfriends and family to be trustworthy advice sources Prior workon technology help seeking suggests a number of attributescommon to those who are asked or observed for technologyadvice [65] [66] However a deeper investigation is needed todetermine what will lead users to trust a character portrayed ina vignette as an authoritative source of digital-security advice

Further evaluation of what makes a piece of media trust-worthy will be required in order to a) pursue this designand b) generally indicate trustworthiness for other securityadvice distributed via the media This evaluation may includedrawing upon measures of credibility developed in the masscommunications and marketing fields [67] [68]

Avoid the Perception of Marketing We found that usersreject security advice that contains marketing material there-fore advice that suggests or encourages purchasing a particularproduct or service (especially if associated with the advicesource) reduces credibility and should therefore be avoidedFurther designing digital-security advice that clearly statesthe authorrsquos qualificationsmdashfor example ldquoJohn Smith SeniorSecurity Engineer at Googlerdquo may increase advice credibilityand authenticity

Reassure Users About Privacy Both 2FA and passwordmanagers appear in the top six expert-recommended digi-tal security behaviors [8] our results suggest that privacyconcerns and misunderstandings are at least partially drivinglow adoption of each technique For example with regard topassword managers P7 notes that she does not like ldquothe notionof a machine memorizing my password I donrsquot know whereitrsquos going I donrsquot know who has it and I donrsquot know what ishappening with itrdquo For 2FA we hypothesize that users may beprioritizing the immediate risk of sharing private information(eg phone number) over the long-term risk of compromisinga service (eg email) This is an example of present biasour tendency to prioritize immediate rewards or concerns overlong-term gains [69]

Thus our third recommendation is to clearly explain tousers (and not just in a privacy policy that no users willread) how their personal data such as a phone number for2FA or passwords for a password manager will be protectedMitigating these privacy concerns could provide high-impactbenefits for users

Explore the Effect of Security Sensitivity Our resultssuggest possible differences between security-sensitive andgeneral users such as higher importance placed on digitalsecurity fewer feelings of inevitability and higher relianceon the workplace as a source of digital-security advice Givenour small sample size we were not able to report the generalprevalence of these differences and whether these differencesresult in meaningfully better security behavior The behavioralimpact of workplace security training and sensitive data expo-sure is an important avenue for future exploration

Distribute Advice Via Pre-existing Channels Many ofour participants trust hardware and software companies to keepthem secure without additional intervention other participantsvalued direct advice from those companies Thus corporationssuch as Google Apple Facebook and Comcast are wellpositioned to make a large impact on usersrsquo digital security asalready-trusted sources of perceived credible advice Howeverour results suggest that it may be crucial for these corporationsto make it clear that they are the source of the advice andto avoid the perception of marketing so that users can easilyrecognize the credibility of their information

We also found that participants rely on IT professionalsparticularly those from their workplaces as a source ofcredible digital-security advice even for personal technologyGiven that many IT professionals are already overloaded withrequests we suggest organizations plan to provide them with

extra support and training for this potentially critical but under-acknowledged role Training IT professionals to distribute asmall set of valuable advice as an explicit part of their jobduties could have a strong positive impact on usersrsquo securitybehavior Investigating the feasibility and efficacy of thisapproach is a rich topic for future work

VI SUMMARY

Users must sift through a multitude of security advice todetermine which security behaviors to implement and whichto reject This process of evaluating security tactics based onthe advice of others is multi-faceted and complex In an effortto understand usersrsquo choices we conducted a semi-structuredinterview study of 25 participants with varied demographicsand security sensitivities We asked questions about usersrsquosecurity behaviors how they learned these behaviors and whythey accepted or rejected different behaviors and pieces ofadvice Our analysis of these interviews resulted in three keyfindings

First our findings indicate that users believe they lack theskills to evaluate the content of digital-security advice andmust instead rely on their evaluation of the trustworthinessof the advice source when determining whether to accept theadvice Sources they trust include their workplace providersof their digital services IT professionals family members andfriends Our participants also relied upon media as a sourceof advice but only if it passed an heuristic credibility test

Second we found that users reject security advice for anumber of somewhat surprising reasons including containingtoo much marketing information and threatening usersrsquo senseof privacy Further a majority of participants believed thatsomeone or something else was responsible for their securityin at least one digital domain (eg online banking)

Third we found evidence that vignettes of negative ex-periences in TV shows or movies may be able to changebehavior in a similar manager to negative experiences that aredirectly experienced Thus through further research testingthe efficacy of fictional negative-event vignettes in security-behavior change we may be able to develop a novel highly-effective intervention

ACKNOWLEDGMENTS

Our thanks to Lujo Bauer Yla Tausczik Bethany Tiernanand Bruce Webster Jr for their input and assistance Thismaterial is based upon work supported by the MarylandProcurement Office under contract no H98230-14-C-0137

REFERENCES

[1] ldquoUs-certtipsrdquo [Online] Available httpswwwus-certgovncastips[2] S Das T H Kim L Dabbish and J Hong ldquoThe effect of social

influence on security sensitivityrdquo in Tenth Symposium on Usable Privacyand Security USENIX Association 2014 [Online] Available httpswwwusenixorgconferencesoups2014proceedingspresentationdas

[3] E Rader R Wash and B Brooks ldquoStories as informal lessons aboutsecurityrdquo in Eighth Symposium on Usable Privacy and Security ACM2012 [Online] Available httpdoiacmorg10114523353562335364

[4] L Rainie S Kiesler R Kang and M Madden ldquoAnonymityprivacy and security onlinerdquo Pew Research Center 2013 [Online]Available httpwwwpewinternetorg20130905anonymity-privacy-and-security-online

[5] A E Howe I Ray M Roberts M Urbanska and Z ByrneldquoThe psychology of security for the home computer userrdquo inIEEE Symposium on Security and Privacy IEEE ComputerSociety 2012 [Online] Available httpdblpuni-trierdedbconfspsp2012htmlHoweRRUB12

[6] C Herley ldquoSo long and no thanks for the externalities The rationalrejection of security advice by usersrdquo in New Security ParadigmsWorkshop ACM 2009 [Online] Available httpdoiacmorg10114517190301719050

[7] A Beautement M A Sasse and M Wonham ldquoThe compliancebudget managing security behaviour in organisationsrdquo in 2008workshop on New security paradigms ACM 2009 [Online] Avail-able httpportalacmorgcitationcfmid=15956761595684ampcoll=DLampdl=ACMampCFID=595658384ampCFTOKEN=19488999

[8] I Ion R Reeder and S Consolvo ldquoldquono one canhack my mindrdquo Comparing expert and non-expert securitypracticesrdquo in Eleventh Symposium On Usable Privacy andSecurity USENIX Association 2015 [Online] Available httpswwwusenixorgconferencesoups2015proceedingspresentationion

[9] S Das A D Kramer L A Dabbish and J I HongldquoIncreasing security sensitivity with social proof A large-scaleexperimental confirmationrdquo in SIGSAC Conference on Computerand Communications Security ACM 2014 [Online] Availablehttpdoiacmorg10114526602672660271

[10] R Wash ldquoFolk models of home computer securityrdquo in Sixth Symposiumon Usable Privacy and Security ACM 2010 [Online] Availablehttpcupscscmuedusoups2010proceedingsa11 Walshpdf

[11] E Rader and R Wash ldquoIdentifying patterns in informal sourcesof security informationrdquo Journal of Cybersecurity 2015 [Online]Available httpcybersecurityoxfordjournalsorgcontentearly20151201cybsectyv008

[12] C Herley ldquoMore is not the answerrdquo IEEE Security and Privacymagazine 2014 [Online] Available httpresearchmicrosoftcomappspubsdefaultaspxid=208503

[13] R Wash and E Rader ldquoToo much knowledge securitybeliefs and protective behaviors among united states internetusersrdquo in Eleventh Symposium On Usable Privacy andSecurity USENIX Association 2015 [Online] Available httpswwwusenixorgconferencesoups2015proceedingspresentationwash

[14] T Halevi J Lewis and N Memon ldquoA pilot study of cybersecurity and privacy related behavior and personality traitsrdquo in 22ndInternational Conference on World Wide Web International WorldWide Web Conferences Steering Committee 2013 [Online] Availablehttpdlacmorgcitationcfmid=24877882488034

[15] S Sheng M Holbrook P Kumaraguru L F Cranor and J DownsldquoWho falls for phish A demographic analysis of phishing susceptibilityand effectiveness of interventionsrdquo in SIGCHI Conference on HumanFactors in Computing Systems ACM 2010 [Online] Availablehttpdoiacmorg10114517533261753383

[16] ldquoMicrosoft safety and security centerrdquo [Online] Available httpwwwmicrosoftcomsecuritydefaultaspx

[17] ldquoMcafee security advice centerrdquo [Online] Available httphomemcafeecomadvicecenter

[18] E M Rogers Diffusion of innovations New York Free Press 2003[19] R E Rice and K E Pearce ldquoDivide and diffuse Comparing digital

divide and diffusion of innovations perspectives on mobile phoneadoptionrdquo 2015

[20] P J A van Dijk ldquoThe evolution of the digital divide - thedigital divide turns to inequality of skills and usagerdquo in DigitalEnlightenment Yearbook 2012 J Bus M Crompton M Hildebrandtand G Metakides Eds Amsterdam IOS Press 2012 [Online]Available httpdocutwentenl83918

[21] S Sheng B Magnien P Kumaraguru A Acquisti L F CranorJ Hong and E Nunge ldquoAnti-phishing phil The design and evaluationof a game that teaches people not to fall for phishrdquo in Third Symposiumon Usable Privacy and Security ACM 2007 [Online] Availablehttpdoiacmorg10114512806801280692

[22] N A G Arachchilage and S Love ldquoA game design frameworkfor avoiding phishing attacksrdquo Comput Hum Behav 2013 [Online]Available httpdxdoiorg101016jchb201212018

[23] V Garg L J Camp K Connelly and L Lorenzen-Huber ldquoRiskcommunication design Video vs textrdquo in Privacy EnhancingTechnologies 12th International Symposium PETS 2012 Vigo SpainJuly 11-13 2012 Springer Berlin Heidelberg 2012 [Online]Available httpdxdoiorg101007978-3-642-31680-7 15

[24] S A Robila and J W Ragucci ldquoDonrsquot be a phish Stepsin user educationrdquo in Proceedings of the 11th Annual SIGCSEConference on Innovation and Technology in Computer ScienceEducation New York NY USA ACM 2006 [Online] Availablehttpdoiacmorg10114511401241140187

[25] E Lin S Greenberg E Trotter D Ma and J Aycock ldquoDoes domainhighlighting help people identify phishing sitesrdquo in Proceedingsof the SIGCHI Conference on Human Factors in ComputingSystems New York NY USA ACM 2011 [Online] Availablehttpdoiacmorg10114519789421979244

[26] S Egelman L F Cranor and J Hong ldquoYoursquove been warned Anempirical study of the effectiveness of web browser phishing warningsrdquoin SIGCHI Conference on Human Factors in Computing Systems ACM2008 [Online] Available httpdoiacmorg10114513570541357219

[27] D Akhawe and A P Felt ldquoAlice in warningland A large-scale field study of browser security warning effectivenessrdquo in22nd USENIX Conference on Security Berkeley CA USAUSENIX Association 2013 [Online] Available httpdlacmorgcitationcfmid=25347662534789

[28] J Sunshine S Egelman H Almuhimedi N Atri andL F Cranor ldquoCrying wolf An empirical study of sslwarning effectivenessrdquo in 18th Conference on USENIX SecuritySymposium USENIX Association 2009 [Online] Availablehttpdlacmorgcitationcfmid=18557681855793

[29] M Wu R C Miller and S L Garfinkel ldquoDo security toolbarsactually prevent phishing attacksrdquo in SIGCHI Conference on HumanFactors in Computing Systems ACM 2006 [Online] Availablehttpdoiacmorg10114511247721124863

[30] S E Schechter R Dhamija A Ozment and I Fischer ldquoThe EmperorrsquosNew Security Indicatorsrdquo IEEE Symposium on Security and Privacy2007 [Online] Available httpdlacmorgcitationcfmid=1264196

[31] C Bravo-Lillo S Komanduri L F Cranor R W Reeder M SleeperJ Downs and S Schechter ldquoYour attention please Designingsecurity-decision uis to make genuine risks harder to ignorerdquo in NinthSymposium on Usable Privacy and Security ACM 2013 [Online]Available httpdoiacmorg10114525016042501610

[32] B Ur P G Kelley S Komanduri J Lee M Maass M LMazurek T Passaro R Shay T Vidas L Bauer N Christinand L F Cranor ldquoHow does your password measure up theeffect of strength meters on password creationrdquo in 21st USENIXconference on Security symposium USENIX Association 2012[Online] Available httpswwwusenixorgsystemfilesconferenceusenixsecurity12sec12-final209pdf

[33] M Ciampa ldquoA comparison of password feedback mechanisms and theirimpact on password entropyrdquo Information Management amp ComputerSecurity 2013 [Online] Available httpdxdoiorg101108IMCS-12-2012-0072

[34] M Fujita M Yamada S Arimura Y Ikeya and M Nishigaki ldquoAn at-tempt to memorize strong passwords while playing gamesrdquo in Network-Based Information Systems (NBiS) 2015 18th International Conferenceon September 2015

[35] S Schechter and J Bonneau ldquoLearning assigned secrets forunlocking mobile devicesrdquo in Eleventh Symposium On UsablePrivacy and Security (SOUPS 2015) USENIX AssociationJuly 2015 [Online] Available httpswwwusenixorgconferencesoups2015proceedingspresentationschechter

[36] A P Felt E Ha S Egelman A Haney E Chin and D WagnerldquoAndroid permissions user attention comprehension and behaviorrdquoin Eighth Symposium on Usable Privacy and Security ACM 2012[Online] Available httpcupscscmuedusoups2012proceedingsa3Feltpdf

[37] P G Kelley L F Cranor and N Sadeh ldquoPrivacy as part ofthe app decision-making processrdquo in SIGCHI Conference on HumanFactors in Computing Systems ACM 2013 [Online] Availablehttppatrickgagekelleycompapersandroid-decisionpdf

[38] C S Gates J Chen N Li and R W Proctor ldquoEffective riskcommunication for android appsrdquo IEEE Transactions on Dependableand Secure Computing May 2014

[39] E K Choe J Jung B Lee and K Fisher ldquoNudging peopleaway from privacy-invasive mobile apps through visual framingrdquo inHuman-Computer Interaction INTERACT 2013 Part III P KotzeG Marsden G Lindgaard J Wesson and M Winckler Eds 2013[Online] Available httpdxdoiorg101007978-3-642-40477-1 5

[40] K Charmaz Constructing grounded theory a practical guide throughqualitative analysis London Thousand Oaks Calif Sage Publications2006 [Online] Available httpwwwamazoncomConstructing-Grounded-Theory-Qualitative-Introducingdp0761973532

[41] G Guest A Bunce and L Johnson ldquoHow many interviews areenough An experiment with data saturation and variabilityrdquo FieldMethods 2006

[42] M C Harrell and M A Bradley ldquoData collection methods Semi-structured interviews and focus groupsrdquo DTIC Document Tech Rep2009 [Online] Available httpwwwrandorgcontentdamrandpubstechnical reports2009RAND TR718pdf

[43] A Strauss and J Corbin Basics of qualitative research Procedures andtechniques for developing grounded theory 1998

[44] D G Freelon ldquoRecal Intercoder reliability calculation as a webservicerdquo International Journal of Internet Science 2010

[45] M Lombard J Snyder-Duch and C C Bracken ldquoContent Analysis inMass Communication Assessment and Reporting of IntercoderReliabilityrdquo Human Communication Research 2002 [Online]Available httpdxdoiorg101111j1468-29582002tb00826x

[46] A L Holbrook M C Green and J A Krosnick ldquoTelephone versusFace-to-Face Interviewing of National Probability Samples with LongQuestionnaires Comparisons of Respondent Satisficing and SocialDesirability Response Biasrdquo Public Opinion Quarterly 2003 [Online]Available httppoqoxfordjournalsorgcgicitmgrgca=pubopq67179

[47] R Tourangeau and T Yan ldquoSensitive Questions in Surveysrdquo Psycho-logical Bulletin 2007

[48] ldquoState and county quickfactsrdquo 2015 [Online] Available httpquickfactscensusgovqfdstates00000html

[49] ldquoAmerican community survey 1-year 2013 censusrdquo 2013 [Online]Available httpswwwcensusgovacswwwdatadata-tables-and-toolsindexphp

[50] ldquoHousehold income in the past 12 months 2009-2013 american com-munity survey 5-year estimatesrdquo 2013

[51] ldquoCnetrdquo [Online] Available httpwwwcnetcom[52] ldquoWiredrdquo [Online] Available httpwwwwiredcom[53] ldquoSchneier on securityrdquo [Online] Available httpswwwschneiercom[54] ldquoMashablerdquo [Online] Available httpmashablecom[55] A Fisher and J Margolis ldquoUnlocking the clubhouse The carnegie

mellon experiencerdquo SIGCSE Bull June 2002 [Online] Availablehttpdoiacmorg101145543812543836

[56] L O Campbell M Kepple and C Herlihy ldquoWomen in technologyanunderrepresented populationrdquo in Global Learn 2015 AACE 2015[Online] Available httpwwweditliborgp150902

[57] D C May N E Rader and S Goodrum ldquoA gendered assessment ofthe rsquothreat of victimizationrsquo Examining gender differences in fear ofcrime perceived risk avoidance and defensive behaviorsrdquo CriminalJustice Review 2010 [Online] Available httpcjrsagepubcomcontent352159abstract

[58] J B Hardee R West and C B Mayhorn ldquoTo download or notto download An examination of computer security decision makingrdquointeractions May 2006 [Online] Available httpdoiacmorg10114511258641125887

[59] ldquoThe department of health and human services information systemssecurity awareness trainingrdquo [Online] Available httpwwwhhsgovociosecurityprivacyawarenesstrainingissapdf

[60] ldquoFederal communications commission cyber security planning guiderdquo[Online] Available httpstransitionfccgovcybercyberplannerpdf

[61] D Sole and D G Wilson ldquoStorytelling in Organizations The powerand traps of using stories to share knowledge in organizationsrdquo Trainingand Development 1999

[62] L J Hinyard and M W Kreuter ldquoUsing narrative communication as atool for health behavior change a conceptual theoretical and empiricaloverviewrdquo Health Educ Behav October 2007

[63] S T Murphy L B Frank J S Chatterjee and L Baezconde-GarbanatildquoNarrative versus nonnarrative The role of identification transportationand emotion in reducing health disparitiesrdquo Journal of Communication2013 [Online] Available httpdxdoiorg101111jcom12007

[64] J M Q Johnson K Harrison and B L Quick ldquoUnderstanding theeffectiveness of the entertainment-education strategy An investigation

of how audience involvement message processing and messagedesign influence health information recallrdquo Journal of HealthCommunication 2013 [Online] Available httpdxdoiorg101080108107302012688244

[65] E S Poole M Chetty T Morgan R E Grinter and W KEdwards ldquoComputer help at home Methods and motivationsfor informal technical supportrdquo in Proceedings of the SIGCHIConference on Human Factors in Computing Systems ser CHIrsquo09 New York NY USA ACM 2009 [Online] Availablehttpdoiacmorg10114515187011518816

[66] M B Twidale ldquoOver the shoulder learning Supporting brief informallearningrdquo Comput Supported Coop Work December 2005 [Online]Available httpdxdoiorg101007s10606-005-9007-7

[67] X Hu ldquoAssessing source credibility on social mediamdash an electronicword-of-mouth communication perspectiverdquo PhD dissertation BowlingGreen State University 2015

[68] M Kang ldquoMeasuring social media credibility A study on a measureof blog credibilityrdquo Institute for Public Relations 2009

[69] D Laibson ldquoGolden eggs and hyperbolic discountingrdquo Quarterly Jour-nal of Economics 1997

VII APPENDIX

A Questions

Employmentbull Could you tell me a little bit about what you dobull Do you handle sensitive or private data as part of your

jobndash Could you tell me a little bit more about that data

Digital SecurityDevice Protection

bull How many devices do you use to access the internet forpersonal use

ndash Do you have a smartphone Tablet Multiple com-puters

ndash What type or brand of smartphone or computer (egWindowsMacLinux) do you use

bull Can you show me how you access your devicesndash When was the last time you changed this password

bull Are there any other tactics you use to protect yourdevices

bull Do you use antivirus softwarendash How often do you run the softwarendash Did you install it or did it come with your computerndash Why do you use it

bull Why do you use these strategies for protecting your[phonecomputerdevices] For each strategy ask

ndash When did you start using this strategyndash How do you feel that this strategy works to protect

youndash Why did you choose to use this strategy over using

a different onendash What are you most worried aboutndash Have you ever had a negative experiencendash Do you know anyone who has had a negative expe-

riencendash Are there ever times when you do not choose to use

this strategyndash Where or from whom did you learn this strategy

bull Are there strategies you have considered or heard aboutbut do not use

bull Is there a password on your wireless internet at homendash Did you set up this passwordndash When was the last time you changed this passwordndash Were you prompted to do so

bull Is there a password on your routerbull Are there any other tactics you use to protect your

wireless internetbull Why do you use these strategies for protecting your

wireless internet For each strategy askndash When did you start using this strategyndash How do you feel that this strategy works to protect






bull How secure do you feel your devices and your wirelessinternet are

Internet ActivitiesBrowsing and Emailing

bull Do you browse the internetbull Do you access your email via a web browser (eg

SafariFirefoxChromeInternet Explorer)bull Do you shop online or bank onlinebull Do you do all of these activities on all of your devicesbull Scenario Letrsquos imagine that you have a family mem-

ber (parentspousesiblingchild) with whom you share acomputer You are searching for a surprise birthday giftlets say a necklace for this person and you are usingthe internet to research potential gifts Can you show mewhat you would do to start this project

bull In general how do you stay secure when browsing theinternet or checking your email

ndash When was the last time you changed your emailpasswordlowast Were you prompted to do so

ndash Do you use two-factor authenticationlowast Two-factor authentication is a service where you

might put in your phone number and then be senta verification code

ndash Do you use the privacy settings when browsingndash Do you ever use incognito browsing or private

browsingndash Do you use a script popup or cookie blockerndash How do you treat emails from unknown individuals

ndash Are there any particular precautions you take whendownloading from the internet

bull Are there any other tactics you use when browsing theinternetaccessing your email via the internet

bull Why do you use these strategies for staying secure whilebrowsing the internet or accessing your email For eachstrategy ask







bull How secure do you feel you are when browsing theinternet and accessing your email

Online ShoppingBankingbull Narration Can you please walk me through what you

would do to login to your banking website Now pleasepretend you are exiting the website as if you had justcompleted your banking business

bull How often do you change your password for onlinebanking or shopping accounts

bull Are there any other tactics you use when shopping onlineor doing online banking

ndash Do you always use the same credit cardndash Do you use paypalndash Do you use a single use credit card number

bull Why do you use these strategies for staying secure whileonline shopping or online banking For each strategyask







bull How secure do you feel you are when online shoppingand online banking

General Advicebull Do you store your passwords anywhere

ndash Where do you store themndash In what format do you store themndash Is it password protected or lockedndash Why did you start doing thisndash When did you start doing this

bull Do you ever look for new information or talk to someoneabout tactics such as [what they mention above forsecurity]

ndash Where do you look for this information and withwhom do you talk

bull Do you often see news pieces ads or articles on TV inthe newspaper or online with tips or advice about howto protect yourself online

ndash How do you feel about the information providedndash Are there strategies you have learned from these

sourcesbull What other sources do you consult when seeking security

advicebull Do you see any security advice that you do not take

ndash Why do you not take itbull Do you feel that you have the ability to make yourself

more digitally securebull Whom or what would you say has most influenced your

overall approach to computer security and in what wayPhysical SecurityDwelling Security

bull Do you live in a house or an apartmentndash Do you own your dwellingndash Do you live alone with a partner family or with

roommatesbull Can you walk me through what you do as you leave your

dwellingndash Are there one or two locksndash Is it a hard lock or an electronic lockndash Is that something that came with the building or

something you installedlowast Why did you install the locks

bull Can you walk me through what you do when you prepareto go to bed in the evening and when you return fromyour day of work

bull Are there any other strategies which you have notmentioned that you use to secure your dwelling

ndash Light timersndash Security systemndash Security system or guard dog signs

bull Is there anything that led you to buy or rent in the locationyou did

bull Why do you use these strategies for securing yourdwelling For each strategy ask

ndash When did you start using this strategy

ndash How do you feel that this strategy works to protectyou

ndash Why did you choose to use this strategy over usinga different one

ndash What are you most worried aboutndash Have you ever had a negative experiencendash Do you know anyone who has had a negative expe-


this strategyndash Is this strategy something that is important to you

or something you feel is more important to othermembers of your household who share the dwelling

ndash Why would you say that it is more important to[youother]

ndash Where or from whom did you learn this strategybull Are there strategies you have considered or heard about

but do not usebull How secure do you feel that you are when you are at

homebull How secure do you feel that your belongings are when

you are not homeTransit SecurityCar (if applicable)

bull What is your primary method of transportationbull Do you own or lease your carbull Where is it typically parkedbull Can you walk me through what you do when you get out

of your car once it is parkedndash What do you do if you have to store items in the

carbull Are there any other strategies which you have not

mentioned that you use to protect your vehiclebull Why do you use these strategies for protecting your

vehicle For each strategy askndash When did you start using this strategyndash How do you feel that this strategy works to protect





or something you feel is more important to peoplewith whom you share the car (if applicable)



but do not usebull How secure do you feel that your car is when it is parked

bull How secure do you feel the belongings you have in yourcar are when the car is parked

Bicycle (if applicable)bull Do you own or rent or bikeshare your bicyclebull Where is it typically storedbull Can you walk me through what you do when you get off

your bicycle once it is parked somewherendash What type of lock do you usendash To what object do you lock the bikendash Where do you affix the lock

bull Are there any other strategies which you have notmentioned that you use to protect your bike

bull Why do you use these strategies for securing your bikeFor each strategy ask

ndash When did you start using this strategyndash What are you most worried aboutndash Have you ever had a negative experiencendash Do you know anyone who has had a negative expe-



or something you feel is more important to peoplewith whom you share the bikelowast Why would you say that it is more important to

[youother]ndash Where or from whom did you learn this strategy


bull How secure do you feel that your bike is when it isunattended

Personal Security (walking)bull Where do you tend to walk

ndash Do you walk more than 10 minutes a daybull Are there any particular approaches you take or items

you carry when walking alonebull Have you had any martial artsself defense training

ndash Why did you undergo this training Who adminis-tered the training

bull Why do you use these strategies For each strategy askndash When did you start using this strategyndash How do you feel that this strategy works to protect






bull How secure do you feel you are when walkingGeneral Advice

bull Do you ever look for new information or talk to some-one about tactics such as for protection your [dwellingvehiclebike self other members of your family]


bull Do you often see news pieces ads or articles on TV inthe newspaper or online with tipsadvice social mediaposts chain emails on how to protect your [dwellingvehiclebike self other members of your family]

ndash How do you feel about the information providedndash Are there strategies you have considered or heard

about but do not usebull What other sources do you consult when seeking physical

security advicebull Do you feel that you have the ability to make yourself

more physically securebull Whom or what would you say has most influenced your

overall approach to physical security and in what waybull Would you say that you see more advice about digital

security or about physical securitybull Which security advice digital or physical do you find

more trustworthybull Which more useful

bull Participants evaluate digital-security advice based pri-marily on the trustworthiness of the advice source Thiscontrasts sharply with physical security where the trust-worthiness of the source is less important because usersfeel comfortable independently evaluating the content andvalue of the advice

bull Prior work has identified negative personal experience asa learning tool [3] we find that TV shows and movies thatpresent negative-security events with relatable charactersand clearly defined causes can also be strong motivatorsfor adopting new security behaviors

bull Participants have many more reasons for rejecting bothdigital- and physical-security advice than for acceptingit For digital security in particular these reasons includenot just the obviousmdashthat advice is too complicated orthat the participant is oversaturatedmdashbut also more subtlerationales such as the presence of too much marketingand concerns about privacy

Based on these and other trends extracted from our interviewswe distill recommendations for designing and disseminatingmore effective security advice These recommendations in-clude highlighting information to mitigate user privacy con-cerns for services such as two-factor authentication increasingthe credibility of security advice by removing product-specificreferences to reduce usersrsquo impressions of the advice asmarketing material and replacing corporate security trainingvideos with more relatable fictional vignettes illustrating neg-ative events We believe these guidelines can help securityexperts to magnify the impact of truly important securityadvice

II RELATED WORK

In this section we discuss prior research in four relatedareas examining the factors that influence usersrsquo securitybehaviors determining which security behaviors or recom-mendations are valuable theoretical frameworks for analyzingtechnology adoption and developing or evaluating securityinterventions

A Factors Influencing Security Behaviors

Several researchers have examined how specific factorsinfluence security behaviors Das et al demonstrated theimportance of social influence for example showing usersinformation about their Facebook friendsrsquo security behaviorsmade them more likely to adopt the same behaviors [2] [9]Relatedly Rader et al found that security stories from non-expert peers affect how users think about computer securityand how they make security decisions like whether to click ona link [3] Wash identified ldquofolk modelsrdquo of security such asviewing hackers like digital graffiti artists that influence usersrsquoperceptions of what is and is not dangerous [10] Lastly Raderand Wash together examined how the topics and words usedin three types of security advice may affect userrsquos ability tomake good security decisions [11] Our work broadens thesefindings by explicitly considering a variety of ways social and

otherwise in which users may learn about different securitybehaviors

Security decisions are often framed as economic tradeoffsin which users ignore security best practices due to rationalcost-benefit optimization Herley for example suggests that ifusers were to spend one minute of each day checking URLsto avoid phishing the time cost would be much larger than thecost of the phishing itself [6] To investigate whether users arein fact making rational cost-benefit calculations we examineusersrsquo reported thought processes when accepting and rejectingsecurity advice Further researchers have considered a compli-ance budget the limited time and resources users can spend onsecurity behavior [7] [12] This highlights the importance ofunderstanding how users decide which advice they spend theircompliance budget on so that the most valuable advice canbe designed to rise to the top Although this prior work alsofocuses on why users implement or reject security behaviorsour work differs in a few key ways our study is about homesecurity behaviors whereas Beautement et al addressed onlythe organizational environment [7] relatedly our study drawsfrom a larger and more diverse participant pool and finallywe investigate not only why users reject security behaviorsbut also why they accept or reject advice from a multitude ofsources

Other researchers have considered how demographics affectsecurity and privacy decision-making Howe et al note thatsocioeconomic status and the corresponding belief that onersquosinformation may not be ldquoimportant enough to hackrdquo canaffect security behaviors [5] This paper also notes largedifferences in advice sources between undergraduate and adultpopulations Wash and Rader investigated security beliefsand behaviors among a large representative US sampleand found that more educated users tended to have moresophisticated beliefs but take fewer precautions [13] Othershave investigated how demographic and personality factorsinfluence susceptibility to phishing [14] [15] Rainie et alfound that younger people social media users and thosewho had a prior bad experience were more likely to try tohide their online behavior [4] Based on this prior work werecruited specifically for diversity of age income educationand race Further we recruited for and analyzed the impact ofan additional type of diversity security sensitivity meaningprofessional training to handle confidential or sensitive dataIn addition during our data analysis we coded for participantswho discussed whether their information was important toprotect and whether they had prior negative experiences

Although prior work touches on similar themes to ourknowledge we are the first to comprehensively examine usersrsquoprimary sources of digital security advice in general and whythey choose to accept or reject it Further our work directlycompares digital security to physical security By drawinglessons from each domain we develop design guidelines foreffectively transmitting security information







III METHODOLOGY




A Recruitment


B Procedure





C Analysis




E Limitations


IV RESULTS


A Participants














0 5 10 15 20 25 30

Media

Peers

Family


IT Professionals

Workplace

Service Provider

Chart Title


Media

Peers

Family


IT Professionals

Workplace

Service Provider

Chart Title


Service Provider

Media

Peers

Family


IT Professionals

Workplace

Advice Sources





Digital

Physical

0 5 10 15 20 25

Self PeersFamily TV


1


























0 10 20 30



1
















Lack of Risk

Too Much Marketing

Oversaturation

Too Advanced

Inconvenience 5

7

6

4

4

1

3

4

8

Physical Digital

1





















2

7

8

Physical Digital




2

6

8


Do you use 2FA



2

7

8

No Yes




4

2

6

No Yes




6

12

4

No Yes














V DESIGN GUIDELINES













VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions
















































































































































III METHODOLOGY




A Recruitment


B Procedure





C Analysis




E Limitations


IV RESULTS


A Participants














0 5 10 15 20 25 30

Media

Peers

Family


IT Professionals

Workplace

Service Provider

Chart Title


Media

Peers

Family


IT Professionals

Workplace

Service Provider

Chart Title


Service Provider

Media

Peers

Family


IT Professionals

Workplace

Advice Sources





Digital

Physical

0 5 10 15 20 25

Self PeersFamily TV


1


























0 10 20 30



1
















Lack of Risk

Too Much Marketing

Oversaturation

Too Advanced

Inconvenience 5

7

6

4

4

1

3

4

8

Physical Digital

1





















2

7

8

Physical Digital




2

6

8


Do you use 2FA



2

7

8

No Yes




4

2

6

No Yes




6

12

4

No Yes














V DESIGN GUIDELINES













VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions












































































































































C Analysis




E Limitations


IV RESULTS


A Participants














0 5 10 15 20 25 30

Media

Peers

Family


IT Professionals

Workplace

Service Provider

Chart Title


Media

Peers

Family


IT Professionals

Workplace

Service Provider

Chart Title


Service Provider

Media

Peers

Family


IT Professionals

Workplace

Advice Sources





Digital

Physical

0 5 10 15 20 25

Self PeersFamily TV


1


























0 10 20 30



1
















Lack of Risk

Too Much Marketing

Oversaturation

Too Advanced

Inconvenience 5

7

6

4

4

1

3

4

8

Physical Digital

1





















2

7

8

Physical Digital




2

6

8


Do you use 2FA



2

7

8

No Yes




4

2

6

No Yes




6

12

4

No Yes














V DESIGN GUIDELINES













VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions





















































































































































0 5 10 15 20 25 30

Media

Peers

Family


IT Professionals

Workplace

Service Provider

Chart Title


Media

Peers

Family


IT Professionals

Workplace

Service Provider

Chart Title


Service Provider

Media

Peers

Family


IT Professionals

Workplace

Advice Sources





Digital

Physical

0 5 10 15 20 25

Self PeersFamily TV


1


























0 10 20 30



1
















Lack of Risk

Too Much Marketing

Oversaturation

Too Advanced

Inconvenience 5

7

6

4

4

1

3

4

8

Physical Digital

1





















2

7

8

Physical Digital




2

6

8


Do you use 2FA



2

7

8

No Yes




4

2

6

No Yes




6

12

4

No Yes














V DESIGN GUIDELINES













VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions










































































































































Digital

Physical

0 5 10 15 20 25

Self PeersFamily TV


1


























0 10 20 30



1
















Lack of Risk

Too Much Marketing

Oversaturation

Too Advanced

Inconvenience 5

7

6

4

4

1

3

4

8

Physical Digital

1





















2

7

8

Physical Digital




2

6

8


Do you use 2FA



2

7

8

No Yes




4

2

6

No Yes




6

12

4

No Yes














V DESIGN GUIDELINES













VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions


























































































































































0 10 20 30



1
















Lack of Risk

Too Much Marketing

Oversaturation

Too Advanced

Inconvenience 5

7

6

4

4

1

3

4

8

Physical Digital

1





















2

7

8

Physical Digital




2

6

8


Do you use 2FA



2

7

8

No Yes




4

2

6

No Yes




6

12

4

No Yes














V DESIGN GUIDELINES













VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions











































































































































Lack of Risk

Too Much Marketing

Oversaturation

Too Advanced

Inconvenience 5

7

6

4

4

1

3

4

8

Physical Digital

1





















2

7

8

Physical Digital




2

6

8


Do you use 2FA



2

7

8

No Yes




4

2

6

No Yes




6

12

4

No Yes














V DESIGN GUIDELINES













VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions




















































































































































2

7

8

Physical Digital




2

6

8


Do you use 2FA



2

7

8

No Yes




4

2

6

No Yes




6

12

4

No Yes














V DESIGN GUIDELINES













VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions


















































































































































V DESIGN GUIDELINES













VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions

















































































































































VI SUMMARY





ACKNOWLEDGMENTS


REFERENCES




































































VII APPENDIX

A Questions










































































































































































































VII APPENDIX

A Questions










































































































































Advice Sources and Selection for Digital Security - UMIACS

Documents

Transcript of Advice Sources and Selection for Digital Security - UMIACS