Understanding Security Learning & Addressing the Digital Security Divide

Summary

[Figure: graph of how many participants in a 25-person interview study used seven different sources for security advice. Caption: Prevalence of advice sources for digital and physical security in our initial 25-participant semi-structured interview study.]

Users receive a multitude of digital- and physical-security advice every day. Indeed, if we implemented all the security advice we received, we would never leave our houses or use the Internet. Instead, users selectively choose some advice to accept and some (most) to reject; however, it is unclear whether they are effectively prioritizing what is most important or most useful. If we can understand from where and why different groups of users take security advice, we can develop more effective security interventions.

Research Questions

In order to better understand users’ security advice use and behaviors, we seek to answer the following research questions:

  1. Where or from whom do users learn digital- and physical-security behaviors?
  2. Why do users accept or reject different advice?
  3. How do users’ advice sources, reasons for accepting or rejecting advice, and valuation of advice differ for digital and physical security?
  4. How do demographics, and exposure to security-sensitive content and workplace training, impact the use of different advice sources or users’ reasons for accepting or rejecting advice?
  5. Do different advice sources lead to stronger intentions to behave securely?
  6. How can we improve security advice and develop more effective learning tools?
  7. What methods can be used to ensure that good security advice is heeded and the credibility of poor advice is reduced?
  8. Can we target advice precisely where it is most needed?

Presentations & Publications

  1. Redmiles, E.M., Kross, S., and Mazurek, M.L. Where is the Digital Divide? Examining the Impact of Socioeconomics on Security and Privacy Outcomes. Technical Report. 2016.
  2. Redmiles, E.M., Kross, S., and Mazurek, M.L. How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior. Paper. ACM Conference on Computer and Communications Security (CCS). 2016. 16% accept rate.
  3. Redmiles, E.M., Malone, A.R., and Mazurek, M.L. “I Think They’re Trying to Tell Me Something”: Advice Sources and Selection for Digital Security. Paper. IEEE Symposium on Security and Privacy (Oakland). 2016. 13% accept rate.
  4. Redmiles, E.M., Malone, A., and Mazurek, M.L. How I Learned To Be Secure: Advice Sources and Personality Factors in Cybersecurity. Poster. The 11th Symposium on Usable Privacy and Security (SOUPS).

Also presented at the 2015 University of Maryland Security Symposium, the 2016 Science of Security Lablet Quarterly meeting, and the 2015 Human Computer Interaction Laboratory Symposium.

Support

This research is sponsored in part by the National Security Agency as part of a Science of Security lablet. This research is also supported by a Data&Society Data Access Grant.

People

Dr. Michelle Mazurek

Primary Investigator

Elissa Redmiles

Graduate Research Assistant

Sean Kross

Collaborator, Johns Hopkins University

Shelby Silverstein

Undergraduate Research Assistant

Amelia Malone

Former Undergraduate Research Assistant