Connecting Attitudes and Social Influences with Designs for Usable Security and Privacy

CoriFaklaris 101 views 49 slides Jul 21, 2024

About This Presentation

Many system designs for cybersecurity and privacy have failed to account for individual and social circumstances, leading people to use workarounds such as password reuse or account sharing that can lead to vulnerabilities. To address the problem, researchers are building new understandings of how i...


Slide Content

Connecting Attitudes and Social Influences with Designs for Usable Security and Privacy
Summer School 2024: Usable Security, July 23, 2024
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany, EU

Slide 2: Agenda
- Problem Overview, Background, and Prior Work
- SA-6 & SA-13: The Security Attitudes Scales
- Security and Privacy Acceptance Framework (SPAF)
- Social Influences on Acceptance and Adoption of Best Practices
- Mitigating Mobile SMS Phishing, aka “Smishing”
Problem Overview | SA-6 & SA-13 | SPAF | Social Influences | Smishing

Slide 3: Key Takeaways From This Talk
- Cybersecurity is not just a technical issue or a usability issue - it’s about the larger social-psychological context.
- Attitudes and social influences are important determinants of cybersecurity behavior adoption.
- A better understanding of their role in the adoption process can help us to improve the uptake of protective practices.

Slide 4: Easiest Path is NOT to Follow Strict Security Practices
- NOT securing devices
- NOT keeping apps and operating systems up-to-date
- NOT using good password practices
- NOT staying alert for malware, phishing, and misinformation
Source: https://www.sutterhuskies.com/Page/6159
References:
Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. 2015. “My Data Just Goes Everywhere:” User Mental Models of the Internet and Implications for Privacy and Security.
Cori Faklaris, Laura Dabbish, and Jason I Hong. 2019. A Self-Report Measure of End-User Security Attitudes (SA-6). In Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), USENIX Association Berkeley, CA, Santa Clara, CA, 18.
Sauvik Das, Adam D.I. Kramer, Laura A. Dabbish, and Jason I. Hong. 2015. The Role of Social Influence in Security Feature Adoption. In Proceedings of the 18th ACM Conference on Computer Supported Cooperative Work & Social Computing (CSCW ’15), ACM, New York, NY, USA, 1416–1426. DOI: https://doi.org/10.1145/2675133.2675225

Slide 5: Non-Adoption of Security Practices Increases Risks
- Global costs of cybercrime in 2023: > USD $8 Trillion
- Cost for enterprise training: USD $300,000 + 100s of staff hours

Slide 7: Security Practices Are a ‘Tough Sell’ to Many Users
- They oblige people to interact with technology that they find “scary,” “confusing” or “dull” (Haney and Lutters, Colnago et al.)
- They afford abstract and non-absolute protections against specific threats (Kahneman and Tversky, Qu et al., EM Rogers) that may be seen as “inevitable” (Ruoti et al.)
- They provide solutions to collective problems that the potential adopter may not see as affecting them personally (Song et al., Weinstein)
Usability is necessary, but not sufficient to drive adoption. How can we predict and change people’s security behaviors?

Slide 8: 1 Simple Way of Depicting ‘Reasoned Action’ on Security
[Diagram labels: Security Attitudes; Social Influences; Tech/Usability Factors; Acceptance; Voluntary Adoption]
References:
Fred D. Davis. 1989. Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information Technology. The Mississippi quarterly 13, 3: 319–340. https://doi.org/10.2307/249008
Martin Fishbein and Icek Ajzen. 2011. Predicting and changing behavior: The reasoned action approach. Psychology Press. Retrieved from https://content.taylorfrancis.com/books/download?dac=C2009-0-04110-3&isbn=9781136874734&format=googlePreviewPdf

Slide 9: Attitudes Help Us to Connect Mental States + Behaviors
Attitudes represent people’s evaluation of objects, groups, events, that is, how they orient to the world around them. A measure (or several measures) of security attitudes allows researchers to examine what leads to different security attitudes, and the effect of these attitudes on intentions and on behavior.
- SA-6: 1-factor Security Attitude scale (SOUPS 2019)
- SA-13: 4-factor Security Attitude inventory (arxiv 2022)
Reference: Cori Faklaris, Laura Dabbish, and Jason I Hong. 2019. A Self-Report Measure of End-User Security Attitudes (SA-6). In Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), USENIX Association Berkeley, CA, Santa Clara, CA, 18. Retrieved from https://www.usenix.org/system/files/soups2019-faklaris.pdf

Slide 10: SA-6 is a Six-Item Questionnaire For Security Attitudes
On a scale of 1=Strongly Disagree to 5=Strongly Agree, rate your level of agreement with the following:
- Generally, I diligently follow a routine about security practices.
- I often am interested in articles about security threats.
- I seek out opportunities to learn about security measures that are relevant to me.
- I always pay attention to experts’ advice about the steps I need to take to keep my online data and accounts safe.
- I am extremely knowledgeable about all the steps needed to keep my online data and accounts safe.
- I am extremely motivated to take all the steps needed to keep my online data and accounts safe.
Source: Faklaris, Dabbish, and Hong 2019 (SA-6, SOUPS 2019). Retrieved from https://www.usenix.org/system/files/soups2019-faklaris.pdf

Slide 11: SA-6 is a Six-Item Questionnaire For Security Attitudes
TAKE THE QUIZ AT https://bit.ly/sa6quiz

Slide 12: SA-6 is a Six-Item Questionnaire For Security Attitudes
SEE RESPONSES AT https://bit.ly/sa6charts

Slide 13: SA-6 Associates with Intentions, Actions, Experiences
- SA-6 significantly explained 28% of the variance in security behavior intention (p<.01), and 15.8% of the variance in security actions in the past week (p<.01).
- SA-6 was higher among those who reported frequent exposure to security breaches, either personally or through media exposure, and who had higher scores for internet know-how.
SA-6: 1-factor Security Attitude scale (SOUPS 2019)
Source: Faklaris, Dabbish, and Hong 2019 (SA-6, SOUPS 2019).

Slide 14: How Do Different Attitudes Associate With Behaviors?
We sought to create a longer measure that addresses different attitudes that people might hold toward cybersecurity:
- Resistance
- Concernedness
- Attentiveness
- Engagement
SA-6: 1-factor Security Attitude scale (SOUPS 2019)
SA-13: 4-factor Security Attitude inventory (arxiv 2022)

Slide 15: SA-13 Adds Seven Negative or Neutral Attitude Items
On a scale of 1=Strongly Disagree to 5=Strongly Agree, rate your level of agreement with the following:
- I usually will not use security measures if they are inconvenient.
- There are good reasons why I do not take the necessary steps to keep my online data and accounts safe.
- I am too busy to put in the effort needed to change my security behaviors.
- I have much bigger problems than my risk of a security breach.
- I want to change my security behaviors to improve my protection against threats (e.g. phishing, computer viruses, identity theft, password hacking) that are a danger to my online data and accounts.
- I worry that I’m not doing enough to protect myself against threats (e.g. phishing, computer viruses, identity theft, password hacking) that are a danger to my online data and accounts.
- I want to change my security behaviors in order to keep my online data and accounts safe.

Slide 16: 1 Simple Way of Depicting ‘Reasoned Action’ on Security
[Diagram labels: Security Attitudes; Social Influences; Tech/Usability Factors; Acceptance; Voluntary Adoption]
Annotation: Measured by SA-6 and/or SA-13

Slide 17: 1 Simple Way of Depicting ‘Reasoned Action’ on Security
[Diagram labels: Security Attitudes; Social Influences; Tech/Usability Factors; Acceptance; Voluntary Adoption]
Annotation: Measured by SA-6 and/or SA-13
Positive attitudes will lead to positive social influences and ultimately, acceptance

Slide 18: 1 Simple Way of Depicting ‘Reasoned Action’ on Security
[Diagram labels: Security Attitudes; Social Influences; Tech/Usability Factors; Acceptance; Voluntary Adoption]
Annotation: Measured by SA-6 and/or SA-13
Negative attitudes will lead to negative social influences and ultimately, a lack of acceptance :-(

Slide 19: How to Use SA-6 and SA-13 in Research
Describe participants and answer research questions such as:
- How attentive to security advice is a certain user group likely to be?
- Does a new awareness campaign or usability tool help or hurt a user’s attitude toward security compliance?
Conduct theory-motivated research on human factors:
- Measure attitude in Elaboration Likelihood Model
- Measure motivation in Self-Determination Theory
- Measure coping appraisal in Protection Motivation Theory

Slide 20: What Specific Levers Can We Push to Drive Acceptance?
[Diagram labels: Security Attitudes; Social Influences; Tech/Usability Factors; Acceptance; Voluntary Adoption]

Slide 21: The Security & Privacy Acceptance Framework (SPAF)
Summarizes three barriers to S&P acceptance and the associated factors.
Barriers: Awareness, Motivation, Ability
Factors:
- Social engagement
- Mental models and digital literacy
- Media exposure
- Warnings & notifications
- Subjective norms
- Perceived relative advantage
- Trialability
- Compatibility
- System usability/complexity
- Accessibility
Reference: Sauvik Das, Cori Faklaris, Jason I. Hong, and Laura A. Dabbish. 2022. The Security & Privacy Acceptance Framework (SPAF). Foundations and Trends in Security and Privacy 5, 1-2: 1–143. Retrieved from https://corifaklaris.com/files/spaf_preprint.pdf

Slide 22: Education Can Help in All Three Areas …
Areas (SPAF; Das et al. 2022): Awareness, Motivation, Ability
Focus on (1) risks, (2) behaviors to mitigate risks, (3) how to put behaviors into practice. (Measure to prove impact!)

Slide 23: Social Influences Help Drive Us to Act + to Keep Acting
[SPAF diagram (Das et al. 2022): Awareness, Motivation, Ability and their associated factors]

Slide 24: Examples of Persuasive Social Messages that Succeeded
Goldstein et al. 2008: varied wording of hotel-room cards asking guests to reuse their towels. Appeals using social norms (ex: “the majority of guests reuse their towels”) worked better than those focused solely on the environment.
Reference: Noah J. Goldstein, Robert B. Cialdini, and Vladas Griskevicius. 2008. A room with a viewpoint: Using social norms to motivate environmental conservation in hotels. The Journal of consumer research 35, 3: 472–482.

Slide 25: Examples of Persuasive Social Messages that Succeeded
Das et al. 2014: varied wording of Facebook announcements about Login Notifications, Login Approvals, and Trusted Contacts features. Appeals worked best that showed the number of someone’s friends using the features, with 37% more exploring the security features than with the non-social announcements.
Reference: Sauvik Das, Adam D.I. Kramer, Laura A. Dabbish, and Jason I. Hong. 2014. Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 739-749. DOI: https://doi.org/10.1145/2660267.2660271

Slide 26: Social Influences Drive Us to Act and to Keep Acting
[SPAF diagram (Das et al. 2022): Awareness, Motivation, Ability and their associated factors]
What does this look like as a process in time? At what steps do particular social influences help - or hurt?

Slide 27: Security & Privacy Adoption Process Model
Reference: Cori Faklaris, Laura Dabbish, and Jason I. Hong. 2024. A framework for reasoning about social influences on security and privacy adoption. In Extended Abstracts of the CHI Conference on Human Factors in Computing Systems. https://doi.org/10.1145/3613905.3651012

Slide 29: Security & Privacy Adoption Process Model (Faklaris, Dabbish, and Hong 2024)
So there is one person who I like to discuss things with. He is a colleague who's been at the university for something like 15 years. And he's originally from Bolivia. But he loves tech. He loves everything about tech. And I sometimes ask him about tech questions. [C1]

Slide 31: Security & Privacy Adoption Process Model (Faklaris, Dabbish, and Hong 2024)
You call them back at this number for the company. And it's busy. On the company's website. So I'm after a while, thinking and I called my brother and my friend to help me out of this little jam here. [D8]

Slide 33: Security & Privacy Adoption Process Model (Faklaris, Dabbish, and Hong 2024)
“Hey, you know, do you know your password to this? Did you install this? You do? Would you mind if I borrowed your thumb for a minute?” And you know, did this and, you know, sometimes [my relatives] go with it. [D12]

Slide 34: Step Classification Algorithm For the Process Model (Faklaris, Dabbish, and Hong 2024)
[Flowchart. Questions: Did they ever use the practice? (Yes / No); Do they use it currently? (Yes / No); When did they start using the practice? (≥ 6 mos. / < 6 mos.); Why didn’t they start?]
[Outcomes: STEP 0: NO LEARNING OR THREAT AWARENESS; STEP 1: THREAT AWARENESS (NO LEARNING); STEP 2: SECURITY LEARNING; STEP 3: IMPLEMENTATION; STEP 4: MAINTENANCE; STEP X: REJECTION (a); STEP X: REJECTION (b)]

Slide 35: Case Study: How Many At Each Step for Password Managers
N=859 U.S.-based adults in a census-representative survey panel, Feb. 21-28, 2022
Mean = 2.69, Median = 3.00, SE = 0.06
[Chart categories: No Learning or Threat Awareness; Threat Awareness; Security Learning; Adoption decision; Practice Implementation; Practice Maintenance; Practice Rejection]

Slide 36: Social Influences Found for Adoption AND for Rejection
- Participants were 8.0 times more likely to be Step 3 if they “found someone to help me with it [the password manager]” (OR = 8.023 [95% CI: 2.099, 30.664], p=.002, Nagelkerke R² = .031)
- Participants were 5.9 times more likely to be in Step X (before or after Step 3) if they “couldn’t find someone to help me with it.” (OR = 5.913 [95% CI: 2.335, 14.976], p<.001, Nagelkerke R² = .044)
[Diagram: No L or T Awareness; 1 Threat Awareness; 2 Security Learning; Adoption decision; 3 Practice Implementation; 4 Practice Maintenance; X Practice Rejection]

Slide 37: Social Influences Found for Adoption AND for Rejection
For All Rejection (Step X, before or after Step 3):
- 4.1 times more likely if “Someone I trust told me not to use it.” (OR = 4.125 [95% CI: 1.351, 12.591], p=.013, Nagelkerke R² = .030)
- 2.6 times more likely if “I’m not required to use it.” (OR = 2.634 [95% CI: 1.610, 4.310], p<.001, Nagelkerke R² = .044)
For Rejection before Step 3:
- 7.1 times more likely if “I heard or saw advice not to use it.” (OR = 7.104 [95% CI: 1.393, 36.232], p=.018, Nagelkerke R² = .036)
[Diagram: No L or T Awareness; 1 Threat Awareness; 2 Security Learning; Adoption decision; 3 Practice Implementation; 4 Practice Maintenance; X Practice Rejection]
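
A consistency check on the odds ratios reported on slides 36 and 37, added here as an example (it is not code from the talk or its authors). It assumes the intervals are Wald intervals from a logistic regression, which the slides do not state; the row labels are shortened from the slide wording.

```python
import math

Z_95 = 1.959964  # two-sided 95% quantile of the standard normal

# (label, OR, CI low, CI high, reported p) transcribed from slides 36-37.
# reported p = None means the slide only states "p < .001".
REPORTED = [
    ("Step 3: found someone to help", 8.023, 2.099, 30.664, 0.002),
    ("Step X: couldn't find someone to help", 5.913, 2.335, 14.976, None),
    ("Step X: someone trusted said not to use it", 4.125, 1.351, 12.591, 0.013),
    ("Step X: not required to use it", 2.634, 1.610, 4.310, None),
    ("Step X before 3: advice not to use it", 7.104, 1.393, 36.232, 0.018),
]


def wald_from_ci(odds_ratio, lo, hi):
    """Recover the logistic-regression statistics behind a reported OR.

    Assumption: the CI is a Wald interval, exp(beta +/- Z_95 * se), so it is
    symmetric around beta = ln(OR) on the log scale.
    """
    beta = math.log(odds_ratio)                       # log-odds coefficient
    se = (math.log(hi) - math.log(lo)) / (2 * Z_95)   # standard error of beta
    z = beta / se                                     # Wald z statistic
    p = math.erfc(abs(z) / math.sqrt(2))              # two-sided p-value
    return {
        "beta": beta,
        "se": se,
        "z": z,
        "p": p,
        # For a Wald interval the point estimate is the geometric mean
        # of the two bounds.
        "ci_midpoint": math.sqrt(lo * hi),
        # hi/lo says how imprecise the estimate is: a ratio of 15 means the
        # data are compatible with effects that differ 15-fold.
        "ci_ratio": hi / lo,
    }


def check(row, rel_tol=0.001, p_tol=0.0005):
    """Compare one reported row with the values implied by its own CI."""
    label, odds_ratio, lo, hi, reported_p = row
    w = wald_from_ci(odds_ratio, lo, hi)
    midpoint_ok = abs(w["ci_midpoint"] - odds_ratio) / odds_ratio <= rel_tol
    if reported_p is None:
        p_ok = w["p"] < 0.001
    else:
        # Reported p-values are rounded to three decimals.
        p_ok = abs(w["p"] - reported_p) <= p_tol
    return {"label": label, "consistent": midpoint_ok and p_ok, **w}


def check_all():
    return [check(row) for row in REPORTED]


if __name__ == "__main__":
    for r in check_all():
        print(f"{r['label']:<45} z={r['z']:.2f} p={r['p']:.4f} "
              f"CI ratio={r['ci_ratio']:.1f} consistent={r['consistent']}")
```

The odds ratio is a ratio of odds, so its size depends on how common each step is in the sample; the CI ratio column shows which of the five estimates are tightly pinned down and which are not.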

Slide 38: Free Research Idea!
- Pay students or give them course credit to share cybersecurity memes with your website URL on their social media accounts
- Use SA-13 along with system stats and social media metrics to evaluate impacts

Slide 39: Free Research Idea!
- Create a cybersecurity social event such as a game night, an escape room or a scavenger hunt
- Use SA-13, step algorithm before-and-after to test changes in participants’ security attitudes or steps of adoption of a security practice

Slide 40: Recommended 3-Prong Approach to Usable Security
- Make it invisible (where possible)
- Offer better user interfaces (affordances, mappings, mental models, etc)
- Train users (where necessary)

Slide 41: ‘Smishing’ - Phishing on Mobile (comes from SMS)
- U.S. FTC data for 2022 shows that consumers reported losses of $326 million to text scams, an increase of 279% since 2020 (right)
- In 2021, Zelle users may have lost ~$440 million, according to a U.S. Senate report

Year      # of Reports   % of all reports with Contact Method *   % with a dollar loss reported   Total $ Lost (in millions)   Median $ Loss
2020      334,524        27%                                       5%                              $86                          $800
2021      377,840        21%                                       4%                              $131                         $900
2022      321,374        22%                                       6%                              $326                         $1,000
Average   344,579        23%                                       5%                              $181                         $900

NOTE: Data from 2019 and earlier does not break out Text as a contact method.
* Other contact methods include, in order of percentage: Phone calls, Email, Websites or Apps, Social Media, Online Ad or Pop-Up, Mail, and Other (TV or radio, print, fax, in person, consumer initiated contact, and other methods consumers write in or that cannot be otherwise categorized). A further 39% of fraud reports did not specify a contact method.
SOURCE: “Explore Data,” Federal Trade Commission. Accessed: Jul. 11, 2023. [Online]. https://www.ftc.gov/news-events/data-visualizations/explore-data
“New Report by Senator Warren: Zelle Facilitating Fraud, Based on Internal Data from Big Banks | U.S. Senator Elizabeth Warren of Massachusetts.” Accessed: Jan. 15, 2024. [Online]. Available: https://www.warren.senate.gov/oversight/reports/new-report-by-senator-warren-zelle-facilitating-fraud-based-on-internal-data-from-big-banks

Slide 42: Ideas Following 3-Prong Approach for Smishing
Make it invisible (where possible)
- Telecoms/Tech cos. implement systems to flag suspicious messages
Offer better user interfaces (affordances, mappings, mental models, etc)
- Verified sender icons & passive warnings of suspicious senders
- 1-click interfaces to help users contact entities & verify messages
Train users (where necessary)
- U.S. youth, college students more vulnerable (Faklaris et al. 2023)

Slide 44: Education is an Easy Design to Implement, Evaluate
Make it invisible (where possible)
- Telecoms/Tech cos. implement systems to flag suspicious messages
Offer better user interfaces (affordances, mappings, mental models, etc)
- Verified sender icons & passive warnings of suspicious senders
- 1-click interfaces to help users contact entities & verify messages
Train users (where necessary)
- U.S. youth, college students more vulnerable (Faklaris et al. 2023)
- Training increases Awareness, Motivation, and Ability (SPAF)
- (Hypothesis:) Trainees who are engaged and attentive (SA-6 & SA-13) are more likely to share advice and encourage others to verify messages, report smish (Social Influences)

What are your questions?
- Cybersecurity is not just a technical issue or a usability issue - it’s about the larger social-psychological context.
- Attitudes and social influences are important determinants of cybersecurity behavior adoption.
- A better understanding of their role in the adoption process can help us to improve the uptake of protective practices.
cfaklari@charlotte.edu

Slide 46: Attitudes + Social Norms Help Drive People’s Decisions
[Diagram labels: Awareness; Motivation; Ability; Acceptance; Voluntary Adoption; Security Attitudes; Social Influences]

Slide 47
Security Attitudes
Security Sensitivity, Social Influences on Process
SA-6 1-factor Security Attitude scale (SOUPS 2019)
SA-13 4-factor Security Attitude inventory (arxiv preprint 2022)
Security and Privacy Acceptance Framework (SPAF) (FnT 2022)
Smishing
Interviews to ID commonalities (SOUPS 2024)
Online surveys to capture scale (arxiv preprint 2023)
A Framework for Reasoning about Social Influences on Adoption (CHI 2024)

Slide 48: Understanding How People Decide to Act and to Accept New Practices
Behavior Models
- Reasoned Action (Ajzen and Fishbein): Effortful, not unconscious, thinking
- Technology Acceptance (Davis et al.): Classic definition of usability: ease of use, usefulness, satisfaction
- Transtheoretical Model (Prochaska and DiClemente): Identify stages of change + measure readiness to change
- Innovation Diffusion (Rogers): Describes the process through which a new practice spreads

Slide 49: Empirical Studies of Why People Decided to Act or to Not Act Securely
End-User Cybersecurity
- “Scary, confusing or dull” (Haney et al.): Widespread aversion to cybersecurity
- Arousing fear isn’t enough (Weirich et al.): Do they care - and do they know what to do about it
- Security sensitivity (Das et al.): Awareness, motivation, and knowledge to deal w/ threats
- Social influences (Das et al.; Redmiles et al.; Wash et al.): Advice-seeking, storytelling, observations of others acting securely