Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online

Advancements in information technology often task users with complex and consequential privacy and security decisions. A growing body of research has investigated individuals’ choices in the presence of privacy and information security tradeoffs, the decision-making hurdles affecting those choices, and ways to mitigate such hurdles. This article provides a multi-disciplinary assessment of the literature pertaining to privacy and security decision making. It focuses on research on assisting individuals’ privacy and security choices with soft paternalistic interventions that nudge users toward...

Unpacking security policy compliance: The motivators and barriers of employees’ security behaviors

The body of research that focuses on employees’ Information Security Policy compliance is problematic as it treats compliance as a single behavior. This study explored the underlying behavioral context of information security in the workplace, exploring how individual and organizational factors influence the interplay of the motivations and barriers of security behaviors. Investigating factors that had previously been explored in security research, 20 employees from two organizations were interviewed and the data was analyzed using framework analysis. The analysis indicated that there were...

Information Security in the Workplace: A Mixed-Methods Approach to Understanding and Improving Security Behaviours

The thesis identified influencers and barriers to specific security behaviours and developed an extended-Protection Motivation Theory model. The model includes information sensitivity appraisal as an important influencer for which a new scale (WISA) was developed and validated. The model was tested on three specific anti-malware behaviours: usage of antimalware software, installing software updates and avoiding suspicious links within emails. The testing allowed the identification of the most influential factors for each behaviour and demonstrated how these factors differ between behaviours....

Effects of cyber security knowledge on attack detection

Ensuring cyber security is a complex task that relies on domain knowledge and requires cognitive abilities to determine possible threats from large amounts of network data. This study investigates how knowledge in network operations and information security influences the detection of intrusions in a simple network. We developed a simplified Intrusion Detection System (IDS), which allows us to examine how individuals with or without knowledge in cyber security detect malicious events and declare an attack based on a sequence of network events. Our results indicate that more knowledge in cyber...

Do it OR ELSE! Exploring the Effectiveness of Deterrence on Employee Compliance with Information Security Policies

Organizations have long relied upon the threat of sanctions to influence employees to follow information security policies. Unfortunately, the belief in the power of deterrence has provided mixed results in both research and in real life. This study explored the impact of sanction effects in an organization with a robust information security program. Findings indicate an employee’s perceived sanction severity has a significant impact on their intent to follow ISP guidelines while their perceived certainty of sanction imposition does not, both of which support previous research. However, this...

Can we sell security like soap?: a new approach to behaviour change

Many organisations run security awareness programmes with the aim of improving end user behaviours around information security. Yet behavioural research tells us that raising awareness will not necessarily lead to behaviour change. In this paper we examine the challenge of changing end user behaviour and put forward social marketing as a new paradigm. Social marketing is a proven framework for achieving behavioural change and has traditionally been used in health care interventions, although there is an increasing recognition that it could be successfully applied to a broader range of...

Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness

We empirically assess whether browser security warnings are as ineffective as suggested by popular opinion and previous literature. We used Mozilla Firefox and Google Chrome’s in-browser telemetry to observe over 25 million warning impressions in situ. During our field study, users continued through a tenth of Mozilla Firefox’s malware and phishing warnings, a quarter of Google Chrome’s malware and phishing warnings, and a third of Mozilla Firefox’s SSL warnings. This demonstrates that security warnings can be effective in practice; security experts and system architects should not dismiss...

Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore

We designed and tested attractors for computer security dialogs: user-interface modifications used to draw users’ attention to the most important information for making decisions. Some of these modifications were purely visual, while others temporarily inhibited potentially-dangerous behaviors to redirect users’ attention to salient information. We conducted three between-subjects experiments to test the effectiveness of the attractors. In the first two experiments, we sent participants to perform a task on what appeared to be a third-party site that required installation of a browser...

“Little Brothers Watching You:” Raising Awareness of Data Leaks on Smartphones

Today’s smartphone applications expect users to make decisions about what information they are willing to share, but fail to provide sufficient feedback about which privacy sensitive information is leaving the phone, as well as how frequently and with which entities it is being shared. Such feedback can improve users’ understanding of potential privacy leakages through apps that collect information about them in an unexpected way. Through a qualitative lab study with 19 participants, we first discuss misconceptions that smartphone users currently have with respect to two popular game...

Writing down your password: Does it help?

Users are able to remember their phone numbers and postal codes, their student numbers, PIN numbers, and social insurance numbers. Why, then, do users have trouble remembering their passwords? This paper considers the hypothesis that being able to access written notes when needed would eventually help users to memorize the password. Further we hypothesize that writing down passwords encourages the use of passwords that are more complex than their unwritten (memorized) counterparts. We surveyed 31 participants on their opinions and experiences with writing down passwords and tested whether...

Contextualized Web warnings, and how they cause distrust

Current warnings in Web browsers are difficult for lay users to understand. We address this problem through more concrete warning content by contextualizing the warning – for example, taking the user’s current intention into account in order to name concrete consequences. To explore the practical value of contextualization and potential obstacles, we conduct a behavioral study with 36 participants whom we confront with either contextualized or standard warning content while they solve Web browsing tasks. We also collect exploratory data in a posterior card-sorting exercise and interview....

Don’t make excuses! Discouraging neutralization to reduce IT policy violation

Past research on information technology (IT) security training and awareness has focused on informing employees about security policies and formal sanctions for violating those policies. However, research suggests that deterrent sanctions may not be the most powerful influencer of employee violations. Often, employees use rationalizations, termed neutralization techniques, to overcome the effects of deterrence when deciding whether or not to violate a policy. Therefore, neutralization techniques often are stronger than sanctions in predicting employee behavior. For this study, we examine...

Targeted Risk Communication for Computer Security

Attacks on computer systems are rapidly becoming more numerous and more sophisticated, and current preventive techniques do not seem able to keep pace. Many successful attacks can be attributed to user errors: for example, while focused on other tasks, users may succumb to ’social engineering’ attacks such as phishing or trojan horses. Warnings about the danger of these attacks are often vaguely worded and given long before the dangers are realized, and are therefore too easy to ignore. However, we hypothesize that users are more likely to be persuaded by messages that (1) leverage mental...

Designing a Mobile Game to Teach Conceptual Knowledge of Avoiding ‘Phishing Attacks’

Phishing is a form of online identity theft, which attempts to appropriate confidential and sensitive information such as usernames and passwords from its victims. To facilitate cyberspace as a secure environment, phishing education needs to be made accessible to home computer users and mobile games enable embedded learning in a natural environment. Previously, we have introduced a mobile game design that aimed to enhance avoidance motivation and behavior to protect against phishing threats. This paper focuses on a design that develops the conceptual knowledge that is necessary to combat...

Cyber Security Games: A New Line of Risk

Behaviour change is difficult to achieve and there are many models identifying the factors to affect such change but few have been applied in the security domain. This paper discusses the use of serious games to improve the security behaviour of end-users. A new framework, based upon literature findings, is proposed for future game design. The trust and privacy issues related to using serious games for improving security awareness and behaviour are highlighted. Authors: John M. Blythe, Lynne...

How Users Bypass Access Control – And Why: The Impact Of Authorization Problems On Individuals And The Organization

Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not consider the full range of underlying problems, and their impact on organizations. We present a study of 118 individuals’ experiences of authorization measures in a multi-national company, and their self-reported subsequent behavior. Building on recent research that applies economic models to show the impact of lack of...

A Composite Framework for Behavioral Compliance with Information Security Policies

To combat potential security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. This paper presents a composite theoretical framework for understanding employee behavioral compliance with organizational information security policies. Building off of the theory of planned behavior, a composite model is presented that incorporates the strengths of previous studies while minimizing theoretical gaps...

Security Policy Compliance: User Acceptance Perspective

Information security policy compliance is one of the key concerns that face organizations today. Although technical and procedural security measures help improve information security, there is an increased need to accommodate human, social and organizational factors. While employees are considered the weakest link in the information security domain, they also are assets that organizations need to leverage effectively. Employees’ compliance with Information Security Policies (ISPs) is critical to the success of an information security program. The purpose of this research is to develop a...

Cyber security in the workplace: Understanding and promoting behaviour change

Cyber security and the role employees play in securing information are major concerns for businesses. The aim of this research is to explore employee security behaviours and design interventions that can motivate behaviour change. Previous research has focused on exploring factors that influence information security policy compliance; however there are several limitations with this approach. Our work-to-date has explored the behaviours that constitute ‘information security’ and potential influencers of these behaviours. These findings will aid the design of behaviour change interventions....

Phishing IQ Tests Measure Fear, Not Ability

We argue that phishing IQ tests fail to measure susceptibility to phishing attacks. We conducted a study where 40 subjects were asked to answer a selection of questions from existing phishing IQ tests in which we varied the portion (from 25% to 100%) of the questions that corresponded to phishing emails. We did not find any correlation between the actual number of phishing emails and the number of emails that the subjects indicated were phishing. Therefore, the tests did not measure the ability of the subjects. To further confirm this, we exposed all the subjects to existing phishing...

Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook

Online social networks such as Friendster, MySpace, or the Facebook have experienced exponential growth in membership in recent years. These networks offer attractive means for interaction and communication, but also raise privacy and security concerns. In this study we survey a representative sample of the members of the Facebook (a social network for colleges and high schools) at a US academic institution, and compare the survey data to information retrieved from the network itself. We look for underlying demographic or behavioral differences between the communities of the network’s...

Practicing safe computing: Message framing, self-view, and home computer user security behavior intentions

With its global reach and pervasiveness, the Internet enables individuals to be more connected through electronic linkages than ever before. In such a highly inter-dependent network, individual behaviors can have far-reaching consequences that transcend borders between people, organizations and nations. Because home computer users represent a weak link in securing cyberspace, it is critical that they be reached and motivated to consistently practice recommended security behavior so that we can continue to rely on the availability of information provided by the Internet, the capability to...

Bridging the gap between organisational and user perspectives of security in the clinical domain

An understanding of ‘communities of practice’ can help to make sense of existing security and privacy issues within organizations; the same understanding can be used proactively to help bridge the gap between organizational and end-user perspectives on these matters. Findings from two studies within the health domain reveal contrasting perspectives on the ‘enemy within’ approach to organizational security. Ethnographic evaluations involving in-depth interviews, focus groups and observations with 93 participants (clinical staff, managers, library staff and IT department members) were...

Privacy in Multimedia Communications: Protecting Users, Not Just Data

As the use of ubiquitous multimedia communication increases, so do the privacy risks associated with widespread accessibility and utilisation of the data generated by such applications. Most invasions of privacy are not intentional but due to designers’ inability to anticipate how this data could be used, by whom, and how this might affect users. This paper addresses the problem by providing a model of user perceptions of privacy in multimedia environments. The model has been derived from an analysis of empirical studies conducted by the authors and other researchers and aids designers to...