DOI: 10.1145/2976749.2978307
research-article

How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior

Published: 24 October 2016

ABSTRACT

Few users have a single, authoritative source from whom they can request digital-security advice. Rather, digital-security skills are often learned haphazardly, as users filter through an overwhelming quantity of security advice. By understanding the factors that contribute to users' advice sources, beliefs, and security behaviors, we can help to pare down the quantity and improve the quality of advice provided to users, streamlining the process of learning key behaviors. This paper rigorously investigates how users' security beliefs, knowledge, and demographics correlate with their sources of security advice, and how all these factors influence security behaviors. Using a carefully pre-tested, U.S.-census-representative survey of 526 users, we present an overview of the prevalence of respondents' advice sources, reasons for accepting and rejecting advice from those sources, and the impact of these sources and demographic factors on security behavior. We find evidence of a "digital divide" in security: the advice sources of users with higher skill levels and socioeconomic status differ from those with fewer resources. This digital security divide may add to the vulnerability of already disadvantaged users. Additionally, we confirm and extend results from prior small-sample studies about why users accept certain digital-security advice (e.g., because they trust the source rather than the content) and reject other advice (e.g., because it is inconvenient and because it contains too much marketing material). We conclude with recommendations for combating the digital divide and improving the efficacy of digital-security advice.


        Published in

        CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
        October 2016
        1924 pages
        ISBN: 9781450341394
        DOI: 10.1145/2976749

        Copyright © 2016 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Acceptance Rates

        CCS '16 paper acceptance rate: 137 of 831 submissions (16%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
