ABSTRACT
Few users have a single, authoritative source from whom they can request digital-security advice. Rather, digital-security skills are often learned haphazardly, as users filter through an overwhelming quantity of security advice. By understanding the factors that contribute to users' advice sources, beliefs, and security behaviors, we can help to pare down the quantity and improve the quality of advice provided to users, streamlining the process of learning key behaviors. This paper rigorously investigates how users' security beliefs, knowledge, and demographics correlate with their sources of security advice, and how all these factors influence security behaviors. Using a carefully pre-tested, U.S.-census-representative survey of 526 users, we present an overview of the prevalence of respondents' advice sources, reasons for accepting and rejecting advice from those sources, and the impact of these sources and demographic factors on security behavior. We find evidence of a "digital divide" in security: the advice sources of users with higher skill levels and socioeconomic status differ from those with fewer resources. This digital security divide may add to the vulnerability of already disadvantaged users. Additionally, we confirm and extend results from prior small-sample studies about why users accept certain digital-security advice (e.g., because they trust the source rather than the content) and reject other advice (e.g., because it is inconvenient and because it contains too much marketing material). We conclude with recommendations for combating the digital divide and improving the efficacy of digital-security advice.