Visible to the public Do or Do Not, There Is No Try: User Engagement May Not Improve Security OutcomesConflict Detection Enabled

TitleDo or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes
Publication TypeConference Proceedings
Year of Publication2016
AuthorsAlain Forget, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, Lorrie Cranor, Serge Egelman, Marian Harbach, Rahul Telang
Conference NameProceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016)
Date Published06/2016
Conference LocationDenver, CO
ISBN Number978-1-931971-31-7
KeywordsCMU, July'16

Computer security problems often occur when there are disconnects between users' understanding of their role in computer security and what is expected of them. To help users make good security decisions more easily, we need insights into the challenges they face in their daily computer usage. We built and deployed the Security Behavior Observatory (SBO) to collect data on user behavior and machine configurations from participants' home computers. Combining SBO data with user interviews, this paper presents a qualitative study comparing users' attitudes, behaviors, and understanding of computer security to the actual states of their computers. Qualitative inductive thematic analysis of the interviews produced "engagement" as the overarching theme, whereby participants with greater engagement in computer security and maintenance did not necessarily have more secure computer states. Thus, user engagement alone may not be predictive of computer security. We identify several other themes that inform future directions for better design and research into security interventions. Our findings emphasize the need for better understanding of how users' computers get infected, so that we can more effectively design user-centered mitigations.

Citation Keynode-30359

Other available formats:

Forget_Do_or_Do_Not_LC.pdfPDF document392.86 KBDownloadPreview