PI(s): Michelle Mazurek
Researchers: Elissa Redmiles, Wei Bai, Angel Plane, Rock Stevens, Peter Sutor, Candice Schumann, Amy Malone, Sean Kross

People encounter a tremendous amount of cybersecurity advice. It would be impossible to follow all the available advice, so people pick and choose which advice to follow and which to ignore in different circumstances. But the advice they pick is not always the most correct or useful. In this project, we examine how users learn security behaviors and develop and evaluate new interventions for improving user behavior. By more scientifically understanding how users interpret advice and learn behaviors, we can try to increase user security both through new educational interventions and by helping users prioritize and evaluate the advice they receive.
Graduate student Elissa Redmiles presented our quantitative study [3] at ACM CCS, a top security conference. In this study, we conducted a nearly census-representative survey of 526 US internet users. We developed the survey based on the results of our prior qualitative study [2]. Our results indicate that there is a digital divide in where users obtain advice: users with higher internet skills, and users with higher education levels, typically receive advice from more authoritative sources (e.g., the workplace) than do less skilled or less educated users. This study also confirms our prior result that users tend to rely on their trust of the advice source to evaluate most digital security advice (except advice about passwords), while they rely on their own assessment of the advice for physical-safety-related advice. Users are generally less confident in assessing the credibility of cybersecurity advice than physical-security advice. We find that our respondents most commonly rejected advice because it was inconvenient, contained too much marketing material, or because they had not yet had a negative experience that the advice would have prevented. The paper received a good response at the conference, including interesting questions during the presentation and many follow-up inquiries, one of which led to a new project related to two-factor authentication, described below.

To further investigate our findings regarding a digital divide, graduate student Elissa Redmiles received a "data grant" from the Data & Society Institute to study the security habits of low-SES (socio-economic status) Americans, in part due to her work on this project. We completed a quantitative analysis of how low-SES users' resources and advice sources correlate with their behavior. We found that users' negative experiences correlated strongly with their advice sources, regardless of their SES or the resources (e.g., high-speed internet) available to them. However, we again observed a large difference in how low- and high-SES users receive advice. This study will be published in ACM CHI [5], a top HCI conference, in May 2017, where it will be presented by Elissa Redmiles.

Based on discussions with Greg Shannon (Chief Scientist at CERT and former Cybersecurity Advisor to the White House Office of Science and Technology Policy) following our CCS presentation [3], we are conducting a mixed-methods study to evaluate and improve messages that promote two-factor authentication (2FA). We are in the process of recruiting participants for the interview-and-design portion of the study, during which participants will be invited to react to different 2FA messages and sketch new ones that they feel would make them more likely to enable 2FA. Based on the results of this portion of the study, we will design three new 2FA messages and evaluate them using both experimental and survey approaches. We plan to submit a paper based on this work to the USENIX Symposium on Usable Security and Privacy in March 2017.

Last quarter, we developed a security edutainment video based on the results of our research. This quarter, we evaluated the video. Our preliminary experimental evaluation found that the edutainment video was more effective at increasing participants' intent to update their software than text-based security advice was. This suggests that edutainment may be a promising new direction for educating users about security. We submitted a poster based on this analysis to NDSS 2017, a top security conference, and we will submit a paper based on this analysis to USENIX Security 2017.