Social Cybersecurity, or, A Computer Scientist's View of HCI and Theory, at HCIC 2015

Published on June 2015

This talk looks at our team's ongoing work in using social psychology and diffusion of innovations to improve cybersecurity. It also reflects on the role of theory, in terms of offering inspiration for new ideas, a useful vocabulary, guidance for what to build and how to build things better, as well as insight into the problem space. This talk also offers some advice for people building theories, adapting Pasteur's quadrant and Diffusion of Innovations to theory, to help people who build and design systems.


  1. ©2015 Carnegie Mellon University. Social Cybersecurity: Applying Social Psychology to Cybersecurity. Jason Hong, Laura Dabbish, Sauvik Das, Hyun-Jin Kim. HCIC, June 30, 2015. Computer Human Interaction: Mobility Privacy Security
  2. or, A Computer Scientist’s View of HCI and Theory. Jason Hong, Laura Dabbish, Sauvik Das, Hyun-Jin Kim. HCIC, June 30, 2015. Computer Human Interaction: Mobility Privacy Security
  3. Introduction • This is the most unusual talk I’ve ever given • Got lots of funny looks from people: “You’re going to talk about theory??” “You’re going to talk about theory??” “You’re going to talk about theory??” Ed Chi, Leila Takayama, James Landay
  4. Who am I? What am I doing here?
  5. Most of My Work is Atheoretical • I do work in privacy, cybersecurity, ubicomp • But little of it grounded in theory
  6. But It’s Not Just Me: “Technical HCI work doesn’t seem to build a lot on top of each other’s work. There doesn’t seem to be a lot of theory either.”* *not an exact quote. Bob Kraut (Jedi Master, CMU)
  7. Examples of Tech HCI
  8. Why Little Theory Building in Tech HCI? • Is it because it’s engineering? – I would say no – Civil Eng has traffic modeling, materials – MechE has heat transfer, mass transfer – EE has AC theory, circuit models, signal
  9. Why Little Theory Building in Tech HCI? • Science of the artificial – Outside of speed of light, few limits to computing – We make a lot of the rules, and mostly limited by our imagination and market • Compare to natural science – Only one way DNA works – Only one way brain circuit works – (And only one research team can win)
  10. Why Little Theory Building in Tech HCI? • No clear natural objective function • Instead, goal of Tech HCI is to: – Expand frontiers of what’s possible (expand our imagination) – Sweep parameter space to understand principles and tradeoffs • And while Tech HCI doesn’t build theory, it will occasionally use it
  11. Themes in This Talk • Role of theory for Tech HCI? • Kinds of theories useful for Tech HCI? – Some theories more useful than others • Will describe our work on cybersec – Social Psych / Diffusion of Innovations • My perspectives: – Tech HCI research – (Successful?) startup – Helped run Master’s of HCI program
  12. Cybersecurity Research Today • Most research focused on computers – Protocols, detection, static analysis • Some research on individuals – Mostly usability of tools • But cybersec faces deep problems – How do people learn cybersecurity? – How can we fix misconceptions? – How to change people’s behaviors?
  13. A True Story: “Did you hear what happened to Moe? He slipped on ice and damaged his laptop. Now he can’t get his data.”
  14. A True Story: “Did you hear what happened to Moe? He slipped on ice and damaged his laptop. Now he can’t get his data.” “I’m going to back up my data right now!”
  15. Light Bulb Moment • Hung around behavioral scientists for many years – Learned about basics of social psych thru osmosis • Realized that this simple interaction led to desirable action
  16. How can we use social influences to help improve cybersecurity?
  17. Social Proof
  18. • Baseline effectiveness is 35%
  19.
  20. • “showing each user pictures of friends who said they had already voted, generated 340,000 additional votes nationwide” • “they also discovered that about 4 percent of those who claimed they had voted were not telling the truth”
  21. Energy Consumption
  22. Energy Consumption
  23. Social Cybersecurity • Focus on usability has gotten us far, but security features rarely adopted • Pop Quiz: How many of you have heard of / use these features? – Two-factor authentication – Login notifications on Facebook – Trusted contacts on Facebook
  24. Social Cybersecurity • Adoption rate typically single digits [Das et al 2015] • Why develop new tools if we can’t get people to adopt existing ones?
  25. Reflection 1: Good Theory Can Offer Inspiration • Cybersecurity research somewhat stuck in its approaches • Diminishing returns after exploring, need new ideas and perspectives – See Lakhani08 paper on Innocentive
  26. Social Cybersecurity: Our Team’s Work to Date • Interviews about why people changed behaviors and what they talk about with others [SOUPS 2014] • Study w/ Facebook evaluating social interventions [CCS 2014] • Analysis of who does and doesn’t adopt features [CSCW 2015]
  27. Semi-Structured Interviews • Interviewed 19 people – Mobile authentication – App installation / uninstallation – Online privacy settings • What caused the change? • Hear about incident thru a friend? • Talk to others about the change? Das, S., H.J. Kim, L. Dabbish, and J.I. Hong. The Effect of Social Influence on Security Sensitivity. SOUPS 2014.
  28. Cybersec Behavior Changes • 114 behavior changes coded • 48 had social influences (42%) – Observing friends (14 of 48) – Social sensemaking (9 of 48) – Pranks and demonstrations (8) – Experiencing security breach (6) – Sharing access (3)
  29. Insight #1 - Observability • One person stopped in coffee shop and asked about the Android 9-dot: “We were just sitting in a coffee shop and I wanted to show somebody something and [they said], ‘My phone does not have that,’ and I was like, ‘I believe it probably does.’”
  30. Diffusion of Innovations • Five major factors for successful innovations: – Relative Advantage – Trialability – Complexity – Compatibility – Observability
  31. Most Cybersecurity not very Observable • How strong are Gary’s passwords? • What privacy settings does Leysia have for Facebook? • What does Jofish look for to avoid phishing attacks? • Low observability -> hard to diffuse
  32. Reflection 2: Good Theory Offers Vocabulary • If we weren’t aware of Diffusion of Innovations, might have overlooked the comments about Observability • Act of having a name focuses
  33. Insight #2 – Social Factors Might Work Against Adoption • A lot of early adopters tend to be: – Security experts – People with clear reason (e.g. job) – Viewed as “Nutty” or paranoid [Gaw et al 06] • Brand disenfranchisement – Illusory correlation between something (use of security tools) and attributes of users
  34. Who Uses What Computer? • “These people aren’t like me” – (Regardless of whether true or not)
  35. What are Professors Like?
  36. Social Proof + Make Cybersecurity Observable • Variants – Control – Over # / % – Only # / % – Raw # / % – Some. Das, S., A. Kramer, L. Dabbish, J.I. Hong. Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation. CCS 2014.
  37. Method • Controlled, randomized study with 50k active Facebook users – 8 conditions, so N=6250 • Part of annual security awareness campaign Facebook was going to run anyway
  38. Results of Experiment
  39. Social Influences on Adoption • Analyzed 1.5M people on Facebook – No interventions, existing behaviors – More adopters a person can see, more likely to adopt (but J-curve) – More social circles, stronger effects – More observable and social feature (trusted contacts), stronger effects. Das, S., A.D.I. Kramer, L. Dabbish, J.I. Hong. The Role of Social Influence In Security Feature Adoption. CSCW 2015.
  40. Ongoing Work • Are there other ways to make security more observable (+ safe)? – Note that this is counter to conventional wisdom of security • Other social techniques to influence people’s awareness, knowledge, motivation?
  41. Reflection 3: Good Theory Should Offer Guidance • We could have done mass A/B tests of interventions without theory – (This is essentially what industry does) – Instead, Social psych and Diffusion of Innovations gave us direction • Blind searches unsatisfying – Dan Russell’s talk at HCIC 2009 – Eric Brill’s talk at HCIC 2013
  42. Dan Russell’s HCIC 2009 Slides
  43. Dan Russell’s HCIC 2009 Slides
  44. Dan Russell’s HCIC 2009 Slides
  45. What to Name Buttons? Dan Russell’s HCIC 2009 Slides
  46. Why Unsatisfying? • What’s generalizable? • What did we as a community learn?
  47. Reflection 4: Good Theory Should Offer Insight
  48. Reflection 4: Good Theory Should Offer Insight. “For instance, when Appel and Haken completed a proof of the 4-color map theorem using a massive automatic computation, it evoked much controversy. I interpret the controversy as having little to do with doubt people had as to the veracity of the theorem or the correctness of the proof. Rather, it reflected a continuing desire for human understanding of a proof, in addition to knowledge that the theorem is true.” - William Thurston, On Proof and Progress in Mathematics
  49. Reflection 4: Good Theory Should Offer Insight • Alternative formulation by Tim Gowers, The Two Cultures of Mathematics – (i) The point of solving problems is to understand mathematics better. – (ii) The point of understanding mathematics is to become better able to solve problems. – Mathematicians lie on spectrum
  50. Pasteur’s Quadrant: Good Science + Good Applications
  51. • Situated Action • Activity Theory • Distributed Cognition • Embodied Interaction • Ethnography • Fitts’ Law • Learning science • Visual Perception • Social Psych • Motivation Advice for Theory Builders Consider Insight + Guidance Guidance (What to Build / How to Build it Better) Insight • Heuristic Evaluation • Contextual Inquiry • 41 Shades of Blue (A/B) • Iterative Design • Agile / Lean
  52. • Situated Action • Activity Theory • Distributed Cognition • Embodied Interaction • Ethnography • Fitts’ Law • Learning science • Visual Perception • Social Psych • Motivation Advice for Theory Builders Consider Repackaging Too Guidance (What to Build / How to Build it Better) Insight • Heuristic Evaluation • Contextual Inquiry • 41 Shades of Blue • Iterative Design • Agile / Lean
  53. Wishlist for Tech HCI and for Master’s Students • Design Theory – Service design – Engagement, stickiness • Emotional Attachment • Innovation Theory – What’s more likely to have impact? – Product lifecycles – Feature / Product / Business
  54. Example for Innovation: Christensen’s Disruption Model
  55. Lifecycle of Product
  56. • New product starts out with lots of chaos • Eventually dominant design appears, right combination of existing features / ideas
  57. • Less innovation in features, few changes to dominant design • More innovation in process of production • Dominant design only obvious in retrospect too
  58. • Extreme focus on cost, volume, capacity • Very little innovation
  59. • Cycle starts anew • But winner of last cycle rarely winner of next • Formed network, doesn’t want to anger them
  60. Conjecture: These Can Help Tech HCI Research • Can focus research on the phase your company is in – More useful to help industry research for connecting research to product – A/B tests only useful in later phases • Can look forward to next fluid phase – We already do this – More useful for academic
  61. Other Advice For Theory Builders • Five major factors: – Relative Advantage – Trialability – Complexity – Compatibility – Observability • How might you apply these to your work?
  62. Summary • Reflections: Good Theory… – Can Offer Inspiration – Offers Vocabulary – Should Offer Guidance – Should Offer Insight • For theory builders: Consider… – Insight + Building Apps – Diffusion of Innovations
  63.
  64. Reflection N: Be Prepared to Invest a lot of Time • This work only came about b/c of hanging around behavioral folks • And because cross-trained students • Big open question: how to train PhD students, given breadth of HCI?
  65. Technical HCI Rarely Uses or Builds Theory • Mostly uses low-level perception and interaction – Ex. Fitts’ law, psychoacoustics, visual perception, reaction times – (Often built into toolkits)