This document summarizes a presentation on applying social psychology to cybersecurity. It discusses how over 40% of changes to cybersecurity behaviors had a social influence or dimension. Studies found that observing friends' security behaviors and social sensemaking around incidents increased likelihood of behavior changes. The presentation argues that cybersecurity research could benefit from incorporating more social and behavioral theories to help encourage widespread adoption of better security practices. It provides examples of work analyzing how social influences impact security feature adoption on Facebook.

1. ©2015CarnegieMellonUniversity:1
Social Cybersecurity
Applying Social Psychology
to Cybersecurity
Laura Dabbish
Sauvik Das
Jason Hong
July 31, 2017
Computer
Human
Interaction:
Mobility
Privacy
Security

2. ©2017CarnegieMellonUniversity:2
How can we design systems that
encourage better cybersecurity
behaviors?

3. ©2017CarnegieMellonUniversity:3
Today, Cybersecurity is Something People
Tolerate, If Not Ignore

4. ©2017CarnegieMellonUniversity:4
But Sometimes People Do Change Their
Cybersecurity Behaviors
• What makes people decide to add a PIN to
their phone?
• What makes people decide to change their
passwords?
• What makes people decide to adopt two-
factor authentication?

5. ©2017CarnegieMellonUniversity:5
"When I first had a smartphone
I didn’t have a code, but then I
started using one because
everyone around me had a
code so I kind of felt a group
pressure to also use a code."

6. ©2017CarnegieMellonUniversity:6
"One of my boys wanted
to use my phone for
something so I gave them
my passcode. And not that
I have anything that I don’t
care for them to see or
anything, but after they
did that then I changed it
again."

7. ©2017CarnegieMellonUniversity:7
"my friends...have a lot of
different accounts, the same as
me. But they didn't get into
any trouble. So I think maybe it
will not be dangerous [to reuse
passwords]."

8. ©2017CarnegieMellonUniversity:8
Some Cybersecurity Behaviors Seem to
Have a Social Dimension
• Over 40% of behavior changes had some
kind of social dimension to it
• Security behavior, like any human behavior,
is driven in part by social trends
– Learning new things from other people
– Seeing what others do
– Listening to what others say or talk about

9. ©2017CarnegieMellonUniversity:9
Cybersecurity Research Today
• Most research focuses on the computer itself
– Protocols, cryptography, static analysis
• Also some research on individuals
– Usability of tools, passwords, smartphones
• But very little on groups of people
– How the design of tools might affect diffusion
– Improving people’s awareness and adoption
– I’ll talk about our team’s work in this area today

10. ©2017CarnegieMellonUniversity:10
About Me
• Computer scientist by training
• Research in mobility, privacy, and security
– Designing UIs, building systems, using ML
– Internet of Things: software infrastructures,
analyzing network traffic, notifications
– Smartphones: helping developers, analyzing
smartphone apps (PrivacyGrade.org)
– Anti-phishing: why people fall for attacks, how
to detect fake web pages, Wombat Security

11. ©2017CarnegieMellonUniversity:11
Today: Social Cybersecurity
• Today’s talk is unusual for me
– Not a system, and driven by theory
• Talk ~40min about social cybersecurity
– Will also reflect on the research as I go
– Ex. The role of theory, why doesn’t computer
science have more theory, dissemination, etc
• Feel free to ask questions throughout

12. ©2017CarnegieMellonUniversity:12
The Origin of this Research
Did you hear what happened
to Moe? He slipped on ice
and damaged his laptop. Now
he can’t get his data.

13. ©2017CarnegieMellonUniversity:13
The Origin of this Research
Did you hear what happened
to Moe? He slipped on ice
and damaged his laptop. Now
he can’t get his data.
I’m going to back
up my data right
now!

14. ©2017CarnegieMellonUniversity:14
Light Bulb Moment
• Hung around behavioral scientists in my
department for many years
– HCII has designers, compsci, psych sitting near
each other and working together
– Learned basics of social psych thru osmosis
• Realized that this simple social interaction led
to desirable action

15. ©2017CarnegieMellonUniversity:15
Social Proof

16. ©2017CarnegieMellonUniversity:16
• Baseline effectiveness is 35%

17. ©2017CarnegieMellonUniversity:17

18. ©2017CarnegieMellonUniversity:18
• “showing each user pictures of friends who
said they had already voted, generated
340,000 additional votes nationwide”
• “they also discovered that about 4 percent of
those who claimed they had voted were not
telling the truth”

19. ©2017CarnegieMellonUniversity:19
Energy Consumption

20. ©2017CarnegieMellonUniversity:20
Energy Consumption

21. ©2017CarnegieMellonUniversity:21
Social Cybersecurity
• Observation: useful security features still
rarely adopted by general population
• Pop Quiz: How many of you have heard of /
use these features?
– Login Approvals (two-factor authentication)
– Login notifications on Facebook
– Trusted contacts on Facebook

22. ©2017CarnegieMellonUniversity:22
Login Notifications

23. ©2017CarnegieMellonUniversity:23
Trusted Contacts

24. ©2017CarnegieMellonUniversity:24
Social Cybersecurity
• Adoption rate typically single digits [Das et al 2015]
• This doesn’t seem to be just functionality
• This doesn’t seem to be just usability either
• Not much point in building new security
features if people don’t adopt good ones today

25. ©2017CarnegieMellonUniversity:25
Reflection 1
Need New Ideas for Longstanding Problems
• Cybersecurity research somewhat stuck in
its approaches
• Diminishing returns in cybersecurity, need
new ideas and perspectives
– See Lakhani08 paper on Innocentive

26. ©2017CarnegieMellonUniversity:26
Reflection 2
Computer Science Tends to Have Little Theory
• CompSci rarely uses or builds theory
– Math: algorithms, type theory, machine learning
– HCI: Fitts’ law, visual perception, info foraging
– Security: crypto
• CompSci has a fair amount of model building
and design principles
– Models: passwords, phishing, bug finding, biometrics
– Principles: TOCTOU, least privilege, layered security

27. ©2017CarnegieMellonUniversity:27
Reflection 2
Computer Science Tends to Have Little Theory
• Much of CompSci is showing that something
can be done, and/or how to do it better
– They offer insight, sometimes new models and
new principles
– Often not predictive power or generalizability
• Examples from IEEE Security and Privacy 2017
– Measurements of malware
– Two permissions to take over smartphones
– How Volkswagen defeat devices worked
– Multi-touch authentication using hand geometry

28. ©2017CarnegieMellonUniversity:28
Reflection 2
Computer Science Tends to Have Little Theory
• This lack of theory isn’t necessarily bad
– But it’s also pretty intrinsic to how CompSci works
• Science of the artificial
– Outside of speed of light, few limits to computing
– We make a lot of the rules, and mostly limited by
our imagination, market, and computing context
• Compare to natural sciences
– Only one way DNA works
– Only one way brain circuit works
– (And only one research team can win)

29. ©2017CarnegieMellonUniversity:29
Reflection 3
An Opportunity for Behavioral Sciences
• Cybersecurity needs new ideas + CompSci
tends to have little theory = Opportunity
– New source of ideas (about individual and group
behaviors) for solving hard problems
– New kinds of methods for understanding,
analyzing, and designing solutions

30. ©2017CarnegieMellonUniversity:30
Social Cybersecurity
Our Team’s Work to Date
• Interviews about why people changed
behaviors and what they talk about with
others [SOUPS 2014]
• Study w/ Facebook evaluating social
interventions [CCS 2014]
• Analysis of who does and doesn’t adopt
features [CSCW 2015]

31. ©2017CarnegieMellonUniversity:31
Semi-Structured Interviews about Recent
Changes to Security Behaviors
• Interviewed 19 people
– Mobile authentication (e.g. PIN)
– App installation / uninstallation
– Online privacy settings
• What caused the change?
• Hear about incident thru a friend?
• Talk to others about the change?
Das, S., H.J. Kim, L. Dabbish, and J.I. Hong. The Effect of Social
Influence on Security Sensitivity. SOUPS 2014.

32. ©2017CarnegieMellonUniversity:32
Cybersec Behavior Changes
• 114 behavior changes coded (grounded theory)
• 48 had social influences (42%)
– Observing friends (14 of 48)
– Social sensemaking (9 of 48)
– Pranks and demonstrations (8)
– Experiencing security breach (6)
– Sharing access (3)

33. ©2017CarnegieMellonUniversity:33
Insight: Observability
• One person stopped in coffee shop and asked
about the Android 9-dot:
“We were just sitting in a
coffee shop and I wanted
to show somebody
something and [they said], ‘
My phone does not have
that,’ and I was like, ‘I
believe it probably does.’”

34. ©2017CarnegieMellonUniversity:34
Diffusion of Innovations
• Five major factors
for successful
innovations:
– Relative Advantage
– Trialability
– Complexity
– Compatibility
– Observability

35. ©2017CarnegieMellonUniversity:35
Most Cybersecurity not very Observable
• How strong are Matt’s passwords?
• What privacy settings does Astrid have for
Facebook?
• What does Elizabeth look for to avoid
phishing attacks?
• Low observability -> hard for good practices
to diffuse and be adopted

36. ©2017CarnegieMellonUniversity:36
Social Proof + Observability
• Variants
– Control
– Over # / %
– Only # / %
– Raw # / %
– Some
Das, S., A. Kramer, L. Dabbish, J.I. Hong. Increasing Security Sensitivity
With Social Proof: A Large-Scale Experimental Confirmation. CCS 2014.

37. ©2017CarnegieMellonUniversity:37
Method
• Controlled, randomized study
with 50k active Facebook users
– 8 conditions, so N=6250
• Part of annual security awareness campaign
Facebook was going to run anyway

38. ©2017CarnegieMellonUniversity:38
Results of Experiment

39. ©2017CarnegieMellonUniversity:39
Social Influences on Adoption
• Analyzed 1.5M people on Facebook
– Matched propensity sampling to distinguish
between homophily vs social influence
• People with similar characteristics but different levels
of friends using a security feature
– 750k users of features and 750 use-nots
– Collected over 12 days, evenly across 3 features
• Login notifications, login approvals, trusted contacts
– No interventions, existing behaviors only
Das, S., A.D.I. Kramer, L. Dabbish, J.I.Hong. The Role of Social Influence
In Security Feature Adoption. CSCW 2015.

40. ©2017CarnegieMellonUniversity:40

41. ©2017CarnegieMellonUniversity:41
Insight: Social Factors Might Work
Against Adoption
• A lot of early adopters tend to be:
– People with clear reason (e.g. job), or
– Security experts
• Often viewed as “Nutty” or paranoid [Gaw et al 06]
• Disaffiliation due to external factors

42. ©2017CarnegieMellonUniversity:42
Who Uses What Computer?
• “These people aren’t like me”
– (Regardless of whether true or not)

43. ©2017CarnegieMellonUniversity:43
Ongoing Challenges + Opportunities
Observability
How can we make it easier for people to
observe and emulate good security behaviors?
Can we make security behaviors more
observable while still preserving safety of
system and individuals?

44. ©2017CarnegieMellonUniversity:44
Ongoing Challenges + Opportunities
Inclusiveness
How can we design additive security systems
that make group security a sum instead of a
min function?
Can we design more systems for groups of
people to be effective in protecting others?

45. ©2017CarnegieMellonUniversity:45
Ongoing Challenges + Opportunities
Stewardship
How can we design systems that allow people
to act on their concern for the security of their
loved ones?

46. ©2017CarnegieMellonUniversity:46

47. ©2017CarnegieMellonUniversity:47

48. ©2017CarnegieMellonUniversity:48

49. ©2017CarnegieMellonUniversity:49
Reflection 4
Be Prepared for Culture Mismatch
• This work came about primarily because of
structure of my department
– Proximity of designers, compsci, psych
– Students cross-trained in these areas
– Easy co-advising
– One discipline not in service to another
– Shared funding and publication model

50. ©2017CarnegieMellonUniversity:50
Reflection 4
Be Prepared for Culture Mismatch
• Most CompSci work
– How to build things better
• Problem -> solution
– Mostly atheoretical
– Mostly design, build, and evaluate
• Most behavioral work
– Understanding world better
– Mostly about theory
– Mostly solely on evaluation

51. ©2017CarnegieMellonUniversity:51
Newell’s Time
Bands of Cognition

52. ©2017CarnegieMellonUniversity:52
Newell’s Time
Bands of Cognition
Computational
Most traditional
computer security
focuses here (and often
just the computer)

53. ©2017CarnegieMellonUniversity:53
Newell’s Time
Bands of Cognition
Computational
Most usable security
focuses here, and often
just one person (or a
few people)

54. ©2017CarnegieMellonUniversity:54
Newell’s Time
Bands of Cognition
Computational
Little understanding of
cybersecurity here
(larger time scales,
larger groups of people)

55. ©2017CarnegieMellonUniversity:55
Closing
• Social cybersecurity
– One line of research combining behavioral
sciences + cybersecurity
– Drawn from theory, data analysis at scale, practical
• Reflections
– Cybersecurity needs new ideas
– CompSci tends to be atheoretical
– Opportunity for behavioral sciences here
– But lots of challenges and pitfalls to collaboration

56. ©2017CarnegieMellonUniversity:56

57. ©2017CarnegieMellonUniversity:57
Recommendations
• Give tutorials on behavioral methods at
some top security venues (CCS, Usenix Sec,
IEEE S&P)
• Vice versa for the different behavioral scienc
es
• Invited tutorials for SaTC PI meeting
• Offer funding to travel to these venues to
understand methods, values, potential
partners
– Focus on people “closer” to other side

58. ©2017CarnegieMellonUniversity:58
Reflection
Good Theory Offers Vocabulary
• If we weren’t aware of Diffusion of
Innovations, might have overlooked the
comments about Observability
• Act of having a name focuses

59. ©2017CarnegieMellonUniversity:59
Why Little Theory Building in CompSci?
• Is it because it’s engineering?
– I would say no
– Civil Eng has traffic modeling, materials
– MechE has heat transfer, mass transfer
– EE has AC theory, circuit models, signal

60. ©2017CarnegieMellonUniversity:60
Why Little Theory Building in Tech HCI?
• No clear natural objective function
• Instead, goal of Tech HCI is to:
– Expand frontiers of what’s possible (expand our
imagination)
– Sweep parameter space to understand principles
and tradeoffs
• And while Tech HCI doesn’t build theory, it will
occasionally use it

61. ©2017CarnegieMellonUniversity:61

62. ©2017CarnegieMellonUniversity:62
Cybersecurity Research
Empirical Measurements + Models
• Interviews or collection+analysis of data set
• Spamalytics
• How much money do spammers make?
• The state of {phishing, malware, DNS attacks}
• How is Bitcoin used today
• How do orgs handle phishing attacks?

63. ©2017CarnegieMellonUniversity:63
Cybersecurity Research
New Techniques for the Security Toolbox
• Faster, better, cheaper
• New forms of authentication
• Better ways of protecting Tor
• Better ways of doing fuzz testing
• Role-based access control
• Sand-boxing of apps

64. ©2017CarnegieMellonUniversity:64
Cybersecurity Research
New Vulnerabilities + Defenses
• “Here’s this interesting new problem…”
• Cloud computing data leaks
• Side channel attacks
• Voice-based interfaces
• Automobiles
• Tor anonymous routing