This document summarizes a presentation on applying social psychology to cybersecurity. It discusses how over 40% of changes to cybersecurity behaviors had a social influence or dimension. Studies found that observing friends' security behaviors and social sensemaking around incidents increased the likelihood of behavior changes. The presentation argues that cybersecurity research could benefit from incorporating more social and behavioral theories to help encourage widespread adoption of better security practices. It provides examples of work analyzing how social influences impact security feature adoption on Facebook.
The main credit for all of this work goes to Sauvik Das
Laura Dabbish and I helped with some of the formulation of the work, but Sauvik did all of the heavy lifting
Excerpts from interviews we did (SOUPS 2014 paper)
My ideas crystallized due to one incident at my company, Wombat Security Technologies
Happened at Wombat Security Technologies, my company
NOTE: Frank Ritter asked if the other person actually backed up the data. She actually did so immediately afterward, since she happened to have her portable HD with her.
Pictures of Laura Dabbish, Sara Kiesler, Sue Fussell (now Cornell), Bob Kraut, Niki Kittur, Geoff Kaufman
The draw of the crowd is devilishly strong
There have been studies demonstrating that if you have lots of people looking up, pretty much every passerby will too
http://www.carlsonschool.umn.edu/assets/118359.pdf
Baseline environmental message was 35%
From our CSCW 2015 paper
Table 2. Exposed condition prerequisites for each security feature. For example, if a user is “exposed” at E3 for login approvals, at least 1.3% of her friends must have adopted login approvals at the time of data collection.
More heterogeneity -> more likely to be solved
Further from field, more likely to solve
Lakhani et al, 2007
http://www.hbs.edu/faculty/Publication%20Files/07-050.pdf
Lakhani et al
The Value of Openness in Scientific Problem Solving
NOTE: Steve Whittaker brought up this topic afterward, that a lot of good theory can be built directly into toolkits. I had it in my backup slides, so it didn’t come up in the talk itself.
Only one team can win, which is why I think Tech HCI folks are pretty friendly. I once heard from a person in the natural sciences that after you publish in Science or Nature, a dozen teams around the world will try to replicate your work and beat you to the next step.
We are competing against each other, but not in the same way that folks in natural sciences are.
Or as Ben Shneiderman once said, our field has more hugs per hour than any other field.
The Effect of Social Influence on Security Sensitivity
http://www.cmuchimps.org/uploads/publication/paper/147/the_effect_of_social_influence_on_security_sensitivity.pdf
Das, S., A. Kramer, L. Dabbish, J.I. Hong. Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation. In The 21st ACM Conference on Computer and Communications Security (CCS 2014). 2014. [19.5% accept rate] http://www.cmuchimps.org/publications/increasing_security_sensitivity_with_social_proof_a_large_scale_experimental_confirmation_2014
Results are more subtle than presented in this table; see the CCS 2014 paper for details.
The basics are there though, that social conditions worked better than control in almost every case
NOTE: Cecilia Aragon protested that she uses Linux! I responded that I liked her beard.
Organizing groups of people, collective wisdom of crowds
Harnessing a desire to want to protect others
Originally cognitive psychology
Now elements of social psych, learning sciences, anthro, design, econ (decision and behavioral econ), feminism
Big open question as to how to train given so much breadth, defer the question
Funding well-aligned
Mostly NSF in our department
Compare to departments that do mostly teaching and master’s students
NOTE: Stu Card commented that this is one area where Tech HCI might use and even advance theory, relying on natural phenomena. For example, for Skinput, it might be natural phenomena of how waves propagate in a person’s arm. I think that’s true, that we can rely on natural phenomena, but that a lot of Tech HCI is still artificial in that we don’t have a lot of guidance as to what to build based on theory, nor do we advance “natural” theory.