Cori Faklaris presented a model for understanding the process of adopting or not adopting cybersecurity behaviors. Existing models focus on concepts like expectancy and value but do not account for time or how thinking evolves. Stage models break the process into chunks like stages of change. Faklaris proposes exploring whether there are two trajectories for adoption - mandatory behaviors imposed by authorities versus voluntary behaviors influenced more by peers. The goal is to specify stages to target security interventions more effectively and improve adoption of behaviors.

1. Components of a Model of
Cybersecurity Behavior Adoption
Cori Faklaris,
Carnegie Mellon University
Workshop on Security Information Workers
Symposium on Usable Privacy and Security
Aug. 8, 2021
August 2021

2. Agenda ▪ Introduction
▪ Existing models and their relevant
components
▪ Overview of my thesis research to start
defining the learning/adoption
trajectories for end-user cybersecurity
behavior
▪ Implications
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 2

3. About Cori (@heycori)
▪ 5th year PhD candidate and researcher at the
Human-Computer Interaction Institute, School of
Computer Science, Carnegie Mellon University.
▪ Knight Fellow of the Center for Informed Democracy and
Social Cybersecurity (IDeaS); CMU Presidential Fellow of
the CyLab Security & Privacy Institute.
▪ Co-principal investigator on the NSF Social Cybersecurity
project at the HCII (https://socialcybersecurity.org/ ).
▪ Past career in journalism, IT and social media
(https://corifaklaris.com).
▪ Published at the USENIX Symposium on Usable Privacy
and Security (SOUPS) and in Proceedings of the ACM:
Human-Computer Interaction (CSCW), other venues.
3

4. Problem:
Cyberdefense
(Non-) Adoption
▪ Computing systems are increasingly
central to society.
▪ But, many people do not understand
enough about how they work - or what
cyber-threats to guard against.
▪ Meanwhile, global costs of cybercrime
jumped >50% in 2019-20, to over $1T.
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 4
Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. 2015. “My Data Just Goes Everywhere:” User Mental Models of the Internet and Implications for Privacy and Security. In Symposium on Usable Privacy and Security (SOUPS), USENIX
Association Berkeley, CA, 39–52. Retrieved from https://www.usenix.org/conference/soups2015/proceedings/presentation/kang
Zhanna Malekos Smith, Eugenia Lostri, and James A Lewis. 2020. The Hidden Costs of Cybercrime. McAfee.

5. Problem:
Cyberdefense
(Non-) Adoption
▪ Enterprise security training can cost
around $300,000 + 100s of staff hours.
▪ Difficult to persuade users to accept and
adopt security measures when they or
their peers do not view these measures
positively.
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 5
Tara Seals. 2017. Cost of User Security Training Tops $290K Per Year. Infosecurity Magazine. Retrieved January 20, 2021 from https://www.infosecurity-magazine.com:443/news/cost-of-user-security-training/
Cori Faklaris, Laura Dabbish, and Jason I Hong. 2019. A Self-Report Measure of End-User Security Attitudes (SA-6). In Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), USENIX Association Berkeley, CA, Santa Clara, CA, 18. Retrieved from
https://www.usenix.org/system/files/soups2019-faklaris.pdf
Sauvik Das, Adam D.I. Kramer, Laura A. Dabbish, and Jason I. Hong. 2015. The Role of Social Influence in Security Feature Adoption. In Proceedings of the 18th ACM Conference on Computer Supported Cooperative Work & Social Computing (CSCW ’15), ACM, New York, NY, USA, 1416–1426.
DOI:https://doi.org/10.1145/2675133.2675225

6. To reduce costs and
improve awareness
+ adoption, we should
apply insights from:
▪ social psychology,
▪ marketing, and
▪ public health.
6
Key Insight for
Cyberdefense

7. An empirical
understanding of the
cyberdefense adoption
process will help us to
specify the mental states
and social influences
acting at each step,
leading to better targeting
and timing of security
interventions.
7
My Thesis

8. 8
Cori Faklaris. 2021. Components of a Model
of Cybersecurity Behavior Adoption. In
Workshop on Security Information
Workers. Retrieved from
https://corifaklaris.com/files/Faklaris_WS
IW2021_stagemodels.pdf
● Many models of behavior adoption focus on concepts
of expectancy (how likely it is thought that a desired,
instrumental outcome will occur) and value (how
much the outcome has importance or utility).
● They do not account for time or how thinking evolves.
Search string in Google Scholar using an "incognito" browser window in July 2021 Results
fogg behavior model and cybersecurity 395
decisional balance theory and cybersecurity 1210
prospect theory and cybersecurity 13700
health belief model and cybersecurity 19500
theory of reasoned action and cybersecurity 18900
theory of planned behavior and cybersecurity 25000
protection motivation theory and cybersecurity 27800
technology acceptance model and cybersecurity 31300
Focus:
Understand
Process of
Cyberdefense
(Non-) Adoption
Theoretical Modeling
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 8

9. Theory of Planned Behavior (TPB)
9

10. Protection Motivation Theory (PMT)
10

11. Technology Acceptance Model (TAM)
11

12. 12
Cori Faklaris. 2021. Components of a Model
of Cybersecurity Behavior Adoption. In
Workshop on Security Information
Workers. Retrieved from
https://corifaklaris.com/files/Faklaris_WS
IW2021_stagemodels.pdf
● Stage models of behavior change account for the
progress of time, breaking the continuum into chunks.
● The Transtheoretical Model sees change as a cyclical
process, in which the associated processes of change
help move people from one stage to the next.
● The Precaution Adoption Process Model break down
“inaction” into unawareness, unengaged, undecided, and
decided not to act; “action’ stages are like TTM.
● The Diffusion of Innovations process model accounts for
more “action” stage changes such as confirmation, later
adoption, and discontinuance of adoption.
Search string in Google Scholar using an "incognito" browser window in July 2021 Results
transtheoretical model and cybersecurity 112
precaution adoption process model and cybersecurity 9610
diffusion of innovations and cybersecurity 17300
Focus:
Understand
Process of
Cyberdefense
(Non-) Adoption
Theoretical Modeling

13. Transtheoretical Model (TTM)
13
Experiential
processes
Behavioral processes

14. Diffusion of Innovations (DoI) Process Model
14

15. RQ: What stages do people go through in
adoption (or non-adoption) of
cybersecurity behaviors?
15

16. Phase 3
Method: Exploratory Sequential Mixed-Methods
16
John W. Creswell and J. David Creswell. 2017. Research Design: Qualitative, Quantitative, and Mixed Methods Approaches. SAGE Publications. Retrieved from https://play.google.com/store/books/details?id=KGNADwAAQBAJ
Surveys
Interviews Analysis Survey
Design
Analysis
Triangulation
and Integration
Phase 1 - Qualitative Phase 2 - Quantitative

17. Mandatory adoption
Cybersecurity has
two different
learning/
adoption
trajectories
Voluntary adoption
17
Learning
Persuasion Adoption
Learning
Threat
Authorities
Adoption
Threat
Peers/Media
Persuasion
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 17

18. Implications:
Specify how
the stages
might vary
for different
security
measures
For tool-based practices
such as password
managers, 2FA
authentication:
How many are aware of,
motivated, and/or able to
use each of the tools?
How much do social
influences and
voluntariness weigh in the
decision to adopt?
Why do people stop using
the tools, once adopted?
For knowledge-based
practices such as timely
updates, alertness to
“fake news”:
How many people are
aware of which practices
have merit, and when?
Which cognitions or
contexts cue them to act
out practices?
Whiat defeats their
intention to act out
practices?
18
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 18

19. Outcome:
Stage Model of
Cybersecurity
Behavior
Adoption
▪ Moves the field of usable security away
from “one size fits all” strategies
▪ Use to create a classification algorithm
to direct resources, “interventions”
(such as security tips or interface
nudges) to those most likely to benefit.
▪ Boost effectiveness of cybersecurity risk
assessments in resource-tight orgs
▪ Help adoption researchers to sharpen
strategies, build business value
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 19

20. Future work Collect experimental evidence for targeting
security interventions by stage and by tool:
▪ Password managers
▪ Software updates
Examine how this and/or other stage
models, such as Diffusion of Innovations,
can be adapted for enterprise teams
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 20

21. Mandatory adoption
What are your
questions /
feedback on
these ideas?
Voluntary adoption
21
Learning
Persuasion Adoption
Learning
Threat
Authorities
Adoption
Threat
Peers/Media
Persuasion
Cori Faklaris • Carnegie Mellon University • corifaklaris.com • @heycori • 21