October 6, 2017
Title: Emotionally and Socially Aware Approaches to Understanding and Changing Users' Cybersecurity Behavior
Ph.D. Candidate: Michael Fagan
Defense Date: October 6th 2017
Location: ITE 336
Major Advisor: Mohammad M. H. Khan
Associate Advisors: Steven Demurjian and Ross Buck
Security is a priority to most, but studies show that users commonly fail to adopt recommended cybersecurity behavior. Researchers have looked to user factors for explanations of this gap, finding security and convenience to be common considerations, along with perceptions of risks and past experiences. Some have tried to alter user behavior, but they targeted specific advice and focused on rational motivations to persuade users.
In this thesis, three pieces of expert-recommended cybersecurity advice (i.e., updating software regularly, using two-factor authentication, using a secure password manager) are deeply explored, and these results inform the design of videos in a systematic study of novel cybersecurity interventions aimed at altering users’ behavior around this advice. First, users’ rational motivations around each piece of advice, including social motivations, are studied, and then each piece of advice is studied with more in-depth instruments, including those that gathered users’ emotions in the varying contexts, which can influence decision-making.
These studies found that those who do not follow advice commonly see the risks in their decision as lower than those who do follow it. Additionally, users rarely make social considerations around this advice. Finally, negative emotions are found to be prevalent across many contexts. These emotions may influence and trigger perceptions of negative past experiences, which in turn hinders adoption. With these leads, novel video-based interventions are developed that incorporate appeals which address social motivations and emotions around cybersecurity advice. Users' awareness, perceptions, emotions, and behavior were measured before, immediately after, two weeks after, and one month after the delivery of an intervention aimed at altering their behavior around one of the three tested pieces of advice. This study finds that the emotion-based techniques may have merit, since the groups which saw videos that used this approach had the largest and most sustained increases on variables that measured awareness and perceptions of benefits, costs, and risks. Also, the data demonstrates the role social motivations may have in cybersecurity behavior, showing the importance of both of these alternative approaches in this field.