Research on the human factors of cybersecurity often treats people as isolated individuals rather than as social actors within a web of relationships and social influences. This project leverages known social influence principles such as making public commitments and social proof (i.e., people tend to copy others' behavior, especially when in doubt) to develop techniques that improve cybersecurity behavior and enhance security tool adoption. The team will design, develop, and deploy examples of the use of social influence in three common contexts: standalone security training materials, real-time training ("micro-interventions") given at the moment of a security-related decision, and adoption of security tools and updates. The work will deepen our knowledge of how to incorporate social influences into interface designs that improve people's security sensitivity, that is, the awareness, knowledge, and motivation to be secure. It will also add to the toolbox of cybersecurity researchers and practitioners designing human-facing security tools, and raise public awareness through outreach efforts and wide deployment of the security training mini-games. Finally, the project will provide educational opportunities for a number of PhD and undergraduate students, both in doing the research and through integrating the research work and products into courses on human-computer interaction and security.

The project uses a number of well-known social influence mechanisms to influence security behavior, including reciprocity, social proof, consistency and commitment, liking, authority, and scarcity, through three main research thrusts. The first thrust will develop standalone security training through security-related mini-games. The games will allow the researchers to control the observability of others' behaviors and deploy interface features and messages informed by social influence processes. In experiments, the research team will compare how emphasizing different influence processes affects people's security awareness, knowledge, and behavior both immediately after the experiment and two weeks later. The second thrust will develop micro-interventions in the context of login pages, based on preliminary work showing this is the most common time people think about security. Working with their institution's information security office, the team will embed security training in system login pages. They will evaluate the effectiveness of the training using logged user behavior and a one-month follow-up survey and interview. The third thrust will encourage adoption of new security tools, behaviors, and updates by varying the social influence mechanisms used at different points in the adoption curve of a new tool. Again, the team will run field studies in conjunction with their institution's information security office, measuring relative effectiveness of messages employing different social influence processes based on time-to-update. Experimental materials, monitoring and analysis software, the mini-games themselves, and (when not creating security and privacy risks) the datasets themselves will be released publicly.

Project Start:
Project End:
Budget Start: 2017-08-01
Budget End: 2021-07-31
Support Year:
Fiscal Year: 2017
Total Cost: $1,264,000
Indirect Cost:
Name: Carnegie-Mellon University
Department:
Type:
DUNS #:
City: Pittsburgh
State: PA
Country: United States
Zip Code: 15213