Thesis Proposal: "Toward a Socio-Cognitive Stage Model of Cybersecurity Behavior Adoption"

Cori Faklaris

PhD Candidate, HCII

Friday, October 15, 2021 - 9:00am
Virtual presentation via Zoom

Thesis Committee

Jason I. Hong (Co-Chair)

Laura Dabbish (Co-Chair)

Geoff Kaufman

Sauvik Das (Georgia Tech)

Michelle Mazurek (University of Maryland, College Park)


My research looks at how to apply insights from social psychology, marketing, and public health to reduce the costs of cybercrime and improve the adoption of security practices. The central problem I am addressing is what McAfee termed the “lack of organization-wide understanding of cyber risks,” which they estimate led to a jump of more than 50% in the global costs of cybercrime in 2019-20, to over $1 trillion. But fixing this problem is expensive: enterprise security training can cost around $300,000 and hundreds of staff hours per organization. While many good solutions exist (such as password managers or Virtual Private Networks), people have been slow to become fully aware of what these tools do and to use them regularly. To address the problem, we should draw on the insight from social psychology, marketing, and public health that behavior change unfolds as a process over time and can be influenced by the social contacts that matter at a given stage of that process. No one has yet fully described the behavior adoption process for cybersecurity in a way that identifies stages of adoption and the social and cognitive factors that differentiate each stage. Such an empirical understanding of the cyberdefense adoption process will lead to better targeting and timing of security interventions.


Toward this goal, I propose a research project in three phases. Phase 1, a remote interview study with 17 participants, is already under way. We will identify participants’ stages of security behavior change, along with the social influences that are particularly relevant at each stage, for a diverse set of practices in four general areas: keeping software up to date; maintaining good password hygiene; staying alert for phishing, scammers, and “fake news”; and securing devices and networks. Phase 2, an online survey deployed to 1,000 people, will assess the distribution of these stages in a U.S.-representative randomized sample who are asked about their awareness and adoption of specific security practices and whether their use is mandatory or voluntary. Phase 3 will produce materials on how to use these findings for research, for the design of security awareness training, and for persuading people to adopt security measures.


The resulting socio-cognitive model will help move the field of usable security away from “one size fits all” strategies, paving the way for a classification algorithm that directs resources and matches “interventions” (such as security tips or interface nudges) to those most likely to benefit. Future work will experimentally investigate the degree to which stage-matched interventions are associated with adoption of either a tool or a knowledge-based practice, compared with interventions that are not stage-matched, and the degree to which participants maintain these security practices over the following year.


