- Monday, May 9, 2022 - 9:00am
- Virtual only
- Jason I. Hong (Co-Chair, HCII)
- Laura Dabbish (Co-Chair, HCII)
- Geoff Kaufman (HCII)
- Sauvik Das (Georgia Institute of Technology)
- Michelle Mazurek (University of Maryland, College Park)
My research looks at how to apply insights from social psychology, marketing, and public health to reduce the costs of cybercrime and improve adoption of security practices. The central problem that I am addressing is the widespread lack of understanding of cyber-risks. While many solutions exist (such as using password managers), people often are not fully aware of what they do or use them regularly. To address the problem, we should look to insights from social psychology, marketing, and public health that behavior change unfolds as a process in time and is influenced at each stage by relevant contacts. Other researchers have developed models to describe behaviors such as reasoned action, technology acceptance, health/wellness adoption, and innovation diffusion. But we lack a model that is specifically developed for end-user cybersecurity and that accounts for social influences and for non-adoption. In my thesis, I used an exploratory sequential mixed-methods approach to specify such a preliminary model, comprised of six steps of adoption, their step-associated social influences, and each step’s obstacles to moving forward.
To this end, I conducted two phases of research. In Phase 1, a remote interview study (N=17), I gathered data to synthesize a common narrative of how people adopt security practices. In Phase 2, an online survey study (N=859), I validated the Phase 1 insights with a U.S. Census-matched panel of adults aged 18 and older. I documented the distribution of the steps of adoption for password managers (either built-in or separately installed), and which factors were significantly associated with each step. I then integrated these findings and triangulated them with prior research on the influences of threat awareness, social proof, advice-seeking, and caretaking roles in people’s security behaviors.
The results are a data-driven diagram and description of the six steps of cybersecurity adoption and a survey-item algorithm for classifying people by adoption step. These will help move the field of usable security away from “one size fits all” strategies by providing a theoretical basis and a method for segmenting the target audience for security interventions and directing resources to those segments most likely to benefit. They establish an agenda for future experiments to validate whether specific step-matched interventions influence adoption and are more likely to lead to long-term change. Finally, they suggest specific design interventions for boosting security adoption.