BITlab: Behavior Information Technology

404 Wilson Rd. Room 249
Communication Arts & Sciences
Michigan State University
East Lansing, MI 48824

Using Stories to Improve Computer Security Decision-Making

People regularly need to make security and privacy decisions; however, they often don’t realize they are making these decisions, and when they do, they often lack the experience and ability to make good choices. Based on studies of how people make decisions “in the wild”, this project looks to improve people’s security education, training, and awareness (SETA) by (1) using short stories about regular users’ security behaviors, rather than expert advice, facts, and warnings, to raise awareness of and suggest responses to security risks, and (2) delivering those stories at exactly the times people might need them, rather than as a separate training program divorced from people’s regular use and needs around security. Through a series of interviews the project team will learn more about how experts versus non-experts make security-related decisions in the moment. Using these insights and theories of decision-making, the team will develop and test a set of story-based training materials for common security decisions, including selecting passwords, ignoring phishing emails that lure people into downloading malware or giving personal information to fake websites, and avoiding sites that present invalid security credentials. These experiments will increase knowledge of how people make security decisions and how to design materials to support SETA, as well as directly improving security at the lead researcher’s institution through live testing with students and staff. The PI will also involve both undergraduate students and people from underrepresented groups in the research and publicly release the materials the team develops.

The project seeks to test the hypothesis that telling end users stories about security incidents can better train them to resist semantic attacks than traditional facts-and-advice training. The researchers will first develop a detailed understanding of how people make everyday in-the-moment security decisions, using Critical Decision Method and Experience Sampling Method-based approaches that focus on specific past attacks. The team will interview both experts and non-experts to learn what features they use to recognize attacks and how they identify actions to take; comparing expert to non-expert behavior will help identify vulnerabilities and inform both effective training goals and materials. These insights will be used in developing a set of story-based training materials that emphasize important constructs suggested by the theory of Naturalistic Decision Making, including incident typicality, social norms around responses, causality (linking responses to outcomes), and empowerment and efficacy in security decision-making. Through a series of field experiments in collaboration with security managers at the lead researcher’s institution, the team will iteratively improve the training materials while developing theoretical knowledge of how stories about security incidents can support security decision-making in naturalistic settings.

Funded by NSF Award CNS-1714126.

PI: Rick Wash


  • Rick Wash, Norbert Nthala, and Emilee Rader. “Knowledge and Capabilities that Non-Expert Users Bring to Phishing Detection.” Symposium on Usable Privacy and Security (SOUPS). Virtual. July 2021.

  • Rick Wash and Emilee Rader. “Prioritizing Security Over Usability: Strategies for How People Choose Passwords.” Journal of Cybersecurity. To appear 2021.

  • Norbert Nthala and Rick Wash. “How Non-Experts Try to Detect Phishing Scam Emails.” Paper in Workshop on Technology and Consumer Protection. May 2021.

  • Susan Wyche, Alison Greenwood, and Barbara S. Geyer. “Exploring Photography in Rural Kenyan Households: Considering Relational Objects in CSCW and HCI.” Proceedings of the ACM on Human-Computer Interaction. 2020.

  • Susan Wyche. “Using Cultural Probes in HCI4D/ICTD: A Design Case Study from Bungoma, Kenya.” Proceedings of the ACM on Human-Computer Interaction. 2020.

  • Rick Wash. “How Experts Detect Phishing Scam Emails.” Proceedings of the ACM on Human-Computer Interaction (CSCW). Vol. 4. November 2020.

  • Chris Fennell and Rick Wash. “Do Stories Help People Adopt Two-factor Authentication?” Poster in Symposium on Usable Privacy and Security (SOUPS). 2019.

  • Chris Fennell and Rick Wash. “Emotional Impact: How Stories Affect Password Behavior.” Poster in Symposium on Usable Privacy and Security (SOUPS). Baltimore, MD. August 2018.