Using Stories to Improve Computer Security Decision-Making
People regularly need to make security and privacy decisions; however, they often don’t realize they are making these decisions, and when they do, they often lack the experience and ability to make good choices. Based on studies of how people make decisions “in the wild”, this project looks to improve people’s security education, training, and awareness (SETA) by (1) using short stories about regular users’ security behaviors, rather than expert advice, facts, and warnings, to raise awareness of and suggest responses to security risks, and (2) delivering those stories at exactly the times people might need them, rather than as a separate training program divorced from people’s regular use and needs around security. Through a series of interviews the project team will learn more about how experts versus non-experts make security-related decisions in the moment. Using these insights and theories of decision-making, the team will develop and test a set of story-based training materials for common security decisions including selecting passwords, ignoring phishing emails that lure people to download malware or give personal information to fake websites, and avoiding sites that present invalid security credentials. These experiments will increase knowledge of how people make security decisions and how to design materials to support SETA, as well as directly improving security at the lead researcher’s institution through live testing with students and staff. The PI will also involve both undergraduate students and people from underrepresented groups in the research and publicly release the materials the team develops.
The project seeks to test the hypothesis that telling end users stories about security incidents can better train them to resist semantic attacks than traditional facts-and-advice training. The researchers will first develop a detailed understanding of how people make everyday in-the-moment security decisions, using Critical Decision Method and Experience Sampling Method-based approaches that focus on specific past attacks. The team will interview both experts and non-experts to learn what features they use to recognize attacks and how they identify actions to take; comparing expert to non-expert behavior will help identify vulnerabilities and inform both effective training goals and materials. These insights will be used in developing a set of story-based training materials that emphasize important constructs suggested by the theory of Naturalistic Decision Making including incident typicality, social norms around responses, causality (linking responses to outcomes), and empowerment and efficacy in security decision-making. Through a series of field experiments in collaboration with security managers at the lead researcher’s institution, the team will iteratively improve the training materials while developing theoretical knowledge of how stories about security incidents can support security decision-making in naturalistic settings.
Funded by NSF Award CNS-1714126.
PI: Rick Wash
Fennell, C. and Wash, R. “Do Stories Help People Adopt Two-factor Authentication.” Poster in Symposium on Usable Privacy and Security. 2019.
Chris Fennell and Rick Wash presented a poster at the SOUPS conference in August 2019 titled, “Do Stories Help People Adopt Two-factor Authentication?”
Google gave Rick Wash one of their 2018 Security and Privacy Research Awards for the BITLabs work on usable security.
Rick Wash was awarded a $500,000 grant from the National Science Foundation to study “Using Stories to Improve Computer Security Decision Making”.