Human-Computer Interaction Thesis Proposal
- Remote Access - Zoom
- Virtual Presentation - ET (NEW TIME/DATE)
- CORI FAKLARIS
- Ph.D. Student
- Human-Computer Interaction Institute
- Carnegie Mellon University
Toward a Socio-Cognitive Stage Model of Cybersecurity Behavior Adoption
My research looks at how to apply insights from social psychology, marketing, and public health to reduce the costs of cybercrime and improve adoption of security practices. The central problem that I am addressing is the widespread lack of understanding of cyber-risks. While many solutions exist (such as using password managers), people often are not fully aware of what these solutions do, or do not use them regularly. To address the problem, we should look to insights from social psychology, marketing, and public health that behavior change unfolds as a process in time and is influenced at each stage by relevant contacts. In my thesis, I propose to use an exploratory sequential mixed-methods approach to identify the stages that individuals go through when becoming aware of and adopting a new cybersecurity practice.
Other researchers have developed models to describe behaviors such as reasoned action, technology acceptance, health/wellness adoption, and innovation diffusion. But we lack a model that is specific to end-user cybersecurity and that accounts for social influences. Prior work has found that people perceive cybersecurity to be scary, confusing, or dull, and that they do not connect security practices with specific threats, nor view breaches as a personal concern. Their adoption of security practices is associated with fear appeals, with security sensitivity (the awareness, motivation, and knowledge of how to use practices to protect against threats), and with social influences (such as advice, storytelling, and observations of others’ behavior). In my work to date, I have found that attitudes toward security practices are significantly associated with breach experiences, security behavior intention, and recalled security actions; and that social contexts such as romantic relationships and workgroups influence the degree to which people share credentials for online accounts. Now, I seek to extend this work to describe the social and cognitive factors that differentiate each stage of the cybersecurity adoption process.
Toward this end, I propose two phases of research to figure out commonalities in people’s adoption process, then to validate these observations with a larger population. Phase 1, a remote interview study with 17 participants, is under way. We are eliciting participants’ experiences and thinking about their security adoption process, along with the relevant social influences, then inferring a common narrative of the stages of awareness and/or adoption. Phase 2, consisting of online surveys of up to 1500 people, will assess the distribution of these stages among a U.S.-representative randomized sample who are asked about their awareness and adoption of either a computational tool (password managers) or a knowledge practice (evaluating whether a website is legitimate). I will then integrate and synthesize findings with existing models of behavior change and their associated processes of change.
The results will describe a preliminary stage model of cybersecurity adoption and the mental states and social influences that are associated with each stage. This will help move the field of usable security away from “one size fits all” strategies by providing a theoretical basis and a method for segmenting the target audience for security interventions and directing resources to those segments most likely to benefit. It will suggest hypotheses such as whether a social or an individual intervention is likely to perform better at a particular stage, and it will enable assessment of current interventions by how well they match up with model predictions. It also will enable future researchers to experimentally investigate whether stage-matched interventions influence adoption and are more likely to lead to long-term change. Finally, it will describe the degree to which the cybersecurity adoption process diverges from other models of behavior adoption in social psychology, marketing, and public health.
Jason I. Hong (Co-Chair)
Laura Dabbish (Co-Chair)
Sauvik Das (Georgia Institute of Technology)
Michelle Mazurek (University of Maryland, College Park)
Zoom Participation. See announcement.